Penetration testing is defined as a series of simulated attacks authorized by an organization to test for security holes in its infrastructure. This article explains penetration testing, its different types, methods, and best practices.
Penetration testing is a series of simulated attacks authorized by an organization to test for security holes in its infrastructure. It is also known as pen testing.
Like financial audits and compliance audits, penetration testing is a security audit. It is designed to assess how much cybercriminal activity the company’s technical infrastructure can withstand.
Penetration testing is relevant to any organization that runs a non-trivial operational system. Specific industries, such as healthcare and finance, handle copious amounts of sensitive data and are therefore regulated to maintain a sound security posture. Companies in these industries need structured pen testing to comply as well.
Pen testing is not the same as vulnerability assessment. A vulnerability assessment scans the entire system for existing, known weaknesses. One example is checking for forgotten ‘zombie’ servers that could be brought back up and reconnected to the company’s network without anyone noticing.
A pen test uses information gleaned from vulnerability assessment to attack the system. The ease and impact of these attacks are documented and presented to the company.
Why penetration testing?
Most industries are online now thanks to cheap hardware, immense processing power, and cellular networks. This means that the stakes get higher when cybercriminals set out to attack a company’s systems. In their 2022 Cybersecurity Almanac, Cisco and Cybersecurity Ventures estimated that the cost of cybercrime will hit $10.5 trillion a year by 2025.
Enterprises are waking up to these costs and damages. IBM and Ponemon Institute state in their 2021 Cost of a Data Breach report that it takes an average of 287 days for security teams to identify and contain a data breach. This is time that companies can no longer afford.
When done right, penetration testing can help organizations:
- Fine-tune security controls and policies.
- Find gaps in systems that make the entire organization vulnerable.
- Comply with regulations such as HIPAA, GDPR, and PCI DSS that demand data security and privacy.
- Spot errors that inevitably crop up during the translation of business policies to technical requirements.
Who does penetration testing?
This process is typically done by teams or contractors specializing in ethical hacking. Pen testing team members hold compliance certifications, cybersecurity degrees, and niche certifications such as Certified Ethical Hacker (CEH). These teams combine manual and automated attacks, which lets experts spot vulnerabilities that automation alone cannot pick up.
Penetration testing as a service (PTaaS) providers offer automated platforms for running pen tests. They provide a dashboard to allow organizations to choose which battery of pen tests to run and when. PTaaS provides an inexpensive option to pen test but compromises on identifying business logic holes.
An essential skill of a pen tester is the ability to think like a cybercriminal.
Tools used for penetration testing
The tools required for penetration testing vary based on the scope of the activity. At the network level, pen testers use port scanners, web proxies, and network sniffers. Application scanners and vulnerability scanners go through the different layers of the system. Password crackers are used to discover weak passwords. Even phishing emails are used to test employee readiness in dealing with social engineering attacks. These tools keep changing, reflecting the ever-evolving landscape of cyber threats.
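As an added illustration of what a password cracker actually does with a set of recovered hashes (this is example code written for this article, not a tool from the original text): the script below takes a constructed, purely illustrative dump of SHA-256 password hashes, expands a tiny wordlist with the mangling rules users apply to satisfy password policies (capitalize, append a year or a ‘!’), and cracks the weak entries. It also shows why unsalted hashes are a tester’s dream: a single precomputed table cracks every account at once, whereas per-user salts force the whole candidate list to be re-hashed for every user. The account names, salts and wordlist are all made up for the example.

```python
import hashlib


def sha256_hex(s: str) -> str:
    """Hex digest of the UTF-8 encoding of s (unsalted and fast: exactly what a cracker likes)."""
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed sample "dump" standing in for password hashes recovered during an engagement.
# These are illustrative accounts, not real ones.
UNSALTED_DUMP = {
    "alice": sha256_hex("Summer2023!"),
    "bob": sha256_hex("password1"),
    "carol": sha256_hex("correct horse battery staple"),  # strong: should survive the run
}

# The same passwords stored as sha256(salt + password) with a (constructed) per-user salt.
SALTED_DUMP = {
    "alice": ("k9Qz", sha256_hex("k9Qz" + "Summer2023!")),
    "bob": ("x2Lm", sha256_hex("x2Lm" + "password1")),
    "carol": ("p7Wd", sha256_hex("p7Wd" + "correct horse battery staple")),
}

# Constructed mini wordlist; a real engagement would use a large public list.
WORDLIST = ["password", "summer", "welcome", "admin", "letmein"]


def mangle(word):
    """Yield the base word plus the common variants users apply to satisfy password policies."""
    bases = list(dict.fromkeys([word, word.capitalize(), word.upper()]))
    for base in bases:
        yield base
        for suffix in ("1", "123", "2023", "!", "2023!"):
            yield base + suffix


def candidates(wordlist):
    return [c for w in wordlist for c in mangle(w)]


def crack_unsalted(dump, wordlist):
    """Unsalted hashes: one precomputed table of candidate hashes cracks every user at once.
    Returns (cracked, number_of_hash_computations)."""
    table = {sha256_hex(c): c for c in candidates(wordlist)}
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return cracked, len(table)


def crack_salted(dump, wordlist):
    """Salted hashes: every candidate has to be re-hashed for every user, so the cost grows
    with the number of accounts instead of being paid once."""
    cracked, ops = {}, 0
    cands = candidates(wordlist)
    for user, (salt, digest) in dump.items():
        for cand in cands:
            ops += 1
            if sha256_hex(salt + cand) == digest:
                cracked[user] = cand
                break
    return cracked, ops


if __name__ == "__main__":
    found, ops = crack_unsalted(UNSALTED_DUMP, WORDLIST)
    print(f"unsalted: cracked {found} with {ops} hash computations")
    found, ops = crack_salted(SALTED_DUMP, WORDLIST)
    print(f"salted:   cracked {found} with {ops} hash computations")
```

The two weak passwords fall to a 90-entry candidate list either way; what changes is the bill. The finding a tester writes up is therefore twofold: the weak passwords themselves, and the fact that the application stores them with a fast, unsalted hash instead of a slow, salted one.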
Pen testing experts, along with the company, decide what the scope of the undertaking is and what tools are required for a successful test.
Note that success in this context is not about discovering a bug-free platform. Success is zeroing in on the exact nature and location of multiple security issues that may be hidden within the infrastructure.
Penetration testing can be classified into different types based on the area of focus. More often than not, testers use a combination of these to get a complete picture. The most common types of pen tests are:
1. Network penetration testing
- Area of Focus: Network infrastructure, both internal and external-facing network devices.
- Objective: The objective is to find vulnerabilities in network services and infrastructure. This includes wireless networks and relevant protocols.
- Attacks Deployed: Routing-based attacks, man-in-the-middle attacks, proxy server attacks, firewall bypassing, DNS footprinting, SSH attacks, open port scanning, network fuzzing.
- Expected Outcome: Information about open ports, exposed routes, and necessary reconfigurations required, among other observations.
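The ‘open port scanning’ step above is simple enough to show end to end. The following is an added example for this article, not a tool from the original text: it starts a few mock services on loopback with constructed banners (the SSH and SMTP greeting formats are real, the hosts and versions are made up), then runs a concurrent TCP connect scan that records each port’s state, grabs whatever banner the service volunteers, and makes a minimal service guess from it. Everything runs against 127.0.0.1 so it can be executed offline; point it at anything else only with written authorization.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed banners for mock services that run on loopback only. Real SSH and SMTP servers
# announce themselves in the same shape, which is what makes banner grabbing useful.
MOCK_BANNERS = {
    "ssh": b"SSH-2.0-OpenSSH_9.3\r\n",
    "smtp": b"220 mail.example.test ESMTP ready\r\n",
    "silent": b"",  # a service that waits for the client to speak first
}


def start_mock_service(banner):
    """Listen on a free 127.0.0.1 port and serve `banner` to every client from a daemon thread.
    Returns the port number so the scanner can target it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                if banner:
                    conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_closed_port():
    """Pick a port that is (almost certainly) closed: bind to 0, read the port, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe(host, port, timeout=1.0):
    """TCP connect scan of one port. On success, wait briefly for a banner."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(0.5)
            try:
                banner = s.recv(256)
            except OSError:            # read timeout or reset: treat as "no banner"
                banner = b""
        return port, "open", banner.decode(errors="replace").strip()
    except OSError:                    # refused, filtered (connect timeout), unreachable
        return port, "closed", ""


def fingerprint(banner):
    """Minimal service guess from the banner. Real scanners use large signature databases."""
    if banner.startswith("SSH-"):
        return "ssh"
    if banner.startswith("220 ") and "SMTP" in banner.upper():
        return "smtp"
    return "unknown" if not banner else "other"


def scan(host, ports, workers=32):
    """Scan `ports` concurrently; return {port: {"state", "banner", "service"}}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p), ports))
    return {
        port: {"state": state, "banner": banner,
               "service": fingerprint(banner) if state == "open" else None}
        for port, state, banner in results
    }


if __name__ == "__main__":
    ports = [start_mock_service(b) for b in MOCK_BANNERS.values()] + [free_closed_port()]
    for port, info in scan("127.0.0.1", ports).items():
        print(port, info)
```

Note the three different outcomes the scanner distinguishes: a service that announces itself (and therefore its software version), an open port that says nothing until spoken to, and a port with nothing behind it. The silent case is the one that needs follow-up probes in a real engagement, and a connect timeout rather than a refusal usually means a firewall is filtering the port.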
2. Web application testing
- Area of Focus: Web applications.
- Objective: Web application penetration testing tries to identify security holes in web applications exposed to consumers, partners, and other services.
- Attacks Deployed: SQL injection, interception of unencrypted network traffic, cross-site scripting, cross-site request forgery, web cache poisoning, password cracking.
- Expected Outcome: Listing security issues in prominent areas such as the company website or portal, payment gateways, content management systems, CRM software, etc.
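SQL injection, the first attack in the list above, is worth seeing beside its fix. The block below is an added example written for this article (not code from the original text): a login function built by string concatenation, the parameterised version of the same query, and a small probe that tries the payloads a tester would type into the username field. The users table is constructed in memory with SQLite; passwords are stored in clear text only to keep the demonstration short, which a real application must never do.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cret-admin-pw", "admin"), ("alice", "alice-pw", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Classic defect: untrusted input spliced into the SQL text."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()  # (username, role) or None


def login_safe(conn, username, password):
    """Parameterised query: values travel separately from the SQL, so quotes are just data."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


# Payloads a tester would try in the username field, paired with a deliberately wrong password.
# "--" starts an SQL comment, so everything after it (including the password check) is ignored.
SQLI_PAYLOADS = ["admin' --", "' OR '1'='1' --", "admin' OR 1=1 --"]


def probe_for_sqli(login_fn, conn):
    """Return the payloads that log in without knowing a valid password."""
    return [p for p in SQLI_PAYLOADS if login_fn(conn, p, "not-the-password") is not None]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login bypassed by:", probe_for_sqli(login_vulnerable, db))
    print("safe login bypassed by:      ", probe_for_sqli(login_safe, db))
```

All three payloads log the attacker in as the first row of the table (the admin account) against the concatenated query and none of them work against the parameterised one. In a real test the finding is the bypass itself plus its blast radius: the same defect usually lets an attacker read or modify other tables, not just skip a password check.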
3. Physical penetration testing
- Area of Focus: Physical premises, and the access cards, tokens, and devices that control entry to them and to sensitive information.
- Objective: Physical penetration testing aims to test the organization’s physical security.
- Attacks Deployed: Bypassing restricted entry zones, procuring access cards and authentication key fobs, dumpster diving.
- Expected Outcome: Security holes in existing infrastructure and business policies with respect to access cards, portable hardware, and the disposal of sensitive material.
4. Mobile application testing
- Area of Focus: Mobile applications.
- Objective: The purpose is to spot vulnerabilities in application binaries running on mobile devices.
- Attacks Deployed: Reverse engineering through source code and metadata extraction, exploiting cross-platform development issues, and abusing poor device hygiene and weak authentication.
- Expected Outcome: Report security gaps in coding frameworks and client-side patch management, among others.
5. Cloud penetration testing
- Area of Focus: Cloud environments that are maintained in-house or by third-party service providers like AWS.
- Objective: Cloud penetration testing scrutinizes cloud-specific controls such as configuration, security, and data policies. Cloud pen testing is always done with strict guidelines from the cloud service provider. It is additional testing on top of the cloud vendor’s security commitments.
- Attacks Deployed: Exploiting misconfigurations (especially in CDNs), vulnerable cloud accounts, outdated software, etc.
Certain types of attacks are prohibited by cloud vendors. AWS and Microsoft Azure, for example, do not allow denial-of-service or distributed denial-of-service (DDoS) testing against their infrastructure. Google Cloud Platform does not allow the distribution of trojans.
- Expected Outcome: A complete picture of security holes in each cloud component, with information on what action needs to be taken by the company, the cloud provider, or both.
6. Social engineering testing
- Area of Focus: Human errors.
- Objective: The objective is to find out whether employees can be manipulated into revealing critical information and user credentials.
- Attacks Deployed: Phishing, vishing, pretexting, tailgating, dumpster diving.
- Expected Outcome: Recommendations of required employee training and business policy changes.
7. Network device testing
- Area of Focus: Embedded devices (IoT) and mobile devices connecting to the company network.
- Objective: Network device penetration testing pokes at different hardware that connect to the organization’s network.
- Attacks Deployed: Eavesdropping, privilege escalation attacks, man-in-the-middle attacks, firmware hijacking, and exploiting unpatched devices.
- Expected Outcome: Findings on existing embedded devices and on devices connected remotely to the system. Recommendations may range from patch management policy changes to discarding specific firmware altogether.
8. DevOps testing
- Area of Focus: CI/CD pipelines and containers.
- Objective: It aims to look for vulnerabilities in DevSecOps processes and tools.
- Attacks Deployed: Exploiting container misconfigurations (in Docker, for example), combined with static scanning of pipeline definitions and application code.
- Expected Outcome: Mostly automated reports on problematic code, misconfigurations, and inappropriate workloads.
9. Interface testing
- Area of Focus: Application programming interfaces (APIs).
- Objective: API penetration testing abuses the communication that flows through APIs to reach the database and server-side caches behind them.
- Attacks Deployed: Exploiting broken object-level authorization, spotting excessive data exposure, and looking for configuration problems such as missing rate limiting.
- Expected Outcome: A list of API vulnerabilities that could be used to expose data in transit.
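The three API problems named above (broken object-level authorization, excessive data exposure and missing rate limiting) fit in one small model. The following is an added example for this article, not code from the original text: a constructed order store with two customers, a handler with all three defects beside its hardened form, a fixed-window rate limiter, and an `enumerate_ids` helper that does what an API tester does first, which is walk sequential ids as a single authenticated caller and see what comes back. The data, field names and limits are all invented for the example.

```python
import time

# Constructed sample data store: two customers, one order each. Fields after "total" are
# internal and must never reach an API caller.
ORDERS = {
    101: {"id": 101, "owner": "alice", "total": 42.0, "card_last4": "4242", "internal_margin": 0.31},
    102: {"id": 102, "owner": "bob", "total": 17.5, "card_last4": "1111", "internal_margin": 0.12},
}
PUBLIC_FIELDS = ("id", "owner", "total")


def get_order_vulnerable(caller, order_id):
    """BOLA: any authenticated caller can read any order by guessing its id, and the whole
    record (internal fields included) is serialised: excessive data exposure."""
    return ORDERS.get(order_id)


def get_order_safe(caller, order_id):
    """Object-level authorization plus an explicit response schema."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != caller:
        return None  # same answer for "missing" and "not yours": no id oracle
    return {k: order[k] for k in PUBLIC_FIELDS}


class RateLimiter:
    """Fixed-window limiter keyed by caller. `clock` is injectable so it can be tested."""

    def __init__(self, limit, window_s, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window_s, clock
        self._windows = {}

    def allow(self, caller):
        now = self.clock()
        start, count = self._windows.get(caller, (now, 0))
        if now - start >= self.window:
            start, count = now, 0
        count += 1
        self._windows[caller] = (start, count)
        return count <= self.limit


def enumerate_ids(handler, caller, id_range, limiter=None):
    """Tester's view: walk sequential ids as one caller and record which ones return data.
    Returns (ids_found, requests_blocked_by_rate_limit)."""
    found, blocked = [], 0
    for oid in id_range:
        if limiter is not None and not limiter.allow(caller):
            blocked += 1
            continue
        if handler(caller, oid) is not None:
            found.append(oid)
    return found, blocked


def leaked_fields(handler, caller, order_id):
    """Fields in a response that are not part of the public schema."""
    resp = handler(caller, order_id) or {}
    return set(resp) - set(PUBLIC_FIELDS)


if __name__ == "__main__":
    print("vulnerable:", enumerate_ids(get_order_vulnerable, "alice", range(100, 105)))
    print("safe:      ", enumerate_ids(get_order_safe, "alice", range(100, 105)))
    print("leaked:    ", leaked_fields(get_order_vulnerable, "alice", 102))
    limited = RateLimiter(limit=3, window_s=60)
    print("rate-limited:", enumerate_ids(get_order_safe, "alice", range(100, 110), limited))
```

Against the vulnerable handler the enumeration returns both orders, including another customer’s card digits; against the safe one it returns only the caller’s own order with the public fields, and with the limiter in place most of the sweep is refused outright. Returning the same ‘not found’ answer for a missing id and for someone else’s id matters too: a distinguishable response would still let the tester count how many orders exist.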
Penetration testing is a huge undertaking involving the entire infrastructure and numerous stakeholders across the organization. The Penetration Testing Execution Standard (PTES), a baseline standard created by a team of security consultants and analysts, defines seven phases: pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting. This article groups them into the six stages below.
Stage 1: Scoping
The first stage of the penetration testing process is to nail down precisely what the scope of the activity will be.Â
Creating a scope requires inputs from three sets of people. High-level executives and stakeholders decide on how much impact the business can take, along with budgeting inputs. Technical and security personnel educate testers on the ‘technical boundaries’: which assets are to be covered and how they are connected. Penetration testers learn how to leverage this information to develop the best pen test strategies.
This stage also encompasses the pre-engagement interactions. Before deciding on the pen testing team, organizations must ensure they’re qualified and can work with their existing infrastructure.
The output of this phase is a document that contains:
- Pen test team details
- Technical and business points of contact from within the organization
- Assets and systems to be analyzed
- Pen test methods to be used
- High-level use cases
- Compliance requirements to be managed
- Duration of testing
Stage 2: Reconnaissance
Also known as ‘intelligence gathering’, this stage involves testers looking for publicly available information. This information, along with the information provided by the organization, provides a starting point for evaluating the organization’s attack surface.
The information collected during this stage includes:
- Physical information, such as building address, type of building, security personnel, etc.
- Products and services offered by the organization
- Organizational chart and details of top-level executives
- Network providers, service providers such as AWS and Google Workspace, etc.
External footprinting gathers information about the organization from outside its perimeter, both passively from public sources and by direct interaction with exposed systems and third parties. Internal footprinting covers data collected from inside the organization, such as from employees.
By the end of this stage, testers will have a good idea of the infrastructure and a high-level view of possible vulnerabilities.
Stage 3: Vulnerability assessment
Armed with information collected during reconnaissance, testers create a list of assets and services that one can exploit. A threat model is designed with a ranked list of potential threats or an attack tree.
This is done by scanning the appropriate components of the system. Active testing involves using tools like application scanners to smoke out vulnerabilities. Passive testing involves monitoring network traffic within the system and waiting for abnormal activity.
Vulnerability assessment has two steps: identification and validation. In some cases, especially with black box testing, some of the reported threats turn out to be harmless false positives. These are filtered out during the validation step. Validation relies on routine checks such as mapping reported software versions to known issues and confirming configuration parameters.
Assessment is also done at two levels. Dynamic analysis inspects the application while it’s running. This provides a real-time view of the system while highlighting any run-time issues. Static analysis examines application code for holes without running it.
At the end of this stage, testers have a list of potential vulnerabilities, ranked by severity.
Stage 4: Exploitation
Armed with the vulnerabilities, testers attack the system using a combination of penetration testing types and tools. For example, the Social-Engineer Toolkit is a Python-based suite of tools that one can use to set up malicious websites and send out fake emails. Pen testers use it to test how employees respond to phishing.
When this stage ends, testers may have succeeded in breaching the system. They have a detailed report on the nature of each discovered threat, the effort required for each attack, and the impact on infrastructure and business.
Stage 5: Maintaining access
The end goal of a pen test doesn’t stop at just entering a system. Testers now try to maximize impact by staying within the system, the way an advanced persistent threat would. Persisting gives a clearer picture of the infrastructure and allows more data and assets to be compromised. This is done through privilege escalation, lateral movement, and tampering with data packets and database queries.
Stage 6: Reporting
By this stage, pen testers have a definite idea of the various threats and their risk impacts. Typically, two reports are generated: one for the executive level, outlining the business impact, bottom-line impact, and strategic roadmap. The other report provides the tech teams with detailed technical findings, test cases, and fault triggers.
Both reports also assess how the organization’s incident response and current monitoring capabilities fared during the test. A remediation roadmap is suggested.
Apart from reports, penetration testers may also hold a workshop to explain the findings, where the company can discuss long- and short-term solutions.
Penetration testing methods are decided at the beginning of the process. The output of the entire exercise heavily relies on who is armed with what sort of information.
Three methods of pen testing, based on the scope of the tester’s knowledge, are:
- White box method: The testers are given complete knowledge and access to the organization’s systems. The transparent nature of this method ensures speedy results. Armed with comprehensive knowledge about every piece of code and hardware, vulnerabilities in the remotest corners can be smoked out.
- Black box method (or blind testing): The testers are presented with no information about the system beyond the organization’s name and whatever is publicly available. This puts them on the same ground that cybercriminals tread on. It takes the longest time and requires creativity and foresight.
- Grey box method: The testers are provided with minimum access, such as a set of credentials. A basic overview of the infrastructure is provided. This establishes a solid starting point, meaning it takes less time than black box testing.
From the organization’s point of view, there are two penetration testing methods:
- Double-blind testing: During a double-blind test, the organization’s security personnel are not made aware of an ongoing penetration test; only a handful of employees know about it. It is double-blind because the testers also work in black box mode. Double-blind testing allows organizations to gauge their response and escalation procedures.
- Targeted testing: Testers and security personnel work closely in this method, providing real-time feedback as they go through the movements. While this takes the least time, the mutual hand-holding might result in security blind spots.
The following best practices help organizations maximize the benefits of penetration testing.
1. Hire the right people
Penetration testing requires an eclectic mix of procedure and out-of-the-box thinking. Expertise is needed at the technical and industry level. While creating a team, finding personnel certified by organizations such as CREST would be ideal. The National Cyber Security Centre (NCSC) in the UK recommends that all government bodies use penetration testers approved under its CHECK scheme.
2. Prepare for the pen test
Establishing scope and boundaries are just the first step of a pen test. Even before diving into the actual testing, a series of steps need to be taken:
- Get in touch with third-party service providers and vendors to get authorization for a pen test.
- Identify the staff who will actively and passively be involved.
- Freeze new development and feature releases for the duration of the test.
- Finish updates and a round of patching before the test starts.
- Depending on the methodology, create user accounts and access roles for testers.
- Sometimes, a test environment may need to be created for pen testing to test attacks such as DDoS. These must be as close to the production environment as possible. One cannot touch this environment for development or testing reasons.
3. Choose the proper pen testing framework
While the different stages of penetration testing are the same at a broader level, it helps to choose a specific framework and stick to it. Other available guidelines, besides PTES, are the Information System Security Assessment Framework (ISSAF), the National Institute of Standards and Technology’s (NIST) security assessment methodology (SP 800-115), and the Open Source Security Testing Methodology Manual (OSSTMM).
4. Build attacker profiles
Thinking like a cybercriminal is crucial to the pen testing process. A structured way of doing this is to create attacker profiles or personas beforehand. One must gather these personas based on the infrastructure, the organization’s public offerings, and the industry. Once collected, they need to be ranked and shortlisted based on motive and business impact. For instance, a cybercriminal looking to infiltrate a bank’s system may resort to phishing.
5. Document a communication plan
Penetration testing involves a lot of assets and a lot of people. Proper channels of communication need to be maintained. Regular meetings must be held to keep track and exchange findings. Designate one or more employees who are constantly available to the pen testing team in case of any incidents.
6. Include data sources and remotely accessible resources
A data center is only as secure as its data source. While it may be tempting to focus on just the database, the source of this data needs to be tested for vulnerabilities. Testers can attack interfaces and data transfer channels between these sources and the system. In the case of industries like finance, this is also part of their compliance requirements. Also, remember to add remote endpoints to the technical boundaries.
7. Plan for changing scope and factor in unplanned risks
Once the testing starts, pen testers may discover additional components that were unwittingly left out of scope. Room should be made for such omissions when budgeting money and time. In such situations, pen testers and the organization can either extend the scope or exclude these components because their security impact is low.
A documented process must also be in place for unplanned incidents or issues, such as a test that disrupts a production service. This should be covered by the breach clause in the SLA. Both should be added to the communication plan.
8. Ensure that a robust monitoring and logging system is in place
The whole pen testing process causes a lot of upheaval in the system. To best keep track, it is crucial to have a competent monitoring and logging solution in place.
Penetration testing works best with mutual understanding and communication between testers and the organization. It is not a one-time process. Depending on industry regulations, it might need to be done monthly or yearly. Choosing a pen testing team must be based on this frequency and the associated costs. It is important to remember that a well-executed pen test will not disrupt daily operations and only benefit the company in the long run.