Penetration Testing Overview
Introduction
A Penetration Test (Pentest) is an organized, targeted, and authorized attack attempt to test IT infrastructure and its defenders to determine their susceptibility to IT security vulnerabilities.
A pentest aims to uncover and identify ALL vulnerabilities in the systems under investigation and improve the security for the tested systems.
Other assessments, such as a red team assessment, may be scenario-based and focus on only the vulnerabilities leveraged to reach a specific end goal (i.e., accessing the CEO's email inbox or obtaining a flag planted on a critical server).
In general, it is also a part of risk management for a company.
During a pentest, we prepare detailed documentation on the steps taken and the results achieved. However, it is the client's responsibility or the operator of their systems under investigation to rectify the vulnerabilities found.
Our role is as trusted advisors to report vulnerabilities, detailed reproduction steps, and provide appropriate remediation recommendations, but we do not go in and apply patches or make code changes, etc.
A successful pentest requires a considerable amount of organization and preparation. There must be a straightforward process model that we can follow and, at the same time, adapt to the needs of our clients, as every environment we encounter will be different and have its own nuances.
In principle, employees are not informed about the upcoming penetration tests. However, managers may decide to inform their employees about the tests. This is because employees have a right to know when they have no expectation of privacy.
Risk Management
The main goal of IT security risk management is to identify, evaluate, and mitigate any potential risks that could damage the confidentiality, integrity, and availability of an organization's information systems and data and reduce the overall risk to an acceptable level.
However, we can eliminate not every risk. There's still the nature of the inherent risk of a security breach that is present even when the organization has taken all reasonable steps to manage the risk. Therefore, some risks will remain.
Inherent risk is the level of risk that is present even when the appropriate security controls are in place. Companies can accept, transfer, avoid and mitigate risks in various ways. For example, they can purchase insurance to cover certain risks, such as natural disasters or accidents.
Vulnerability Scanning
Vulnerability analysis is a generic term that can include vulnerability or security assessments and penetration tests.
In contrast to a penetration test, vulnerability or security assessments are performed using purely automated tools. Systems are checked against known issues and security vulnerabilities by running scanning tools like Nessus, Qualys, OpenVAS, and similar.
Testing Methods
Each pentest can be performed from two different perspectives:
External Penetration Testing
Many pentests are performed from an external perspective or as an anonymous user on the Internet.
We can perform testing from our own host (hopefully using a VPN connection to avoid our ISP blocking us) or from a VPS.
Some clients will not care about stealth, while others will request that we proceed as quietly as possible and approach the target systems to avoid being banned by the firewalls and IDS/IPS systems and avoid triggering an alarm.
Internal Penetration Testing
An internal pentest is when we perform testing from within the corporate network.
This stage may be executed after successfully penetrating the corporate network via the external pentest or starting from an assumed breach scenario.
Internal pentests may also access isolated systems with no internet access whatsoever, which usually requires our physical presence at the client's facility.
Types of Penetration Testing
This type determines how much information is made available to us.
Blackbox
Minimal. Only the essential information, such as IP addresses and domains, is provided.
Greybox
Extended. In this case, we are provided with additional information, such as specific URLs, hostnames, subnets, and similar.
Whitebox
Maximum. Here everything is disclosed to us. This gives us an internal view of the entire structure, which allows us to prepare an attack using internal information. We may be given detailed configurations, admin credentials, web application source code, etc.
Red-Teaming
May include physical testing and social engineering, among other things. Can be combined with any of the above types.
Purple-Teaming
It can be combined with any of the above types. However, it focuses on working closely with the defenders.
The less information we are provided with, the longer and more complex the approach will take.
Types of Testing Environments
Another consideration is what is to be tested
It can be any of these things:
Network
Web
App
Mobile
API
Thick Clients
IoT
Cloud
Source Code
Physical Security
Employees
Hosts
Server
Security Policies
Firewalls
IDS/IPS
Last updated