Knowing your security weaknesses and vulnerabilities is vital. Penetration tests are an effective way to identify vulnerabilities that attackers may exploit to breach your system, network, or applications and steal valuable information.
A penetration test – also called a “pentest” – is the process of ethical hackers mounting planned attacks against a company’s computer system, network, or applications. This is done to identify vulnerabilities that need to be addressed. Penetration tests may be done by penetration testers employed in the organization or external firms hired to conduct the tests. Various regulatory frameworks – such as PCI DSS v3.0 – mandate penetration tests be conducted on a periodic basis to maintain compliance.
Network penetration tests are the most common type of penetration test. They aim to identify vulnerabilities on your network, such as misconfigured firewalls. Attackers that manage to penetrate your network will move laterally within your organization to escalate their privileges until they have the credentials to achieve their goal. A network penetration test will identify likely attack vectors so you may defend against them.
Application penetration tests identify vulnerabilities in applications that may present attackers with a vector to steal sensitive information. Common application vulnerabilities include SQL injection and Cross-Site Request Forgery (CSRF). One of the most common use cases for application penetration testing is to augment the Web Application Firewall (WAF). By understanding the vulnerabilities of your applications, you can create defense in depth that augments your other security controls. In addition to using penetration tests to protect your organization’s data, it is a good idea for software companies to test the applications their users interact with, to ensure those applications protect their users’ data as if it were the company’s own.
Also known as physical intrusion testing, this type of penetration test identifies opportunities to compromise the physical barriers of your company, including sensors, cameras, and locks. The goal of a physical penetration test is to identify weaknesses in your physical security controls. This is often done at important locations such as data centers, substations, or offices. Identifying these weaknesses and taking appropriate actions to remediate them will prevent unauthorized individuals from entering your premises and compromising assets.
This type of penetration test identifies hardware or software vulnerabilities in connected devices that are not covered in a standard network penetration test, including products your company sells. Common weaknesses in devices include unencrypted data at rest or use of insecure protocols – especially those that transfer unencrypted data. These tests will illuminate vulnerabilities you may then defend against to limit the number of vectors from connected devices.
Information gathering is the planning stage of a penetration test. It involves the research and reconnaissance of the target. Preliminary research is done to identify vectors for an attack. Information gathering builds the foundation for the penetration test. It provides the testers with information about the environment so they may begin to develop a blueprint for the attack.
Threat modeling is the process of pairing what is known about the environment with likely motivations and techniques of threat actors. The resulting stories provide a framework by which the penetration testing team can model their activities in order to be representative of an actual threat actor.
Vulnerability analysis is the process of discovering vulnerabilities in the target assets using various tools. Vulnerability and network scanners are commonly used to perform initial vulnerability detection for manual analysis by the testers. More extensive background research may be warranted, especially for physical and IoT penetration tests. The outcome of this step is to solidify the attack vector by determining the specific vulnerabilities to exploit.
This is the most important step in penetration testing. Exploitation is the actual simulation of a real attack on the network to document and exploit vulnerabilities. This is done to not only demonstrate ways in which defenses might be defeated, but also to examine the consequences of such an attack. Understanding the implications of a breach is vital information when it comes to determining where to allocate resources.
Post-Exploitation is the period in which the attackers move laterally in the environment to find, collect and exfiltrate the data they desire. Generally this phase also entails covering their tracks through the manipulation of log data. Additionally, the attackers will seek to install mechanisms to achieve “persistence,” or the ability to easily restore their access to the network if one method of access is cut off.
Reporting is the final stage of penetration testing. This involves outlining the findings of the penetration test and providing workable suggestions for fixing the vulnerabilities. The goal is to clearly present findings that should be remediated. An effective report will tell the story of the penetration test so those responsible for remediating findings understand what needs to be fixed, how to do so, and why it’s important.
Cyber security is an ever-evolving landscape. Its evolution includes the tactics and techniques attackers use to breach defenses. Not only that, but nation-state and criminal hackers are more motivated than ever to exploit weaknesses. Your defenses must also evolve if you wish to successfully thwart attacks. Penetration tests are the key to understanding the ways in which your security program must evolve. In conclusion, there are 4 key benefits to conducting penetration tests: