A penetration test, colloquially known as a pen test, pentest or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system. The test is performed to identify both weaknesses (also referred to as vulnerabilities), including the potential for unauthorized parties to gain access to the system’s features and data, as well as strengths, enabling a full risk assessment to be completed.
The process typically identifies the target systems and a particular goal, then reviews available information and undertakes various means to attain that goal. A penetration test target may be a white box (the tester is given background and system information, such as architecture diagrams, credentials or source code) or a black box (the tester is given only basic or no information beyond the company name). A gray box penetration test is a combination of the two, where limited knowledge of the target is shared with the tester. A penetration test can help determine whether a system is vulnerable to attack, whether its defenses were sufficient, and which defenses (if any) the test defeated.
Why Even Test?
In this day and age, no organization is an island (or can afford to be). Even organizations that are fully confident in their own first-party systems and security will still have third-party systems within their domain. After all, even an enterprise software vendor that builds and implements secure systems for other companies would not be expected to write its own HR or accounting systems, and that is where some of the danger lies.
Organizations should be concerned about the risks their vendors expose them to and, as product or service vendors themselves, about the risks they pose to other companies and individuals. For a third-party vendor, a strong security program is a way to put existing clients and partners at ease. It can also be a market differentiator, giving the vendor a leg up on its competition. Regular check-ups in the form of penetration tests are a good way to verify that program, both for the vendor itself and for its clients.
What Questions Does a Penetration Test Answer?
- Does my IT environment measure up to audit standards such as the PCI DSS requirements?
- Can an attacker reach our internal systems and data from the Internet?
- Can you simulate real-world tactics and identify what an automated vulnerability scan misses?
- Are my web-hosting site and service providers connected to my network as securely as they say they are?
- Are things like my email traffic or files visible to others?
What Are Some Common Objectives of a Penetration Test?
- Provide auditors with the necessary information to obtain industry certification and meet requirements.
- Provide management with an understanding of the current level of security risk from Internet-accessible services.
- Provide recommendations and enough detail to facilitate a cost-effective and targeted mitigation approach.
- Create a basis for future decisions regarding IT strategy, requirements, and resource allocation.
Penetration Testing Phases
- Reconnaissance – Gathering information on a target system that can be used to plan the attack. For example, open-source search engines and public records can be used to find employee names, email address formats and technology details that feed a social engineering attack.
- Scanning – Using technical tools to further the tester's knowledge of the system. For example, nmap can be used to scan for open ports and identify the services listening on them.
- Gaining Access – Using the data gathered in the reconnaissance and scanning phases, the tester exploits a vulnerability in the targeted system, typically by delivering a payload. For example, Metasploit can be used to automate attacks on known vulnerabilities.
- Maintaining Access – Establishing persistence within the target environment so that access survives reboots, credential changes or a dropped session, allowing the tester to gather as much data as the engagement scope permits.
- Covering Tracks – The attacker clears any trace of the compromise (dropped files, gathered data, log events) in order to avoid detection. In an authorized test this phase is carried out only as far as the rules of engagement allow, and the tester keeps a record of every change made so that the client can restore the environment and see which logging and alerting controls the clean-up would have blinded.
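The Scanning phase above names nmap as the tool of choice; to show what a port scan actually does at the socket level, here is an added example (not code from the original page, and no substitute for nmap) of a TCP connect scan with banner grabbing. Because a real in-scope host cannot be assumed, the example constructs its own target: a fake service bound to an ephemeral port on 127.0.0.1 that replies with an SSH-style banner. The host, port list, banner text and function names are all assumptions made for the example.

```python
"""Added example: minimal TCP connect scan with banner grabbing.

This is the technique behind `nmap -sT` (full three-way handshake per port)
followed by a simple service banner read. The target is a constructed local
listener, so the example runs offline; against a real host you would only run
this with written authorization for that host and port range.
"""
import socket
import threading
from dataclasses import dataclass


@dataclass
class PortResult:
    port: int
    open: bool
    banner: str = ""


def scan_port(host, port, timeout=0.5):
    """Connect scan of a single port. Open ports yield up to 128 bytes of banner."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:  # refused, timed out, unreachable: treat as not open
            return PortResult(port, False)
        try:
            banner = s.recv(128).decode("ascii", errors="replace").strip()
        except OSError:  # service accepted the connection but sent nothing in time
            banner = ""
        return PortResult(port, True, banner)


def scan_ports(host, ports, timeout=0.5):
    """Scan each port in order and return one PortResult per port."""
    return [scan_port(host, p, timeout) for p in ports]


def start_fake_service(banner):
    """Constructed stand-in for an in-scope host (assumption, not a real service).

    Binds 127.0.0.1 on an OS-chosen port, answers every connection with `banner`
    and returns the port number so the scanner can be pointed at it.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def reserve_closed_port():
    """Return a local port that is (at this moment) not listening, for a negative case."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Constructed target: one fake SSH-like service plus one closed port.
    open_port = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")
    closed_port = reserve_closed_port()
    for r in scan_ports("127.0.0.1", [open_port, closed_port]):
        state = "open" if r.open else "closed"
        print(f"127.0.0.1:{r.port}\t{state}\t{r.banner}")
```

A connect scan completes the handshake, so every probe shows up in the target's connection logs; that is exactly why the Scanning and Covering Tracks phases are linked, and why a real engagement records the source address and time window of each scan so the client's SOC can correlate the noise with the test. The banner read is the simplest form of service fingerprinting; nmap's `-sV` goes much further by sending protocol-specific probes.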