What is penetration testing?
Penetration testing, also called pen testing, is a cybersecurity practice that tests computer systems, websites, and applications for vulnerabilities open to cyber attack. Pen tests attempt to simulate an unauthorized attack to expose vulnerabilities that would allow system access. These tests can be performed automatically through security tools or manually. Penetration tests are only one component of a complete security program and its various monitoring and testing tools.
Penetration tests can happen at any point, including after the program is running, to check a program or system’s overall security health. Penetration tests aim at specific targets. Before launching the simulated attacks, information on the target is gathered to identify potential entryways. The actual break-in attempts can be performed virtually or by penetrating the system. Pen tests can also expose whether security policies and protocols are understood and being adhered to.
Penetration testing stages
There are 7 stages of penetration testing:
- Information Gathering – The organization being tested provides the penetration tester with general information, such as the scope of testing.
- Reconnaissance – By collecting additional details from publicly accessible sources, penetration testers can identify additional information that may have been overlooked, unknown, or not provided.
- Discovery and Scanning – Information gathered in the first 2 steps is then used to determine things like the ports and services available on targeted hosts, or the subdomains available for web applications.
- Vulnerability Assessment – Gain initial knowledge and identify any potential security weaknesses that could allow an outside attacker to gain access to the environment or technology being tested.
- Exploitation – After reviewing the results from the vulnerability assessment, the expert penetration testers use manual techniques, human intuition, and their backgrounds to validate, attack, and exploit those vulnerabilities.
- Final Analysis and Review – This is usually a report that tells the client their systems’ weaknesses and gives them suggestions to resolve those weaknesses.
- Utilize the Testing Results – The organization being tested must actually use the findings from the security testing to risk rank vulnerabilities, analyze the potential impact of vulnerabilities found, determine remediation strategies, and inform decision-making moving forward.
Penetration testing methods
Three penetration testing methods are used:
- Black Box Testing: the pen tester is given little to no information regarding the IT infrastructure of a business. The benefit is that it resembles a real-world attack, where the pen tester assumes the role of an uninformed attacker.
- White Box Testing: the pen tester has full knowledge and access to the source code and environment. The main aim of the test is to conduct an in-depth security audit of a business’s systems and to provide the pen tester with as much detail as possible.
- Gray Box Testing: the pen tester has partial knowledge or access to an internal network or web application.
Types of penetration testing
The different types of penetration testing can include:
- Network Services
- Web Application
- Client Side
- Wireless
- Social Engineering
- Physical Penetration Testing
