A penetration test, or pen test, is a simulated cyberattack against a computer system to identify weaknesses that malicious hackers could use to gain unauthorized access to data and computing resources. Pen tests aim to identify as many potential security threats and vulnerabilities as possible in an environment. When conducted effectively and regularly, pen tests can help businesses identify and fix security weaknesses before cybercriminals find and exploit them. By conducting regular pen tests, organizations can get feedback on the effectiveness of their security processes and improve their overall security posture.
A third-party security firm or an internal security team can carry out a penetration test. Security professionals who perform penetration testing are called ethical hackers. Ethical hackers use various tools and techniques to conduct pen tests, depending on the type and scope of the test. A pen test may assess an entire organization or focus on a specific target, such as a network, host, cloud service, web or mobile application, or device.
More Than Vulnerability Assessments
Another common type of security testing is a vulnerability assessment. A vulnerability assessment is a structured review of the vulnerabilities in a computer or information system. Penetration tests differ from vulnerability assessments in their focus and depth. While vulnerability assessments help to identify and categorize known flaws in a system, pen tests go further by actively exploiting the flaws to mimic the behavior of real-world attackers. In this way, pen tests can uncover known and unknown vulnerabilities while objectively assessing the potential damage and risk of a cyberattack.
Why do I need a Penetration Test?
Penetration tests are essential to a holistic security strategy that helps businesses prevent, detect, and respond to cyberattacks. Pen tests can help organizations uncover dangerous vulnerabilities and exploits before an attacker does. Additionally, they can help companies comply with data security regulations that mandate specific security controls and periodic security testing. As part of a complete security program, penetration testing can help businesses protect their revenue and reputation from cyber threats.
Penetration tests offer many benefits:
- They go beyond simple vulnerability scanning to exploit discovered vulnerabilities. In doing so, they provide a better understanding of your level of exposure than vulnerability scanning alone.
- They may reveal previously undiscovered vulnerabilities in your environment. Additionally, they can help identify avenues of attack not previously considered.
- They help organizations comply with privacy legislation and industry regulations, such as GDPR, HIPAA, and PCI.
- They aid security staff in developing and testing incident detection and response capabilities in a controlled environment.
Types of Penetration Tests
Penetration tests vary in their scope, scale, and duration. They also differ in the information and access available to the tester. Security professionals often categorize pen tests as external or internal, closed or open, and cooperative or covert.
External vs. Internal
An external penetration test begins outside the perimeter defenses or access boundaries of an organization or application. It simulates attacks from external threats and is often used to identify potential entry points into a network, system, or application. On the other hand, an internal penetration test starts on the inside, usually by providing the tester access to the internal network or supplying the tester with a user account for an application.
While the goal of an external pen test is most often to breach exterior defenses, an internal pen test targets the security controls intended to protect resources from internal threats. Also, note that an external pen test may evolve into an internal one once the tester establishes a foothold in the environment.
Closed-Box vs. Open-Box
Another way to categorize a pen test is by the amount of information made available to the tester, which ranges from zero knowledge to full disclosure.
- Closed-box tests are conducted without prior knowledge of the target or its internal operation. The tester is responsible for uncovering information about the target using public sources, automated tools, and manual techniques. Closed-box testing is also known as black-box testing.
- Open-box tests are performed with full knowledge of the target. The tester may acquire information through staff interviews, source code review, network and architecture diagrams, API specifications, communication flows, and internal algorithms used by an application. Open-box testing is also known as white-box or crystal-box testing.
- Gray-box tests are executed with partial knowledge of the target. The client provides some, but not all, information to the tester, which may include elevated user permissions and various product documentation.
Cooperative vs. Covert
Finally, a pen test may be classified based on the level of cooperation between the penetration testers and an organization’s IT staff.
- Cooperative pen tests are conducted with the full knowledge and cooperation of an organization’s IT department. The testers and IT staff work closely to scope and support the pen test.
- Covert pen tests are performed with the approval of an organization’s upper management but without the knowledge of the IT staff. The goals of a covert pen test are twofold: 1) to closely simulate a real-world attack and 2) to test the responsiveness and effectiveness of a security program. Covert pen tests, also known as red teaming, are typically conducted over extended periods, involve more personnel, and are more costly than cooperative pen tests.
5 Phases of Penetration Testing
According to EC-Council, professional penetration tests have five distinct phases:
- Reconnaissance
- Scanning
- Vulnerability assessment
- Exploitation
- Reporting
Reconnaissance
During the initial phase of a penetration test, the tester gathers as much information as possible about the target environment, which the tester uses to develop an attack strategy. The tester may obtain information directly from the client, compile it from public sources, such as search engines, or collect it using automated tools or manual techniques. The success of a pen test and the quality of its findings often come down to diligence during the reconnaissance phase.
Scanning
The second penetration testing phase involves using automated tools, such as vulnerability scanners, to enumerate the target environment. The tester will commonly look for missing security controls, vulnerable software versions, insecure application features, hidden or unprotected resources, and system misconfigurations.
Vulnerability assessment
Armed with information from the first two phases, the tester will identify specific vulnerabilities to exploit. The tester will then prioritize vulnerabilities based on severity and level of effort, focusing on high-severity, low-effort vulnerabilities first. If these fail to yield results, the tester will move on to lower-severity vulnerabilities and exploits requiring more effort.
Exploitation
After completing the vulnerability assessment and formulating an attack strategy, the tester proceeds to the exploitation phase. During this phase, the tester uses one or more vulnerabilities to gain access and elevate permissions. The process of elevating permissions is known as privilege escalation. The tester must take care to avoid disrupting services for other users or leaving the target system in an insecure state.
Reporting
During the final penetration testing phase, the tester prepares a report documenting the test results. In the report, the tester summarizes the findings, describes each vulnerability in detail, outlines the risk to the organization, and offers recommendations for remediating or mitigating the vulnerabilities. The report will often include a detailed discussion of successful exploits and the resulting access gained.
How often should I get a penetration test?
There is no definitive answer to how often you should perform a penetration test. It depends on various factors, such as your organization’s size, complexity, industry, and the frequency of changes and updates to your IT environment. At a minimum, GreyKeep Security recommends performing a penetration test annually. However, more frequent testing may be appropriate in the following cases:
- You perform a significant upgrade to your infrastructure or applications.
- Your organization has a high-risk profile or stringent privacy requirements.
- Your organization undergoes a significant change in structure, such as a merger or acquisition.
- You detect malicious activity within your environment.
- You remediate a large number of vulnerabilities from a previous penetration test.
Also, understand that pen testing is not a one-time activity but a continuous process that helps you improve your security posture and reduce risk over time. You can supplement penetration testing with automated vulnerability scanning; however, vulnerability scanning is not a substitute for pen testing, as it cannot exploit flaws or mimic attackers’ behavior.
What should I expect during my first pen test?
The entire penetration testing cycle, from initial contact to final report delivery, can take 3-6 weeks, depending on scope, scheduling, and availability. This includes 1-4 weeks of testing on average. Most penetration tests conducted by professional security firms follow a similar structure consisting of the following steps and milestones:
1. Introductory consultation – The security firm meets with the client to discuss the client’s needs and review the firm’s services.
2. Scoping – The firm assigns a project manager (PM) to manage the engagement. The PM schedules a scoping call to discuss the testing requirements in more detail. Scoping allows the firm to plan and price the pen test accurately.
3. Rules of engagement (ROE) – The PM generates a test plan that outlines the activities to be undertaken by the pen test team during the engagement. Additionally, the ROE specifies when and how the team will conduct testing. It also documents any restrictions to testing, such as blackout dates/times and off-limits systems, and gives the pen test team approval to conduct testing.
4. Project kick-off – The PM schedules a kick-off call to align stakeholders and testers. The kick-off usually coincides with the first day of testing. At this point, the pen test is underway. You usually won’t notice the testing activity unless you closely monitor system logs.
5. Status updates – The PM schedules periodic status calls to review test progress, discuss current findings, and resolve any blockers to progress. In addition, the project manager may provide daily updates over email or direct messaging apps.
6. Report generation – Upon completion of testing, the pen test team generates a report documenting its findings. The PM delivers the report to the client along with vulnerability scanner output, log files, and other supporting information.
7. Read-out call – Following the delivery of the final report, the PM schedules a call to discuss the pen test results and answer any questions.
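The kick-off step above notes that testing activity is usually only visible to someone closely monitoring system logs, and the benefits list earlier points out that a pen test is a chance to exercise incident detection in a controlled setting. As an added example (not GreyKeep Security's code and not part of the original article), the following Python script shows one simple check a defender could run over web server access logs during an engagement: it parses constructed sample lines in the common "combined" log format and flags any source address that requests five or more distinct non-existent paths within 60 seconds, the kind of burst the scanning phase described above leaves behind. The log lines, IP addresses, threshold and time window are all assumptions made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access log in Apache/nginx "combined" format.
# Addresses are from documentation ranges; none of this is real traffic.
# One deliberately malformed line is included to show it is skipped.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:13:55:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:13:55:03 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
this line is not in combined log format
198.51.100.23 - - [10/Mar/2024:13:56:00 +0000] "GET /admin HTTP/1.1" 404 512 "-" "curl/8.0"
198.51.100.23 - - [10/Mar/2024:13:56:01 +0000] "GET /backup HTTP/1.1" 404 512 "-" "curl/8.0"
198.51.100.23 - - [10/Mar/2024:13:56:01 +0000] "GET /test HTTP/1.1" 404 512 "-" "curl/8.0"
198.51.100.23 - - [10/Mar/2024:13:56:02 +0000] "GET /old HTTP/1.1" 404 512 "-" "curl/8.0"
198.51.100.23 - - [10/Mar/2024:13:56:02 +0000] "GET /config HTTP/1.1" 404 512 "-" "curl/8.0"
198.51.100.23 - - [10/Mar/2024:13:56:03 +0000] "GET /login HTTP/1.1" 404 512 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:13:57:10 +0000] "GET /missing-page HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

# Regular expression for one "combined" log line: client, identd, user,
# [timestamp], "request line", status, size, "referer", "user agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_probing(lines, window_seconds=60, threshold=5):
    """Flag sources that request `threshold` or more distinct not-found paths
    within `window_seconds`. Both tuning values are assumptions for this example.

    Returns a dict mapping each flagged IP to the sorted list of distinct
    404 paths it requested while it was over the threshold."""
    # Per-source sliding window of (timestamp, path) for 404 responses only.
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue  # unparseable or not a "not found" response
        ip, ts = rec["ip"], rec["ts"]
        window = recent[ip]
        window.append((ts, rec["path"]))
        # Drop entries that have aged out of the window (log is time-ordered).
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        distinct = {path for _, path in window}
        if len(distinct) >= threshold:
            flagged.setdefault(ip, set()).update(distinct)
    return {ip: sorted(paths) for ip, paths in flagged.items()}


if __name__ == "__main__":
    for ip, paths in detect_probing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(paths)} distinct not-found paths, e.g. {paths[:3]}")
```

Run against the sample, the script reports only 198.51.100.23, which requested six distinct missing paths in three seconds; the ordinary visitor at 203.0.113.7 has a single 404 and is not reported. In practice the window and threshold would be tuned against a baseline of normal traffic, and the same sliding-window idea applies to other sources such as firewall connection logs or authentication failures.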
Need a penetration test?
Does your organization need a penetration test or other cybersecurity services? GreyKeep Security offers a full suite of security services, from penetration testing to complete security program development. Contact GreyKeep Security for a no-cost introductory consultation. Let us help you become more secure today!