
What is Penetration Testing?

Harold Bell

Key Takeaway

Pen testing, short for penetration testing, is a cybersecurity practice where authorized individuals or companies simulate cyberattacks on computer systems, networks, and applications to identify vulnerabilities that could be exploited by malicious hackers. The goal of pen testing is to uncover weaknesses in the system’s security measures before they can be exploited by real attackers.

Penetration testing, also known as “pen testing” or “pentesting,” is a process intended to expose hidden weaknesses in a system’s security countermeasures and controls. Typically conducted by an authorized outsider, pen tests simulate different kinds of attacks on all elements of a system. The goal is to discover vulnerabilities that the system’s creators, as well as security teams, may have overlooked.

Who performs penetration tests?

Pen tests are almost always performed by people who did not have a role in creating the target system. Indeed, quite often the pen tester, or testers, do not work for the entity that built the system at all. There are several reasons for this. For one thing, members of dev, test and security teams are too close to what they’ve built. They may have blind spots about security that can be uncovered by a person who comes to the system with fresh eyes and no preconceptions.

Additionally, pen testing is a distinct skillset, one that often requires purpose-built tools. It takes thinking like a hacker, and in fact, some pen testers are actually former “black hat” or criminal hackers who have decided to put their skills in a legitimate context. As the old saying goes, it takes a thief to catch a thief. Pen testers may have special training and certifications as well. In most cases, employees of the organization that built the system lack these qualifications.

Pen testers are sometimes referred to as “ethical hackers,” but the two roles are not the same. At a basic level, yes, a pen tester is ethically hacking the target. They have written permission to “attack” within an agreed scope and rules of engagement, and they exploit the flaws they find only as far as is needed to demonstrate impact, never for their own benefit.

The difference is partly structural. Pen testing usually follows a preset series of processes, with a disciplined approach to identifying and documenting security problems. Ethical hacking, in contrast, tends to be more open-ended. An ethical hacker might engage in a “bug bounty” program, for instance, and be rewarded for discovering a previously unknown vulnerability. However, that is not the same as doing a thorough pen test and documenting what the process discovered.

Stages of pen testing

A pen test typically occurs in five stages:

Reconnaissance

This is the information gathering step that opens the engagement. The tester learns the parameters of the target system (scope, exposed hosts and domains, technologies in use, publicly available details about the organization) and prepares a plan of attack.

Scanning

The tester scans the target to enumerate what is exposed and to observe how its security controls respond to probes. Almost always accomplished with the help of automated tools, the scans can find open ports and the services behind them, servers left with default admin accounts enabled, vulnerable misconfigurations and other hidden ways into the target system.
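The scanning stage in miniature, as an added example written for this article (it is not a Noname Security tool and not a replacement for a scanner such as nmap): the script starts a throwaway TCP service on localhost standing in for a target host, whose banner leaks a version string, then performs a TCP connect scan of a small port window and reports what it finds. The service, its banner and the port window are all constructed for the demo.

```python
"""Minimal TCP connect scan with banner grabbing (illustrative only)."""
from __future__ import annotations

import socket
import threading

# Constructed banner in the style of an SSH greeting. The daemon name and
# version are made up for the demo and do not refer to a real release.
FAKE_BANNER = b"SSH-2.0-ExampleDaemon_0.1 constructed-for-demo\r\n"


def start_fake_service(banner: bytes = FAKE_BANNER) -> tuple[socket.socket, int]:
    """Listen on an OS-assigned localhost port and send `banner` to each client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket closed by the caller
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def connect_scan(host: str, ports: list[int], timeout: float = 0.5) -> dict[int, str]:
    """Full TCP connect scan: a port counts as open if the handshake completes.

    Returns {port: banner}; the banner is "" when the service says nothing
    before the timeout (many services wait for the client to speak first).
    """
    findings: dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except (ConnectionRefusedError, socket.timeout, OSError):
                continue  # closed or filtered: nothing to report
            try:
                banner = s.recv(256).decode("ascii", errors="replace").strip()
            except (socket.timeout, OSError):
                banner = ""
            findings[port] = banner
    return findings


def scan_local_demo() -> tuple[int, dict[int, str]]:
    """Stand up the fake service, scan a window of ports around it, tear it down.

    Returns (listener_port, findings) so the result can be checked.
    """
    srv, port = start_fake_service()
    try:
        # A small window around the listener, clamped to valid TCP ports.
        # Real scans cover far wider ranges; the window here keeps the demo fast.
        window = [p for p in range(port - 3, port + 4) if 1 <= p <= 65535]
        return port, connect_scan("127.0.0.1", window)
    finally:
        srv.close()


if __name__ == "__main__":
    _, results = scan_local_demo()
    for open_port, banner in results.items():
        print(f"open tcp/{open_port}: {banner or '<no banner>'}")
```

The banner is the useful output here: a version string like this is exactly what a tester carries into the access stage, where it is matched against known weaknesses and default credentials for that software.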

Access

At this stage, it is time for the pen tester to get inside the target system, based on information discovered during the scanning stage. This may involve using techniques like SQL injection (SQLI) to retrieve administrative user credentials from a (theoretically secure) database. Once inside, the pen tester will map out how much damage an actual attacker could do with this level of access. For example, if a pen tester is able to move laterally from an initial target across a network and gain access to a production application, he or she will report that an attacker could breach that system as well.
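The SQL injection path described above, as an added example written for this article and not taken from any real system: a login check against an in-memory SQLite database constructed for the demo. `login_vulnerable` pastes user input into the query text, which is the defect that lets a tester log in as the administrator without the password and, with a second payload, pull every password hash out of the table. `login_hardened` is the same check with a parameterised query. Usernames, passwords and the table layout are all made up.

```python
"""SQL injection in a login check: vulnerable and hardened side by side."""
import hashlib
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory users table with constructed accounts (not real credentials)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, role TEXT)")
    rows = [
        ("admin", hashlib.sha256(b"correct horse battery staple").hexdigest(), "administrator"),
        ("alice", hashlib.sha256(b"alice-pw").hexdigest(), "user"),
    ]
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", rows)
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str):
    """Deliberately vulnerable: the username is concatenated into the SQL text."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (
        "SELECT username, role FROM users WHERE username = '"
        + username + "' AND pw_hash = '" + pw_hash + "'"
    )
    return db.execute(sql).fetchone()  # (username, role) or None


def dump_vulnerable(db: sqlite3.Connection, username: str, password: str) -> list:
    """Same flawed query, but returning every row so a UNION payload shows up."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (
        "SELECT username, role FROM users WHERE username = '"
        + username + "' AND pw_hash = '" + pw_hash + "'"
    )
    return db.execute(sql).fetchall()


def login_hardened(db: sqlite3.Connection, username: str, password: str):
    """Placeholders: whatever the user types can only ever be a value."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = "SELECT username, role FROM users WHERE username = ? AND pw_hash = ?"
    return db.execute(sql, (username, pw_hash)).fetchone()


# Payload 1: close the string literal and comment out the password check
# ("--" starts a comment in SQLite), so the WHERE clause matches the admin row.
BYPASS = "admin' --"

# Payload 2: UNION in a second SELECT that returns password hashes in place
# of roles. The column count must match the original SELECT (two columns).
DUMP = "' UNION SELECT username, pw_hash FROM users --"


def demo() -> dict:
    """Run both payloads against both implementations and return the outcomes."""
    db = build_db()
    return {
        "vulnerable_bypass": login_vulnerable(db, BYPASS, "anything"),
        "vulnerable_dump": dump_vulnerable(db, DUMP, "anything"),
        "hardened_bypass": login_hardened(db, BYPASS, "anything"),
        "hardened_dump": login_hardened(db, DUMP, "anything"),
        "legit": login_hardened(db, "alice", "alice-pw"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that the hardened version still accepts the legitimate user: the fix changes how the query is assembled, not what it does, which is why parameterised queries are the standard remediation rather than input filtering.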

Maintaining Access

Once the pen tester has gained a foothold, the next step is to see whether that access can be kept: for example, whether a planted implant, a scheduled task or an added account survives reboots and routine administration. This mimics the all-too-common real-life situation where malicious actors linger inside the victim’s network for months at a time. By maintaining access, the pen tester can also simulate advanced persistent threats (APTs).

Analysis and Cover Up

The pen tester concludes the test by removing the artifacts the engagement introduced: implants, scripts, added accounts, configuration changes and any data staged during the test. This mirrors how a real attacker covers their tracks, with one important difference: the tester removes only what the test put there and does not delete or alter the target’s logs, since those records are evidence the security team needs. Everything left in place, deliberately or because it could not be removed safely, is listed for the client. This is followed by the preparation of a detailed report that documents the methods used, the gaps discovered and a projection of the impact of a breach, among other important information for the security team.

Types of pen tests

It is a wise practice in risk management to align the pen testing program with all relevant system types in an organization. With the idea that any connected device, application, or data source can be part of an attack surface, it makes sense to use pen testing to assess their vulnerabilities to breach. In general, it doesn’t make sense to do a penetration test on a web app, but not a mobile app. Either one could be an attack path for a malicious actor.

Pen tests fall into six broad categories:

Applications

The pen tester uses automated tools, as well as manual testing, to look for vulnerabilities inside applications and connected databases. This might mean looking at the application binaries themselves or examining authorization processes, encryption, and the potential for SQL injection and comparable attack methods.

Networks

As the organization’s security perimeter (at least in theory), the network needs to be subjected to rigorous penetration testing. The process usually involves a systematic look at administrative access controls, TLS configuration (still often called SSL), encrypted transport protocols, certificates, network segmentation, and more.

Cloud

With the cloud, the pen tester is looking at system configurations, application programming interfaces (APIs), and storage. The tester is also probably going to look for cloud instances that were set up without the standard policies in place. This is more common than people realize. A well-meaning but misinformed developer may deploy an application and database to a cloud platform without applying security controls or even notifying anyone that the cloud instance exists.

Software development processes

The DevOps workflow and continuous integration/continuous deployment (CI/CD) pipeline are places where developers inadvertently embed bugs and coding errors into software that make the application vulnerable to breach. With automated pen testing of DevOps and the CI/CD pipeline, the tester may find hidden vulnerabilities that cannot be detected with static code scanning. The pen tester will also try to get into the developer workflow and see if he or she can insert malicious code into the codebase. He or she will take similar actions regarding containers, such as Docker.

Devices

Hardware can be vulnerable to breach just as much as a network or an application. A pen tester will try to break into the device using vulnerabilities in its application binaries, firmware, and operating system software. It is common for pen testers to find weaknesses in devices that have not had security patches installed.

APIs

A pen tester will use a combination of manual and automated testing processes to determine if an API has any of the Open Web Application Security Project (OWASP) API Security Top 10 vulnerabilities, such as broken object-level authorization, a lack of rate limiting, or broken user authentication.
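Broken object-level authorization, the first item on the OWASP API Security Top 10, is the easiest of these to show in code. The following is an added example written for this article against a constructed in-memory “API”; it is not any real service and not Noname Security’s code. `get_order_vulnerable` authenticates the caller but trusts whatever order ID it is given, `get_order_hardened` also checks that the caller owns the object, and `probe_bola` is the check a tester runs: authenticate as one user, walk the ID space, and record every object that comes back belonging to somebody else. The orders, users and ID range are made up.

```python
"""Broken object-level authorization: vulnerable handler, fixed handler, and
the enumeration check a tester would run against both."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str
    total_cents: int


# Constructed data store: two customers, three orders.
ORDERS = {
    101: Order(101, "alice", 1999),
    102: Order(102, "bob", 4500),
    103: Order(103, "alice", 250),
}


class NotFound(Exception):
    """Stands in for an HTTP 404 response."""


def get_order_vulnerable(user: str, order_id: int) -> Order:
    """BOLA: `user` is authenticated, but ownership of the object is never checked."""
    try:
        return ORDERS[order_id]
    except KeyError:
        raise NotFound(order_id) from None


def get_order_hardened(user: str, order_id: int) -> Order:
    """Authorization keyed on the object, not just on reaching the endpoint."""
    order = ORDERS.get(order_id)
    # Return the same error for 'missing' and 'not yours' so the endpoint
    # does not double as an oracle telling the tester which IDs exist.
    if order is None or order.owner != user:
        raise NotFound(order_id)
    return order


def probe_bola(handler: Callable[[str, int], Order], user: str, id_range: range) -> list[int]:
    """Walk `id_range` as `user` and return IDs whose object belongs to someone else.

    Predictable, sequential IDs make this trivial; the real defence is the
    ownership check in the handler, not hiding the IDs.
    """
    leaked = []
    for oid in id_range:
        try:
            order = handler(user, oid)
        except NotFound:
            continue
        if order.owner != user:
            leaked.append(oid)
    return leaked


if __name__ == "__main__":
    ids = range(100, 110)
    print("vulnerable, as bob:", probe_bola(get_order_vulnerable, "bob", ids))
    print("hardened,   as bob:", probe_bola(get_order_hardened, "bob", ids))
```

Against a live API the same check is done with two real accounts and their session tokens: every request is replayed with the second account’s token, and any response that still returns the first account’s data is a finding.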

Benefits of Pen Testing

Pen testing offers a variety of benefits that are not available through other modes of security testing. This is not to detract from the importance and necessity of performing unit testing, functional testing, and the like. With pen testing, however, it is possible to find security flaws that other processes simply cannot uncover.

In addition, pen testing can show the entire attack chain: how the attacker discovered the vulnerability, how he or she exploited it, gained access, and maintained access. As a result, pen testing enables security teams to fix systemic problems that are otherwise invisible. An effective pen test will also show how strong a control or countermeasure really is. This is all the more significant when considered in the light of compliance with standards and regulations like PCI DSS and GDPR.

Approaches to Pen Testing

Pen tests differ in approach depending on the number and nature of exploitation targets, the level of information available to or gleaned by the tester, and the tools, skills, and resources the tester has at their disposal. Various penetration testing approaches include:

  • Open-box pen testing: In an open-box (white box) approach, the pen tester gets pre-approved access to internal information such as architecture diagrams, source code, configurations and credentials. Therefore, they conduct the test from an informed position. This approach saves the tester time spent guessing, leading them to identify more risks in the same engagement window.
  • Grey box approach: In a grey box approach, the testing team is privy to partial information on the company’s system, typically a normal user account and a description of the environment. As a result, they have a better chance of identifying high-risk vulnerabilities and helping prioritize fixes.
  • Closed-box pen testing: In a closed-box (black box) or single-blind approach, the tester doesn’t get any information about the company other than its name. They make use of the most creative and unbiased tactics they can with no assumptions, much as an outside attacker would.
  • Covert pen testing: A covert or double-blind approach is where everyday users, including IT personnel, are unaware that the test is taking place. This tests the capability of IT and the security team to detect and respond to breaches in real time. Such a test might involve informing law enforcement upfront so as not to cause any false alarms.

Pen testing supports business continuity

Pen tests help maintain robust and effective network security in any organization. They help businesses:

  • Detect and close vulnerabilities before an external hacker exploits them
  • Identify high-risk areas in the IT infrastructure and allocate security budget wisely
  • Improve alertness levels and response times of in-house IT and security personnel
  • Close gaps in data privacy and security compliance
  • Mitigate the impact of real breaches when they occur

Thus, proper penetration testing is vital to securing IT workloads and customer data, and to keeping operations going smoothly.

Penetration Testing FAQs

What is the difference between vulnerability scanning and penetration testing?

Familiarizing yourself with different security testing tools, including vulnerability scanning and penetration testing, is imperative as a business owner today.

Vulnerability scanning is the automated process of identifying known vulnerabilities and susceptible areas of a network. This can include scoping out routers, system setups, servers, and any firewalls that may be in place. A scanner reports issues it recognizes from signatures and version numbers but does not exploit them; its output is essentially a map of potential methods to breach an organization, which usually includes false positives that still need to be verified.

Penetration testing, on the other hand, is more involved and proactive. With penetration testing, ethical hackers attempt to exploit potential security violations and/or vulnerabilities and chain them together to reach a goal, such as access to sensitive data. Penetration testers will determine which part of the attack surface is best to target for an optimal outcome. Using penetration testing is ideal for those who want to learn how their systems currently in place would actually hold up against a real attacker.

How often should pen tests be performed?

Penetration tests should be conducted at least one to two times each year, and again after any significant change to the environment, such as a major release, a new network segment or a migration to the cloud. In some cases, you may need to perform penetration tests even more frequently, depending on the size and reach of your organization. With the rise in cyberattacks and security breaches across all industries, it’s imperative to be proactive regarding digital vulnerabilities and conduct pen tests regularly.

How long does a penetration test usually take?

Depending on your current setups, API security measures, and the scale of your operation, a penetration test will typically require anywhere between 1 and 2 weeks in total. However, the time it takes to complete a penetration test will vary based on your equipment, firewalls, and networks you intend to target.

To further protect your organization’s APIs, consider Noname Security, a comprehensive security solution with automated detection and response.

Harold Bell

Harold Bell was the Director of Content Marketing at Noname Security. He has over a decade of experience in the IT industry with leading organizations such as Cisco, Nutanix, and Rubrik, and has been featured as an executive ghostwriter in Forbes Technology Council and Hacker News.
