Penetration testing is basically looking for security holes or weaknesses in a computer network or a system.
This activity is carried out as part of a security assessment and will involve the use of various tools, techniques, and methods to identify security vulnerabilities within a network or system.
The term “penetration testing” has become almost synonymous with “white-box testing”, an informal term used for the various ways a vulnerability can be identified and is often used interchangeably with white-box security testing. Penetration testing, however, has its own nuances and is usually considered a subset of black-box testing.
Objectives and Benefits of Penetration Testing
With penetration testing, a business can find out if the security measures it has put in place are working as expected. This takes the guesswork out of the equation. The penetration tester will have to act out what an attacker would do and show that they were able to break into the critical systems they were trying to get into. Hence, it takes an ethical hacking approach.
In the most successful penetration tests, the tester can prove without a doubt that the vulnerabilities found will cause a big drop in revenue if they aren’t fixed. Think of the impact that you would have if you could prove to the client that practically anyone in the world has easy access to their most confidential information!
Penetration testing requires a higher skill level than is needed for vulnerability analysis. This generally means that the price of a penetration test will be much higher than that of a vulnerability analysis. If you are unable to penetrate the network, you will be ensuring your clientele that their systems are secure to the best of your knowledge. If you want to sleep well at night, I suggest you do everything you can to ensure your clients are safe.
How Does Penetration Testing Work?
The pentester begins with a network diagram to identify the areas of interest and potential vectors of attack. The pentester may conduct a manual assessment to identify the weaknesses or conduct an automated scan and review. When conducting an automated scan, the pentester will use a variety of web-based vulnerability scanners that perform a range of tests on your network.
For instance, one common test, open redirector, determines whether an endpoint has been configured to automatically route network traffic through an insecure HTTP proxy. A vulnerable HTTP proxy, which is typically used to monitor and mitigate traffic to external websites, allows attackers to capture the session cookies of your web browser, which could be used in further attacks.
The most common vulnerability, known as the “default gateway” issue, occurs when Internet-bound traffic is directed through a weak or non-existent proxy. A typical example is the default gateway not having a proxy listening on its public IP address, so the next-hop router simply routes traffic to the external Internet. In this case, if a user clicks on a malicious link or opens an email, the attacker can capture the session cookie or steal the cookie file for your email account.
These tests are automated, and the results may be analyzed to identify which components need remediation. A security audit typically involves a review of the configuration of servers, networks, firewalls and web browsers, which may then be targeted for a specific attack. Penetration tests are similar but take this a step further by identifying and addressing potential vulnerabilities.
Advanced Penetration Testing
Some environment will be more secure than others. You will be faced with environments that use:
• Effective patch management procedures
• Managed system configuration hardening policies
• Multi-layered DMZ’s
• Centralized security log management
• Host-based security controls
• Wireless intrusion detection or prevention systems
• Web application intrusion detection or prevention systems
Effective use of these controls significantly increases a penetration test’s difficulty level significantly. Clients need to be completely confident that these security mechanisms and procedures can protect their systems’ integrity, confidentiality, and availability. They also need to understand that, at times, the reason an attacker can compromise a system is due to configuration errors or poorly designed IT architecture.
Note that there is no such thing as a panacea in security. As penetration testers, we must look at all angles of the problem and make the client aware of anything that allows an attacker to affect their business adversely.
Advanced penetration testing goes above and beyond standard penetration testing by using the latest security research and exploitation methods. The goal should be to prove that sensitive data and systems are protected even from a targeted attack and, if that is not the case, to ensure that the client is provided with the proper instruction on what needs to be changed to make it so.
A penetration testing (pentesting) audit is a structured set of skills designed to identify various weaknesses in an organization’s technical and physical security controls. This type of audit is sometimes performed by security software developers and IT support staff, but many organizations of all sizes are now performing their own penetration tests.