Penetration testing or as most people in the IT security field call it, pen testing, is the testing of software and hardware for vulnerabilities or weaknesses that an attacker could exploit. In the IT world this usually applies, but is not limited to, PCs, networks, and web applications. Also known as “red teaming” pen testing is done by everyone from government agencies to law enforcement, military, and private companies.
Penetration Testing vs. Vulnerability Assessments
So what makes penetration testing different from your standard vulnerability assessments? A vulnerability assessment looks for most of your standard weaknesses and reports them back. These are usually automated and have little to no human interaction once the scan takes place. A penetration test takes it a step further. Once it finds those vulnerabilities, they are taken advantage of and actually exploited. Think about it like this, what would make the bigger impact: A report you show to your boss, showing your website is vulnerable to SQL injection, or a report showing that your website was compromised and information was stolen because of the SQL injection vulnerability. The biggest advantage of a penetration test is it proves the vulnerabilities found can be taken advantage of and cost your company their reputation, time and money. A vulnerability assessment is really just one step of the penetration testing process
Penetration Testing Framework
Most penetration tests can be broken down into seven main phases.
- Pre-engagement Interactions: Establishes the scope, requirements of the company, writing the contract, etc. Anything that you do before starting the actual penetration test.
- Intelligence Gathering: One of the most important steps in any penetration test is the intelligence gathering phase. Here you try to get as much information as possible about the target company to make your test go smoothly.
- Threat Modeling: Threat modeling is going over all of the information found in the intelligence gathering phase and determining what areas would be most vulnerable or cause the most damage.
- Vulnerability Analysis: In this stage, we start looking for vulnerabilities. What weaknesses can we find on your website? Your physical location?
- Exploitation: Here we finally take advantage of all the information we’ve gather and exploit one or more of the vulnerabilities found.
- Post-Exploitation: We’re in. Now we see where we can go. Can we elevate our privileges? Pivot to other machines? This is where we show the company what could really happen if someone attacked their system.
- Reporting: One of the least fun, but most important stages for any pen-tester is reporting. We gather all of the information we found, proof of concept code or exploits, and compile it into an easily followed report, that anyone can understand.
- Improve security: A well done penetration test can improve the security of any company. By coming in and looking at your network from an outsider’s perspective, there is almost a guarantee they will see something that you or your team have missed before. Not everyone can put themselves in the mindset of the “bad guy” and it always helps to have someone that isn’t malicious attack your network before someone that is malicious does.
- Bring focus: One of the most difficult decisions for any security team is where to spend money. Most places have a fairly limited budget and you need to stretch it to get the most bang for your buck. Having a penetration test can show you the exact areas you need to improve in. Whether it’s physical security, user training, patching, upgraded hardware, etc.
- **Reporting: **One of the biggest advantage of a penetration test vs a vulnerability assessment is the report. This is a gold mine of information, that you may or may not have known about your network. Read it. Understand it. Use it and you will get the most out of your test.
- Improve business: Nobody wants to have their company in the news for the latest breach or release of information. Conducting even just one penetration test can greatly increase your current security program, taking it to the next level, decreasing your chances of being breached and also decreases the time to discovery in case of a breach.
- The cost: Penetration tests costs can vary greatly from company to company, but usually is a larger expense and can be difficult for some smaller companies to justify. If this is the case, you can always perform your own.
- Execution: Limiting the scope of penetration testing really hurts the outcome and can give false assurances. In order for a pen test to be effective, we have to try our best to keep the scope open as much as possible. Remember, attackers won’t have any rules when they try and breach your security.
There are many offensive security companies that specialize in many different penetration tests, including social engineering, physical assessments, web application pen testing and any combination of. If you are planning on having a penetration test done, or even conducting your own, remember how to get the most of the test and always do research on the proposed company. One of the most important part of any penetration test is the report, remember to use that to your advantage.
- PenTest-Standard.org – The Pentest-Standard page was created by some of the biggest names in the security field to create a standard for both security companies and businesses to follow, to get the most out of any penetration test.
- Metasploit – Metasploit is one of the most widely used penetration testing software available. It can be used to go through every stage of a penetration test.