What is Penetration Testing?
Penetration Testing Definition:
Penetration testing, also known as pen testing, is an authorised attack simulation against an organisations network or applications identifying and exploiting vulnerabilities or security issues.
This article is non-technical and aims to answer the question “what is penetration testing?” often people are told they require a penetration test for compliance but do not understand what a penetration test is or fully understand the difference between a vulnerability assessment and a penetration test.
What is Penetration Testing?
Penetration testing is normally conducted against an organisations servers, and external (internet facing) infrastructure and applications. Penetration testing is a manual process where a consultant simulates the role of a real attacker but instead of only focusing on one path to entry the penetration tester will use a methodical based approach using an industry-approved penetration testing framework such as NIST SP 800 115 or the OWASP framework.
What is Penetration Testing Summary:
- An authorised attack
- Identifies vulnerabilities
- Identified vulnerabilities are exploited (as safely as possible)
- Attempts to raise privileges to identify if this is possible
- Uses pivoting to gain access to other machines within the organisation
- Discovered issues are chained together to manually exploit higher severity issues
Other Names for Penetration Testing
Another point of confusion for people and organisations tasked with penetration testing procurement is the varying names and colloquial names for penetration testing. To help clarify this we have listed other names that people may search for that essentially refer to the same service below:
- What is PEN testing
- What is pentesting
- What is a pen test
- What is a penetration test
- What is a pen-testing
- What is a pen-test
- What are pen-tests
Penetration Testing vs Vulnerability Assessment
A penetration test goes several steps further than a vulnerability assessment by exploiting vulnerabilities that are discovered during penetration testing. Attempting exploitation of the vulnerability confirms if the vulnerability can be exploited, confirming the existing of the vulnerability.
What is Penetration Testing: Post Exploitation
If an external machine or application is successfully exploited a penetration tester can perform post exploitation tasks:
What is Penetration Testing: Privilege Escalation
An operation system or application typically has user defined roles which are restrict the user the least amount of privileges possible to perform the required task.
Often when an application or computer is compromised a penetration tester will attempt to break out or raise their account privileges by performing local exploits or combining multiple security issues or vulnerabilities to raise the privilege level of the account the attacker controls. This process is called privilege escalation a typical example would be raising privileges from a standard user to admin on a Windows system, or exploiting a web application to access admin functionality as a standard user on a web application.
What is Penetration Testing: Pivoting
Pivoting is the process of using a compromised machine to gain access to other machines within the organisation. For example, if a machine is compromised it may be possible to route traffic through this machine and gain access to machines that would normally be blocked by firewalls and network segmentation.
This process helps an organistation understand how far an attacker could advance within the organisation from an externally compromised machine.
What is Penetration Testing: Data Ex-filtration
Proof is taken is taken but not stored by the penetration tester, this helps the organisation understand the risk of a breach. Identifying what data an attacker could obtain if the organisation were compromised.
Vulnerability Assessment and Penetration Testing (VAPT)
Penetration testing typically leverages industry-standard automated tools to help the tester identify common vulnerabilities or security issues. is manual with the use of industry standard commercial and open source tools to assist the testing process. Testing which uses both a vulnerability assessment and penetration testing are commonly refereed to as VAPT which stands for vulnerability assessment and penetration testing.
We hope you found this article useful and now understand a bit more about what penetration testing is, you can read more about penetration testing at: https://www.aptive.co.uk/penetration-testing/