Penetration testing, also called pen testing or ethical hacking, is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit.
Penetration testing can be automated with software applications or performed manually. Either way, the process involves gathering information about the target before the test, identifying possible entry points, attempting to break in -- either virtually or for real -- and reporting back the findings.
The main objective of penetration testing is to identify security weaknesses.
Penetration testing can also be used to test an organization's security policy, its adherence to compliance requirements, its employees' security awareness and the organization's ability to identify and respond to security incidents.
Typically, the information about security weaknesses that are identified or exploited through pen testing is aggregated and provided to the organization's IT and network system managers, enabling them to make strategic decisions and prioritize remediation efforts.
Penetration tests are also sometimes called white hat attacks because in a pen test, the good guys are attempting to break in.
A penetration test is a simulated cyber attack against your computer system to check for exploitable vulnerabilities. In the context of web application security, penetration testing is commonly used to augment a web application firewall (WAF).
Pen testing can involve the attempted breaching of any number of application systems (e.g., application programming interfaces (APIs), frontend/backend servers) to uncover vulnerabilities, such as unsanitized inputs that are susceptible to code injection attacks.
Insights provided by the penetration test can be used to fine-tune your WAF security policies and patch detected vulnerabilities.
The pen testing process can be broken down into five stages.
The first stage involves:
Defining the scope and goals of a test, including the systems to be addressed and the testing methods to be used.
Gathering intelligence (e.g., network and domain names, mail server) to better understand how a target works and its potential vulnerabilities.
The next step is to understand how the target application will respond to various intrusion attempts. This is typically done using:
Static analysis – Inspecting an application’s code to estimate the way it behaves while running. These tools can scan the entirety of the code in a single pass.
Dynamic analysis – Inspecting an application’s code in a running state. This is a more practical way of scanning, as it provides a real-time view into an application’s performance.
The third stage uses web application attacks, such as cross-site scripting, SQL injection and backdoors, to uncover a target’s vulnerabilities. Testers then try to exploit these vulnerabilities, typically by escalating privileges, stealing data or intercepting traffic, to understand the damage they can cause.
The goal of the fourth stage is to see if the vulnerability can be used to achieve a persistent presence in the exploited system, long enough for a bad actor to gain in-depth access. The idea is to imitate advanced persistent threats, which often remain in a system for months in order to steal an organization’s most sensitive data.
In the fifth and final stage, the results of the penetration test are compiled into a report detailing:
Specific vulnerabilities that were exploited
Sensitive data that was accessed
The amount of time the pen tester was able to remain in the system undetected
This information is analyzed by security personnel to help configure an enterprise’s WAF settings and other application security solutions to patch vulnerabilities and protect against future attacks.
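The "unsanitized inputs susceptible to code injection" that the report flags, shown as an added example (this is not code from the original article or from any vendor it draws on): a login check that concatenates user input into SQL, beside the parameterized version that remediates the finding. The in-memory SQLite table, its rows and the function names are constructed for illustration; the tautology payload is the standard textbook probe a tester would record in the exploitation stage.

```python
"""Vulnerable string-built SQL beside its parameterized fix (added example).

Constructed data: an in-memory SQLite 'users' table. Passwords are stored in
clear text only to keep the demonstration short; real systems store hashes.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by concatenation: user-controlled text becomes SQL syntax."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: the input is always data, never SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# The classic tautology probe: in the vulnerable version it turns the WHERE
# clause into  ... AND password = '' OR '1'='1'  and matches every row.
TAUTOLOGY = "' OR '1'='1"


def demo() -> dict:
    """Run both implementations against a valid, a wrong and an injected password."""
    conn = make_db()
    return {
        "valid_vuln": login_vulnerable(conn, "alice", "correct horse"),
        "valid_hard": login_hardened(conn, "alice", "correct horse"),
        "wrong_vuln": login_vulnerable(conn, "alice", "wrong"),
        "wrong_hard": login_hardened(conn, "alice", "wrong"),
        "inject_vuln": login_vulnerable(conn, "alice", TAUTOLOGY),
        "inject_hard": login_hardened(conn, "alice", TAUTOLOGY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Both functions behave identically for a correct and for a wrong password; they differ only on the injected value, where the concatenated query grants access and the parameterized one does not. That difference is what the remediation line in the report is asking the application team to close, independently of any WAF rule placed in front of the application.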
White box pen test - In a white box test, the hacker is provided with some information ahead of time regarding the target company’s security.
Black box pen test - Also known as a ‘blind’ test, this is one where the hacker is given no background information besides the name of the target company.
Covert pen test - Also known as a ‘double-blind’ pen test, this is a situation where almost no one in the company is aware that the pen test is happening, including the IT and security professionals who will be responding to the attack. For covert tests, it is especially important for the hacker to have the scope and other details of the test in writing beforehand to avoid any problems with law enforcement.
External pen test - In an external test, the ethical hacker goes up against the company’s external-facing technology, such as their website and external network servers. In some cases, the hacker may not even be allowed to enter the company’s building. This can mean conducting the attack from a remote location or carrying out the test from a truck or van parked nearby.
Internal pen test - In an internal test, the ethical hacker performs the test from the company’s internal network. This kind of test is useful in determining how much damage a disgruntled employee can cause from behind the company’s firewall.
Pen tests start with a phase of reconnaissance, during which an ethical hacker spends time gathering data and information that they will use to plan their simulated attack.
After that, the focus becomes gaining and maintaining access to the target system, which requires a broad set of tools.
Tools for attack include software designed to produce brute-force attacks or
There is also hardware specifically designed for pen testing, such as small inconspicuous boxes that can be plugged into a computer on the network to provide the hacker with remote access to that network.
In addition, an ethical hacker may use social engineering techniques to find vulnerabilities, for example by sending phishing emails to company employees, or even disguising themselves as delivery people to gain physical access to the building.
The hacker wraps up the test by covering their tracks; this means removing any embedded hardware and doing everything else they can to avoid detection and leave the target system exactly how they found it.
Once the threats and vulnerabilities have been evaluated, the penetration testing should address the risks identified throughout the environment.
The penetration testing should be appropriate for the complexity and size of an organization.
All locations of sensitive data; all key applications that store, process or transmit such data; all key network connections; and all key access points should be included.
The penetration testing should attempt to exploit security vulnerabilities and weaknesses throughout the environment, attempting to penetrate at both the network level and the level of key applications.
The goal of penetration testing is to determine if unauthorized access to key systems and files can be achieved.
If access is achieved, the vulnerability should be corrected and the penetration testing re-performed until the test is clean and no longer allows unauthorized access or other malicious activity.
Web application pen test - Identifies application layer flaws such as cross-site request forgery, cross-site scripting, injection flaws, weak session management, insecure direct object references and more.
Network pen test - Focuses on identifying network and system level flaws including misconfigurations, product-specific vulnerabilities, wireless network vulnerabilities, rogue services, weak passwords and weak protocols.
Physical pen test - Also known as physical intrusion testing, this testing reveals opportunities to compromise physical barriers such as locks, sensors, cameras, mantraps and more.
IoT pen test - Aims to uncover hardware and software level flaws in Internet of Things devices, including weak passwords, insecure protocols, APIs or communication channels, misconfigurations and more.
The Risk Engineering Approach for Penetration Testing typically involves the following six steps:
Information Gathering — the stage of reconnaissance against the target.
Threat Modeling — identifying and categorizing assets, threats, and threat communities.
Vulnerability Analysis — discovering flaws in systems and applications using a set of tools, both commercially available and internally developed.
Exploitation — simulating a real-world attack to document any vulnerabilities.
Post-Exploitation — determining the value of compromise, considering data or network sensitivity.
Reporting — outlining the findings with suggestions for prioritizing fixes. For us, that means walking through the results with you hand-in-hand.
Penetration testing can either be done in-house by your own experts using pen testing tools, or you can outsource to a penetration testing services provider.
A penetration test starts with the security professional enumerating the target network to find vulnerable systems and/or accounts.
This means scanning each system on the network for open ports that have services running on them.
It is extremely rare that an entire network has every service configured correctly, properly password protected, and fully patched.
Once the penetration tester has a good understanding of the network and the vulnerabilities that are present, he/she will use a penetration testing tool to exploit a vulnerability in order to gain unwelcome access.
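The enumeration described above is the same inventory a defender should already hold: which ports are listening on each host, which process owns them, and whether that matches what the host is supposed to run. As an added example (not code from the original article), the script below parses `ss -ltnp` output collected from a host and compares it against an approved baseline, flagging unexpected listeners (the "rogue services" a network pen test looks for) and services exposed on all interfaces that the baseline says should be loopback-only. The sample output, the host role and the baseline policy are constructed.

```python
"""Listening-service inventory check against a host baseline (added example).

Assumes 'ss -ltnp' output has been collected from the host; the sample lines
below are constructed to resemble a small web server, as is the baseline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of what 'ss -ltnp' prints on the hypothetical host 'web1'.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1201,fd=6))
LISTEN 0      511    [::]:443            [::]:*            users:(("nginx",pid=1201,fd=7))
LISTEN 0      128    0.0.0.0:6379        0.0.0.0:*         users:(("redis-server",pid=1400,fd=6))
LISTEN 0      5      0.0.0.0:8000        0.0.0.0:*         users:(("python3",pid=2230,fd=3))
"""

# Hypothetical approved baseline for this host role: port -> (process, loopback_only).
BASELINE = {
    22: ("sshd", False),
    443: ("nginx", False),
    6379: ("redis-server", True),   # cache must only be reachable from the host itself
}

LOOPBACK_ADDRESSES = {"127.0.0.1", "[::1]"}

_PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str


def parse_ss(text: str) -> list[Listener]:
    """Extract (address, port, process) from each LISTEN line of 'ss -ltnp' output."""
    listeners = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        address, _, port = fields[3].rpartition(":")   # handles '[::]:443' as well
        match = _PROCESS_RE.search(line)
        listeners.append(Listener(address, int(port), match.group(1) if match else "?"))
    return listeners


def audit(listeners: list[Listener]) -> list[str]:
    """Compare observed listeners with BASELINE and describe every deviation."""
    findings = []
    for lst in listeners:
        expected = BASELINE.get(lst.port)
        if expected is None:
            findings.append(f"unexpected listener {lst.process} on {lst.address}:{lst.port}")
            continue
        process, loopback_only = expected
        if lst.process != process:
            findings.append(f"port {lst.port} served by {lst.process}, baseline expects {process}")
        if loopback_only and lst.address not in LOOPBACK_ADDRESSES:
            findings.append(f"{process} on {lst.address}:{lst.port} should be loopback-only")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ss(SAMPLE_SS_OUTPUT)):
        print(finding)
```

Run across a fleet, the two findings this sample produces (a cache bound to every interface and a stray development server) are exactly the misconfigurations the text says are almost never absent from a whole network, and catching them internally is cheaper than reading about them in a pen test report.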
Security professionals do not just target systems, however. Often, a pen tester targets users on a network through phishing emails, pre-text calling, or onsite social engineering.
Your users present an additional risk factor as well. Attacking a network via human error or compromised credentials is nothing new. If the continuous cybersecurity attacks and data breaches have taught us anything, it’s that the easiest way for a hacker to enter a network and steal data or funds is still through network users.
Compromised credentials are the top attack vector across reported data breaches year after year, a trend proven by the Verizon Data Breach Report. Part of a penetration test’s job is to resolve the aforementioned security threat caused by user error. A pen tester will attempt brute-force password guessing of discovered accounts to gain access to systems and applications. While compromising one machine can lead to a breach, in a real-life scenario an attacker will typically use lateral movement to eventually land on a critical asset.
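The brute-force password guessing described above leaves a distinctive trail in authentication logs, and how quickly the security team notices it is one of the things the final report measures. As an added example (not code from the original article), the detector below reads sshd-style log lines, counts failed logins per source address inside a sliding window, and raises a second, higher-severity alert when a successful login follows such a burst, which is the pattern of a credential that has just been guessed. The log lines are constructed, and the threshold and window are illustrative policy values, not figures from any standard.

```python
"""Password-guessing detection over sshd log lines (added example).

Constructed sample log in the syslog/journal format sshd uses. The year is not
present in that format, so parse() assumes one (an assumption, not a log field).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_AUTH_LOG = """\
Mar 10 09:14:01 web1 sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 50122 ssh2
Mar 10 09:14:03 web1 sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 50123 ssh2
Mar 10 09:14:04 web1 sshd[2210]: Failed password for deploy from 198.51.100.23 port 50124 ssh2
Mar 10 09:14:06 web1 sshd[2210]: Failed password for deploy from 198.51.100.23 port 50125 ssh2
Mar 10 09:14:08 web1 sshd[2210]: Failed password for deploy from 198.51.100.23 port 50126 ssh2
Mar 10 09:14:11 web1 sshd[2214]: Accepted password for deploy from 198.51.100.23 port 50127 ssh2
Mar 10 09:20:30 web1 sshd[2300]: Failed password for alice from 203.0.113.7 port 41000 ssh2
Mar 10 09:20:45 web1 sshd[2301]: Accepted publickey for alice from 203.0.113.7 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(text: str, year: int = 2024) -> list[tuple]:
    """Return (timestamp, result, user, source) for every sshd auth line that matches."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect(events: list[tuple], threshold: int = 5, window: timedelta = timedelta(minutes=2)) -> list[dict]:
    """Alert on 'threshold' failures per source within 'window', and on a success after such a burst."""
    recent_failures = defaultdict(deque)   # source -> timestamps of failures still inside the window
    alerts = []
    for ts, result, user, src in sorted(events):
        history = recent_failures[src]
        while history and ts - history[0] > window:   # expire failures that fell out of the window
            history.popleft()
        if result == "Failed":
            history.append(ts)
            if len(history) == threshold:             # fire once, when the threshold is first reached
                alerts.append({"kind": "brute_force", "src": src, "user": None, "time": ts})
        elif len(history) >= threshold:               # a success right after a burst: likely guessed
            alerts.append({"kind": "success_after_burst", "src": src, "user": user, "time": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_AUTH_LOG)):
        print(alert)
```

The single failure from 203.0.113.7 followed by a key-based login never reaches the threshold and stays silent, while the five-attempt run from 198.51.100.23 produces both alerts. The second alert is the one worth paging on: after it, the account `deploy` should be treated as compromised and the session investigated, which is the "realize there is a breach and mitigate the impact" response time the report records.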
Another common way to test the security of your network users is through a simulated phishing attack. Phishing attacks use personalized communication methods to convince the target to do something that’s not in their best interest. For example, a phishing attack might convince a user that it’s time for a "mandatory password reset" and to click on an embedded email link. Whether clicking on the malicious link drops malware or it simply gives the attacker the door they need to steal credentials for future use, a phishing attack is one of the easiest ways to exploit network users. If you are looking to test your users’ awareness around phishing attacks, make sure that the penetration testing tool you use has these capabilities.
A penetration test is a crucial component of network security. Through these tests a business can identify:
Security vulnerabilities before a hacker does
Gaps in information security compliance
The response time of their information security team, i.e. how long it takes the team to realize that there is a breach and mitigate the impact
The potential real-world effect of a data breach or cybersecurity attack
Actionable remediation guidance
Through penetration testing, security professionals can effectively find and test the security of multi-tier network architectures, custom applications, web services, and other IT components. These penetration testing tools and services help you gain fast insight into the areas of highest risk so that you may effectively plan security budgets and projects. Thoroughly testing the entirety of a business's IT infrastructure is imperative to taking the precautions needed to secure vital data from cybersecurity hackers, while simultaneously improving the response time of an IT department in the event of an attack.