A penetration test (or ‘pen test’) is a simulated cyber attack through which you can identify the very vulnerabilities that an attacker would use to breach your network or your applications.
Penetration testing uses various manual techniques combined with automated tools to analyse the target for potential vulnerabilities and then attempts to exploit them. Exploitable vulnerabilities typically include known security flaws in hardware or software, poor configuration, or operational weaknesses.
The test is usually carried out from the perspective of a real-world attacker and includes exploiting vulnerabilities to identify possible countermeasures, prioritising the weaknesses by severity, and providing guidance on how to fix the vulnerabilities identified.
Penetration testing can be compared to hiring a ‘burglar’ to break into a building and accessing valuables to test your home security defences and, if the burglar is successful, to gain insights into how they bypassed your security measures so you can improve them.
Types of Penetration Test
The most common forms of penetration testing are application testing, which identifies vulnerabilities in business applications, and infrastructure testing, in which servers, firewalls and other systems are tested for weaknesses in an attempt to move through the target network.
Other types of penetration testing include mobile application, client-server, wireless, end-user device and telephony or VOIP testing.
Additionally, staff-focused testing such as phishing and social engineering can be undertaken to assess the success of security training within the company.
Penetration Testing versus Vulnerability Scanning
Penetration testing is often confused with automated vulnerability scanning. Vulnerability scanning uses automated tools to scan the environment and ensure that security settings are applied consistently, and the systems are up to date. Scan reports are often used to identify outdated software components that need to be patched to fix a vulnerability.
The objective of vulnerability scanning (and vulnerability management more widely) is to validate that the minimum-security requirements are applied in the most up to date manner.
Penetration testing goes a step further and replicates a real-world attack. This often starts with a scan to identify ‘low hanging fruit’ weaknesses, but also includes the use of different tools and manual techniques to confirm the vulnerability can be exploited and to assess the severity of the weakness. It also includes the human and contextual benefits that are not available when using software only.
Why is Penetration Testing Necessary?
Penetration testing is a security assurance exercise. It provides independent validation that your security defences are sufficiently resilient. This is important for multiple reasons including:
- Verifying that New Applications are Secure: When a new application is being deployed, regardless of the host, it is a good idea to carry out an assessment, especially if sensitive data will be stored within the application. Testing should be a key activity within your secure development lifecycle.
- Understanding the Security Posture of your Organisation: Testing helps confirm your defences are sufficient and resilient. This will be important to your senior management and also to organisations you work with or hold data on behalf of.
- Regulatory Compliance: Laws and regulations require good security assurance including testing. Article 32 of GDPR, for example, refers to data controllers implementing measures including “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing”
- Contractual Compliance: It is increasingly common for supplier contracts to mandate annual pen-testing of systems that are important to the services being provided by the supplier.
- Improved Threat Awareness: Sometimes similar organisations are exposed to similar threats. Carrying out assessments using the same methods that perpetrators use to attack other companies in the same industry gives insight into how exposed the company is and how to prevent the organisation from being the next victim.
Stages of Penetration Testing
A penetration test is typically delivered over the following testing phases:
1. Pre-Engagement Interactions
In this stage the tester or testing company will work with you to define the scope of the test, as well as any objectives, strategies, legal implications and/or constraints.
2. Reconnaissance or OSINT
The tester will try to collate as much open-source intelligence as possible about the organisation in this stage. Depending on the type of test being carried out, the type of information will vary.
3. Vulnerability Identification
During this stage, the tester will use all the potential targets gathered in the previous stage and model the attack vectors which will be used on the target. It is also in this phase that the tester will use vulnerability scanners, and other manual or automated tools on the target to discover any exploitable vulnerabilities.
With all the targets and vulnerabilities mapped, the tester will attempt to use exploits to gain entry to systems and/or networks. The end goal of this phase is to see how far in the environment the attacker is able to get (within the defined scope).
5. Analysis & Recommendation
During this stage the tester will document how the access was gained and provide remediations to avoid future exploitations. Afterwards, the tester will sanitize the environment by reconfiguring any access obtained to penetrate the environment and cleaning up any traces of the attack.
This is where a written report of the test provided to the client, including recommendations to remediate vulnerabilities. It is also in this stage where the company has the opportunity to review any findings with the tester during a debrief workshop.
If your organisation needs help running a penetration test on an application or infrastructure, we’re here to help. We can assess your environment and run a full penetration test. We can also advise you on any follow-up actions or remediations from our findings. Contact us for a friendly chat.