Penetration Testing World - Part 1

How does the pen testing world do penetration testing: Part 1

Madhu Akula
4 min read · Sep 21, 2016

When I joined Appsecco, one of the things I wanted to improve was doing penetration testing. While I have been fairly successful in bug bounties, I realised that I needed some sort of structured training and mentorship to be confident of my skills.

My colleagues (Akash Mahajan and Riyaz Walikar) suggested that I put the things I have learnt into a document which would help folks like me who are interested in learning penetration testing in a structured manner. This series of posts is my attempt at documenting while learning.

Please do give feedback, and also share with me your stories of how you started doing pen testing.

Penetration testing (also known as pen testing) is the way that companies and organisations simulate attacks like real intruders on their infrastructure, systems and people. Many organisations follow different methodologies to carry out penetration testing.

This post is about how companies large and small typically do pen testing, what standards they follow and software used to conduct pen testing. We will also look at what kind of networking resources are required.

Definitions of penetration testing according to multiple international standards

As per Wikipedia:

A penetration test, informally pen test, is an attack on a computer system that looks for security weaknesses, potentially gaining access to the computer’s features and data.

As per Open Web Application Security Project (OWASP):

Penetration testing has been a common technique used to test network security for many years. It is also commonly known as black box testing or ethical hacking. Penetration testing is essentially the art of testing a running application remotely, without knowing the inner workings of the application itself, to find security vulnerabilities.

As per Core Security:

A penetration test, or pen test, is an attempt to evaluate the security of IT infrastructure by safely trying to exploit vulnerabilities. These vulnerabilities may exist in the operating system, services, in application flaws, improper configurations, or risky end-user behaviour. Such assessments are also useful in validating the efficacy of defensive mechanisms, as well as end-user adherence to security policies.

As per the popular website Penetration Testing Tools:

Penetration testing can be described as a legal and authorised attempt to locate and successfully and efficiently exploit computer systems for the purpose of understanding how to make those systems more secure and protected.

What is the difference between Penetration Testing & Vulnerability Assessment?

You may hear both of these terms commonly in the security world, so it is important to understand the difference between them.

A vulnerability assessment is limited to identifying the vulnerabilities in the system using automated and manual processes and reporting on them, without trying to exploit the vulnerabilities. On the other hand, a penetration test typically continues until you gain access to the system (or run out of ways to try) and achieve the objective of the penetration test, e.g. getting access to the domain controller or to sensitive information such as credit card data.

A vulnerability assessment validates the vulnerabilities existing in the environment using automated tools and then provides suggestions for mitigating everything it uncovers, whereas a pen test is used to examine an organisation's security threats from an attacker's perspective.

In my opinion this is more helpful, as security teams in organisations may not look at vulnerabilities the way external pen testers do. In some cases, pen testers can also make use of techniques like social engineering to exploit operational security issues in the organisation.

An excellent resource for understanding the difference is this blog post from Daniel Miessler.

Should we get penetration testing done?

I may seem biased about this answer since I work for a company offering security testing services, but let me make a case for this.

There are multiple reasons to conduct a penetration test. The main reason is often to find vulnerabilities and fix them before attackers do. It can be used to identify an organisation's security risks by exploiting the weaknesses of its systems and controls. It also helps test the defensive security mechanisms of an organisation, which include IDS, IPS, firewalls, etc.

It is also better to verify things using 'external eyes' looking into infrastructure and systems security, in order to fill the gaps in the organisation's current security posture. Another main reason to do penetration testing is that payment card industry, healthcare, compliance and regulatory bodies require penetration testing on regular schedules.

Is penetration testing done once or regularly?

It is important to do penetration testing regularly on a scheduled basis, which helps the organisation adhere to things like PCI compliance and regulations. Other important cases where penetration testing is required are when you are acquiring new companies and merging their systems with your own, when integrating new applications and services generally, when adding new infrastructure or applications to the network, and when releasing updates or new features to applications and systems.

One of the main reasons to do scheduled tests is to create an application and infrastructure security baseline which can provide more insight.

In my next post I will try to cover:

  • What are the activities as a part of penetration testing
  • Different methodologies in penetration testing

Here is Part 2 of this post, which includes more methodologies and a sample report format from real-world penetration testing.
