What is Penetration Testing?

Pen Test Definition:

Aptive
Apr 23, 2017

Penetration testing, also known as pen testing, is an authorised attack simulation against an organisation's network or applications that identifies and exploits vulnerabilities or security issues.

This article is non-technical and aims to explain pen testing. People are often told they require security testing for compliance, but do not fully understand the difference between a vulnerability assessment and a pen test.

What is Penetration Testing?

A form of security testing typically conducted against an organisation's servers and external (internet-facing) infrastructure and applications. Pen testing is a manual process in which a consultant simulates the role of a real attacker, but instead of focusing on only one path to entry, the penetration tester uses a methodical approach based on an industry-approved framework such as NIST SP 800-115 or the OWASP testing framework.

What is Penetration Testing Summary:

  • An authorised attack
  • Identifies vulnerabilities
  • Identified vulnerabilities are exploited (as safely as possible)
  • Attempts to raise privileges to determine whether escalation is possible
  • Uses pivoting to gain access to other machines within the organisation
  • Discovered issues are chained together to manually exploit higher severity issues

Penetration Testing vs Vulnerability Assessment

A penetration test goes several steps further than a vulnerability assessment by exploiting the vulnerabilities that are discovered during testing. Attempting exploitation confirms whether the vulnerability can actually be exploited, confirming that the vulnerability exists rather than being a false positive.

Post Exploitation

If an external machine or application is successfully exploited, a penetration tester can perform the following post-exploitation tasks:

Privilege Escalation

An operating system or application typically has defined user roles that restrict the user to the least amount of privilege needed to perform the required task.

Often, when an application or computer is compromised, a penetration tester will attempt to break out of, or raise, their account privileges by performing local exploits or by combining multiple security issues or vulnerabilities to raise the privilege level of the account the attacker controls. This process is called privilege escalation. A typical example would be raising privileges from a standard user to an administrator on a Windows system, or exploiting a web application to access admin functionality as a standard user.

Pivoting

Pivoting is the process of using a compromised machine to gain access to other machines within the organisation. For example, if a machine is compromised it may be possible to route traffic through this machine and gain access to machines that would normally be blocked by firewalls and network segmentation.

This process helps an organisation understand how far an attacker could advance within the organisation from an externally compromised machine.

Data Exfiltration

Proof that sensitive data could be accessed is taken but not stored by the penetration tester. This helps the organisation understand the risk of a breach by identifying what data an attacker could obtain if the organisation were compromised.

Vulnerability Assessment and Penetration Testing (VAPT)

Manual security testing leverages industry-standard automated tools, both commercial and open source, to help the tester identify common vulnerabilities or security issues and to assist the testing process. Testing which combines vulnerability assessment and penetration testing methodologies is commonly referred to as VAPT.

We hope you found this article useful and now understand a bit more about what penetration testing is. You can read more about security testing at: https://www.aptive.co.uk/penetration-testing/
