Penetration Testing

Overview

Penetration testing, or pen testing, is the process of hacking a system with written permission from the system owner. Unlike criminal hackers, pen testers perform the testing with ethical intent, legitimate motives and a sense of professionalism. Organizations conduct penetration testing to assess the effectiveness of their security controls and to identify weaknesses in their security architecture. As opposed to criminal hackers, pen testers produce a comprehensive list of recommendations to close the gaps they identify and exploit.

Penetration testing is the process of undertaking simulated attacks on infrastructures, systems, and applications with the purpose of discovering exploitable vulnerabilities. Furthermore, organizations may conduct separate vulnerability assessment activities to back up their pen testing endeavors. However, bear in mind that the two are not the same concept. Vulnerability assessments strive to identify and report potential weaknesses of information systems, whereas penetration testing goes one step further and exploits those vulnerabilities as a real attack would.

The objective of penetration testing is to help organizations discover exploitable weaknesses before the bad actors find them. These vulnerabilities may exist in operating systems, configurations, systems, applications, firmware, hardware, and so on. Furthermore, the ethical hacker applies the same procedures and tools as the criminal hacker to identify and exploit those vulnerabilities.

The only differences between ethical hackers and crackers are the condition of permission and the motives behind the hack. Ethical hackers prepare comprehensive reports detailing the steps they employed to exploit the vulnerabilities and recommendations to fix those weaknesses. Criminal hackers, on the other hand, attack information systems and people with the intent of financial gain, disruption, fame, etc.

It is imperative to have a clear understanding of the different testing and evaluation techniques to avoid duplication of tasks and reduce IT security expenses. This helps organizations to enhance their return on security investment (ROSI).

Security Assessments

A security assessment is an evaluation of organizational assets and security controls for possible risks and threats. It is a comprehensive review of the security of a system, application, or other platform, and is usually performed by internal security personnel. As part of it, security professionals conduct risk assessments to identify vulnerabilities in the tested environments. Security assessment endeavors finally produce recommendations to improve the security posture of the tested platforms.

Security Audits

A security audit is also an evaluation of security controls, but a more formal process than a security assessment. It involves the systematic evaluation of security controls and information systems against defined standards. Unlike security assessments, security audits require the involvement of third-party or external auditors. An audit ensures that controls are being enforced and followed properly throughout the organization, without regard to particular threats and vulnerabilities. Moreover, security audits are evaluations performed with the intent of demonstrating the effectiveness of controls to third parties.

Vulnerability Assessments

Vulnerability assessment processes are conducted to identify vulnerabilities and threats which, if exploited, may impact an organization financially or reputationally. They include discovering weaknesses in information systems, design flaws, and other security concerns. Moreover, vulnerability assessment is the process of identifying, quantifying and prioritizing security vulnerabilities in information systems. Unlike penetration testing, vulnerability assessment focuses on identifying the weaknesses and does not go further to exploit them.

Penetration Testing

Penetration testing is the process of security assessment which includes security audits and vulnerability assessments. Furthermore, it demonstrates the attack, its solution and the required remedial actions. It is all about finding problems with the purpose of improving the overall security posture of the target system. While vulnerability assessments are automated processes, penetration tests are manually performed by security professionals with expertise in conducting cyberattacks.

Why Penetration Testing

Penetration testing is one of the most important security practices that organizations undertake to protect their information and information systems. Moreover, organizations may primarily conduct penetration testing for one or more of the following reasons:

  • Compliance Requirements: Conducting penetration testing may help organizations to comply with legal, regulatory, industry and standardization requirements. Moreover, auditors may require a penetration testing report to certify an organization’s practices. Common compliance and standardization requirements include PCI-DSS, HIPAA, GDPR, and so on.
  • Security Risk Identification and Prioritization: Penetration testing helps organizations to evaluate their ability to protect their assets in the presence of weaknesses in security controls. Moreover, it enables them to identify and prioritize potential organizational risks. Companies conduct pen tests to find weaknesses in the existing controls or to deploy controls if there are none in place. The purpose of these endeavors is to proactively protect network infrastructures, applications, systems, endpoints, users and facilities from circumvention.
  • Leveraging a Proactive Security Posture: In today’s world, there is a myriad of cyberattacks emanating from different threat actors. Companies should deploy different security controls in a defense-in-depth manner to avert these attacks, and should primarily adopt preventive and proactive security measures to protect their information and information systems. Penetration testing is therefore one of these proactive safeguards, with the focus of exploiting vulnerabilities before the bad guys do. Additionally, a company should have a portfolio of security controls, such as encryption, SIEM and firewalls, rather than depending on a single control.
  • Security Control Effectiveness Evaluation: Organizations should continuously evaluate the effectiveness of security controls to determine if they are providing enough protection to information systems. These endeavors should be supported by penetration testing and vulnerability management strategies. The evaluation helps to modify and upgrade existing controls to cope with security threats.

Types of Penetration Testing

Penetration testing is one of the crucial components of information security. The purpose of information security is primarily to ensure the confidentiality, integrity and availability (CIA triad) of information. Ethical hackers or pen testers apply comprehensive steps to exploit identified vulnerabilities in the information and information systems. The testing process should emulate real-world attack scenarios and exploit the weaknesses mercilessly in order to improve the success rate.

Moreover, pen testers should use the same procedures and tools the real attacker would use to identify and exploit those vulnerabilities. Unlike crackers, however, all ethical hackers wear white hats.

There are three major types of penetration testing, namely white-box, black-box and gray-box testing. These types of pen test differ in the amount of information the target organization provides to the pen testers.

White-box Testing

White-box (or crystal-box) testing is a type of penetration testing in which the pen testers have complete knowledge of the systems and applications of the target organization. This test is mostly conducted by internal security professionals who have full knowledge of the security controls and their architecture. Organizations may also hire external pen testers to perform the test, providing them detailed information about the target systems. This insider knowledge helps the testers to shorten the duration of the attack and find security flaws more easily.

In white-box testing, the pen testers have privileged access to configuration information, network maps and the source code of the system. The aim of this test type is to identify and exploit potential weaknesses in various areas of the target organization. It is the most effective at uncovering vulnerabilities but less realistic than black-box testing.

Black-box Testing

Black-box testing is a type of penetration testing in which the ethical hacker has zero knowledge about the target systems. This type of testing mimics real-world cyberattacks and is the most effective at discovering inherent security weaknesses. The pen tester attacks the target systems blind, from an outsider’s point of view, and generates reports.

Gray-box Testing

Gray-box testing is a type of penetration testing that combines the features of both the white-box and black-box methods. It is a test in which the pen tester has limited prior knowledge about the target system: the organization provides some information to the pen tester, and the tester in turn discovers the remaining details.

Blue vs Red Team

The penetration testing types discussed earlier go a long way in discovering vulnerabilities and exploiting them, including zero-day vulnerabilities. However, these security practices have their own benefits and drawbacks. Pen testers employ various automated vulnerability scanning tools, and these tools may generate false negatives and false positives at times. Therefore, organizations should complement these tests and establish additional security measures to protect their data, infrastructures and systems. That is where the notion of blue and red teaming and other stringent security measures comes into play.

Organizations develop blue-red teaming exercises to simulate real-world attack scenarios in which one team plays an attacking role (the red team) while another takes a defensive role (the blue team). However, these cybersecurity teaming structures should never replace penetration testing endeavors; rather, they should augment them.

Blue Team

The blue team plays a defensive role in the exercises and employs protective measures to detect and avert attacks from the red team. Moreover, the team is responsible for analyzing the effectiveness and efficiency of security controls in protecting information and information systems.

Red Team

A red team plays an offensive role and is formed with the intention of identifying and assessing vulnerabilities in information systems. The team plays a similar role to penetration testers or ethical hackers: it identifies potential vulnerabilities and exploits them from an attacker’s perspective.

Phases of Penetration Testing

A penetration test, as discussed above, is the process of identifying security vulnerabilities in information systems and trying to exploit them. However, the pen testers should have clear rules of engagement with their clients before starting any activity. Meaning, the two parties should enter into a binding written agreement that clearly defines the scope and the duration of the test, because penetration testing is an intrusive activity by nature and may cause business disruptions. The document that contains and dictates the rules of engagement is therefore the playbook for the pen testers.

The pen testers will finally prepare a detailed report for both the technical personnel and senior management. The results reported from the penetration test play a significant role in finding security flaws and patching them. Penetration testing is a crucial activity that every organization should be doing to manage vulnerabilities and potential exposures.

When conducting the penetration testing process, the pen testers shall employ the following major phases:

Planning and Preparation

The planning and preparation phase is one of the most important phases of penetration testing. In this phase, the pen tester and the target organization enter into a formal agreement. Both parties define and agree on the scope of the work and its duration, and formulate the rules of engagement. It is also in this phase that the pen testers get explicit authorization, the green light, to start the ethical hacking.
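One way to make the rules of engagement enforceable rather than merely documented, as an added example that is not part of the original article: the scope document is reduced to the authorized CIDR blocks, explicit exclusions and the agreed testing window, and every target is checked against it before any scanning is launched. The networks, excluded host, dates and target list below are all constructed for the example.

```python
"""Scope enforcement for the planning and preparation phase.

Added example: the engagement details (networks, excluded host,
testing window, target list) are constructed, not taken from any
real engagement.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class RulesOfEngagement:
    """The written agreement reduced to what a tool can enforce."""
    allowed_networks: tuple    # CIDR blocks the client authorized
    excluded_hosts: frozenset  # hosts carved out of scope (e.g. a production DB)
    window_start: datetime     # agreed testing window, UTC
    window_end: datetime

    def in_window(self, now: datetime) -> bool:
        return self.window_start <= now <= self.window_end

    def reason_to_reject(self, target: str):
        """Return None if the target may be tested, otherwise a readable reason."""
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            # Hostnames are not resolved here: the tester must resolve the
            # name and re-check the resulting address against the scope.
            return "not an IP address; resolve it and re-check the address"
        if target in self.excluded_hosts:
            return "explicitly excluded by the rules of engagement"
        if not any(addr in ipaddress.ip_network(net) for net in self.allowed_networks):
            return "outside the authorized networks"
        return None


def check_targets(roe: RulesOfEngagement, targets, now: datetime):
    """Split targets into (approved, rejected); rejected maps target -> reason.

    Outside the agreed window nothing is approved, whatever the address.
    """
    if not roe.in_window(now):
        return [], {t: "outside the agreed testing window" for t in targets}
    approved, rejected = [], {}
    for target in targets:
        reason = roe.reason_to_reject(target)
        if reason is None:
            approved.append(target)
        else:
            rejected[target] = reason
    return approved, rejected


# Constructed engagement: two authorized ranges, one excluded host,
# and a one-week window.
ROE = RulesOfEngagement(
    allowed_networks=("10.20.0.0/24", "192.0.2.0/24"),
    excluded_hosts=frozenset({"10.20.0.5"}),
    window_start=datetime(2024, 5, 1, tzinfo=timezone.utc),
    window_end=datetime(2024, 5, 8, tzinfo=timezone.utc),
)

# Constructed target list handed to the tester, including one host that is
# excluded, one outside the ranges, and one unresolved hostname.
TARGETS = ["10.20.0.7", "10.20.0.5", "10.99.1.1", "192.0.2.10", "db-primary"]

# Two constructed points in time: inside and after the window.
DURING_WINDOW = datetime(2024, 5, 3, 9, 0, tzinfo=timezone.utc)
AFTER_WINDOW = datetime(2024, 5, 9, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    approved, rejected = check_targets(ROE, TARGETS, DURING_WINDOW)
    print("approved:", approved)
    for target, why in rejected.items():
        print(f"rejected {target}: {why}")
```

Feeding the approved list, and only that list, into the scanning tooling keeps the tester inside the agreement; the rejected entries with their reasons become part of the engagement record.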

Reconnaissance

Reconnaissance is the phase in which the pen testers gather every possible piece of information about the target. The testers collect information from both public and non-public sources without being detected by the target. The sources of information may include the Internet, the target’s official website, DNS records, social media and similar avenues.

The pen testers apply different methodologies to collect just enough information. They may gather it through social engineering, search engines, spear phishing, open source intelligence (OSINT) and similar methods.

Scanning and Discovery

After the reconnaissance phase, the pen testers will have enough information about the target. They make use of the gathered information to conduct the scanning and discovery process, in which they rely on a host of automated scanning tools and manual procedures. The tools may include, but are not limited to, Metasploit, Nmap, Netscan, Wireshark, Netcraft, SSDP, Nikto, and Burp Suite.

The pen testers perform network scanning, banner grabbing, and vulnerability scanning on the target network. The objective of these scans is to identify open and closed ports, operating systems, services, security controls and more. Unlike reconnaissance, the ethical hacker initiates active connections with the target system in this phase to gather more information.

Exploitation

This is the most important and interesting phase of the penetration testing process. In this phase, the pen testers actually exploit the identified vulnerabilities and attempt to gain access to the target system, using manual and automated exploitation tools to defeat the security controls put in place.

This phase is where the pen testers practically prove that the potential vulnerabilities in the target system are real. The pen testers do the hacking using an array of technical approaches and social engineering methods to exploit the vulnerabilities. Ethical hackers commonly use the Metasploit framework to automate exploitation against the target systems. Moreover, they may install malware such as a rootkit to persistently maintain their foothold and further compromise the target system.

Reporting

The pen testers finally summarize the results of the penetration test and make formal recommendations to fix the vulnerabilities. However, they produce the document throughout the entire testing process by capturing all the activities performed and vulnerabilities identified. Meaning, they record every piece of information about what happened during the whole process and then submit the final report.

The documentation serves as a baseline for upcoming penetration testing engagements. Furthermore, it should be stored in a secure environment, because it contains sensitive organizational information.

Penetration Testing Tools

There are tons of ethical hacking tools that professionals can rely on to test systems. The following are some of the common penetration testing and vulnerability scanning tools in use in the industry today:

  • Metasploit
  • Nessus
  • Kali
  • John The Ripper
  • Wireshark
  • Burp Suite
  • Nikto
  • OpenVAS

We will present detailed information about these and more penetration testing tools in an upcoming episode.