In this article, we will talk in detail about what a penetration test is, tell you how it is carried out and what stages it includes. You will learn about types of penetration tests, strategies, methods and methodologies. You will also understand why the choice of a contractor directly affects the reliability of your information security system.
What is a penetration test?
A penetration test or pentest is one of the main techniques used to identify areas of a system that are vulnerable to intrusion and compromise. The testing process itself includes deliberate attacks on the system that can reveal its weakest areas, as well as security gaps. That is, a group of pentesters act as real hackers and use system vulnerabilities to gain administrative access or access to specific information.
Goals of a pen test
Typically, the goal of a penetration test is to identify the maximum number of real vulnerabilities in order to close them quickly, and to test the vigilance of company employees. Carrying out such a broad task therefore requires a combination of different tools, approaches and methods.
Benefits of a penetration test:
- identification of shortcomings in the architecture of the system itself and methods of ensuring its security;
- identification of flaws and vulnerabilities in the security system, including small ones, which by themselves do not greatly affect security but together or in combination can pose a real security threat;
- flexibility that allows you to simulate almost any possible hacker attack as realistically as possible.
At the same time, a penetration test can be a time-consuming and therefore costly undertaking. In addition, this procedure does not guarantee the complete security of the enterprise infrastructure, or the prevention of future vulnerabilities. It should also be taken into account that the choice of a contractor has a direct impact on the quality of the penetration test itself, and therefore on the conclusions based on which changes will be made to the information security system.
Main types of penetration testing
Network penetration test
Carried out to detect any possible way of gaining access to the network or a system. There is external and internal testing. External testing looks for vulnerabilities that can be exploited over the Internet. Internal testing models the situation in which attackers have already managed to gain a foothold inside the network.
Wireless networks pentest
Pentesters test wireless networks, applications, and services, including their various components and functions. This is an important part of the penetration test as wireless networks are potentially vulnerable due to their openness. By gaining access to them, hackers can gain access to corporate resources as well as to critical areas of the infrastructure.
Web application penetration testing
This test detects security holes in websites and web applications. Cross-site scripting (XSS), broken authentication and other security issues can be found in the process. These tests are quite demanding, as there are many browsers and browser extensions to account for.
Mobile application penetration testing
During this test, vulnerabilities are searched for in the executable files of applications that run on mobile devices, as well as in the corresponding functions from the server side. Vulnerabilities can include problems with authentication, authorization, problems with cryptography, etc.
Cloud pen testing
Because cloud infrastructure is consumed as a service rather than owned as physical equipment, pentesting cloud environments is very different from pentesting traditional on-premises environments. This test is carried out in accordance with the legal and technical requirements of the cloud service provider. It also requires a special set of skills and experience on the part of the pentesters to study the various aspects of the cloud thoroughly: configurations, APIs, encryption, the various databases, etc.
Physical penetration testing
To prevent physical access and the theft of equipment and information, locks, doors, cameras, sensors, fences, windows, security guards and the security system as a whole are checked. Having gained access to cameras or various sensors, attackers can bypass them or use them to their advantage. The same applies to unreliable locks, to where servers and restricted areas are placed within the building, and to how access to them is controlled.
Social engineering penetration testing
A large share of attacks are based on social engineering. Attackers use phishing to deceive employees of the enterprise and obtain certain information and confidential data, which they then use to access the organization’s systems. Pentesters do the same in order to identify the employees who need to work on their mistakes or receive appropriate anti-phishing training.
Penetration testing tools
There are no universal tools for penetration testing. The reason is obvious: each pentest is unique and requires a different set of tools. However, all of them can be divided into several categories:
- Tools for reconnaissance, detection of network hosts and open ports;
- Vulnerability scanners;
- Proxy tools;
- Network exploitation tools for access to information assets;
- Post-exploitation tools to deepen interaction with the system and maintain access to it.
Penetration testing strategies
External testing
This strategy involves working with the organization’s externally visible servers or devices, including domain name servers, email servers, web servers or firewalls. The task is to find out how likely it is that an attacker can get inside the network, and how far they could get if they gain access.
Internal testing
Such a pentest simulates an attack from within the network. It is not necessarily about a disgruntled employee who has decided to harm the company. The scenario usually modeled is one in which an employee’s account credentials were stolen by phishing.
Blind testing
A real attack is simulated in which the testers have only a limited amount of information. For example, the penetration test can be started when the experts know only the name of the company; all other information they have to obtain on their own. Such testing is complex and extensive, and simulates a real hacker attack very closely. Only experienced pentesters with the appropriate skills and equipment can perform it well. Since such a test usually requires a significant amount of time to prepare and carry out, it can be quite costly.
Double blind testing
Such a test provides an assessment not only of the level of system security, but also of how the information security team will cope with a real attack and counteract it. Such a test is usually known only to the top management of the company.
Targeted testing
In this case, pentesters work together with the information security team. This can be compared to a training exercise, since everyone knows what is happening and coordinates their actions in real time.
Penetration testing stages
In this section, we will take a detailed look at the sequence of actions during testing. Conventionally, a penetration test can be divided into several stages:
- Reconnaissance and search for targets;
- Search for vulnerabilities;
- Gaining access;
- Expansion of privileges;
- Configuration analysis;
- Analysis of the results and preparation of a report.
Reconnaissance and search for targets
This is a preparatory stage during which the most detailed possible information about the system and its security-related attributes is collected and analyzed. This data is then used to plan the attack and to make the penetration test of the system efficient and effective.
This stage may be absent from the project if the testing is internal, or if the customer has given the pentesters a list of targets to check. When an external penetration test is carried out, the testers conduct reconnaissance over the Internet. The more information pentesters can gather, the more effective they can be.
They usually explore:
- information resources of the company: they learn the structure of the organization, domain names, e-mail addresses, and also find out which networks are registered to the customer, which Internet providers it uses, whether the company has resources with third-level domains, etc.;
- websites of IT solution providers: to find out what these providers have delivered to the customer company;
- social networks of the company and its employees: this point is especially carefully approached if the pentest includes elements of social engineering;
- job sites: job descriptions often describe what kind of people and what skills the company needs, including what technologies it uses.
As a result, pentesters build up a picture of which technologies the company uses, which IT service providers it works with, and what its employees do and how they live.
Search for vulnerabilities
Vulnerability scanning allows pentesters to examine the infrastructure of an enterprise and obtain preliminary information about problem areas in protection. After that, experts begin to search for vulnerabilities and study their combinations. It is worth noting here that all potential security weaknesses can only be identified after gaining access to administrative accounts. Therefore, in order to find the maximum possible number of vulnerabilities, pentesters also conduct repeated scans.
Gaining access
To cause serious damage, an attacker must penetrate deep into the enterprise infrastructure. To gain access to the system, pentesters use the methods most suitable for each case: a vulnerability, SQL injection, malicious software, social engineering, physically infiltrating the enterprise, or other penetration testing methods and combinations of them.
Expansion of privileges
Having gained access to a system, pentesters try to gain a foothold in it, and see if they can expand their influence within this system, or throughout the entire infrastructure of the enterprise.
Configuration analysis
After gaining administrative access to the system, pentesters can conduct a deep analysis of the configuration of the enterprise IT infrastructure components. To learn in detail how the whole system is arranged, they study the vendors’ documentation for its components, consult expert opinions about these components, and determine the overall security level of the system.
At this stage, pentesters are looking for really dangerous vulnerabilities, and try to use them to simulate theft, change or deletion of data, transfer of funds, or simply damage to the company’s reputation.
Therefore, pentesters carry out:
- launching exploits;
- traffic interception;
- password guessing and cracking of password hashes;
- attempts to inject SQL code, or implement cross-site scripting (XSS);
- other actions, in accordance with the specifics of the specific infrastructure of the enterprise.
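Two of the items above, SQL injection and cross-site scripting, are among the findings that most often reach the report. The following is an added example, not code from this article or from ESKA: using Python’s built-in sqlite3 and html modules and a constructed in-memory user table, it places the vulnerable form of each beside its hardened form and wraps both in a regression check that a development team can run after fixing the finding, so the fix can be confirmed rather than assumed. The function and table names are assumptions made for the example.

```python
import html
import sqlite3

# Constructed sample data: a tiny user table standing in for a real
# application database (not from the article).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable lookup: the input is concatenated into the SQL text, so any
    quote character in it becomes SQL syntax instead of data."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened lookup: the input travels as a bound parameter and is only ever
    compared as a value, whatever characters it contains."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def greeting_unsafe(name: str) -> str:
    """Vulnerable rendering: user input is interpolated into HTML verbatim."""
    return f"<p>Hello, {name}!</p>"


def greeting_safe(name: str) -> str:
    """Hardened rendering: HTML metacharacters are escaped before interpolation."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def regression_check(sqli_payload: str, xss_payload: str) -> dict:
    """Run the same inputs through the vulnerable and hardened paths and report
    whether the weakness is present in the old code and absent in the new.
    Meant to live in the team's own test suite after a finding is fixed."""
    conn = build_db()
    try:
        unsafe_rows = find_user_unsafe(conn, sqli_payload)
        safe_rows = find_user_safe(conn, sqli_payload)
    finally:
        conn.close()
    unsafe_html = greeting_unsafe(xss_payload)
    safe_html = greeting_safe(xss_payload)
    return {
        # The old query leaks every row although no user has that name.
        "sqli_vulnerable_before": len(unsafe_rows) == len(SAMPLE_USERS),
        # The bound parameter matches nothing, because no such user exists.
        "sqli_fixed": safe_rows == [],
        # The raw tag is gone from the escaped output but present in the old one.
        "xss_fixed": "<script" not in safe_html and "<script" in unsafe_html,
        "unsafe_rows": unsafe_rows,
        "safe_rows": safe_rows,
        "safe_html": safe_html,
    }


if __name__ == "__main__":
    # Constructed test inputs: the textbook tautology and a script tag.
    result = regression_check("' OR '1'='1", "<script>alert('xss')</script>")
    for key, value in result.items():
        print(f"{key}: {value}")
```

The two hardened functions are the entire fix: a bound parameter for the query and html.escape() for the output. The check deliberately keeps the vulnerable versions beside them so the test proves both that the weakness existed and that it no longer does, which is the evidence a report reader wants when a finding is marked as closed.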
This is how pentesters identify real vulnerabilities that could potentially be exploited by attackers, and also look at what harm they could cause using these vulnerabilities.
This is perhaps the most important stage of the pentest. When hiring people for this work, find out everything about their experience and skills. After all, the choice of contractor determines whether the maximum possible number of vulnerabilities will be identified and, accordingly, whether they will be eliminated later.
Analysis of the results and preparation of a report
This is the final stage of the penetration test. Experts analyze the test results and combine them into a report that describes:
- vulnerabilities that were used to simulate damage;
- list of information accessed;
- time spent on work and the period of time during which pentesters remained unnoticed in the system;
- proposals for eliminating deficiencies and security gaps;
- other information, as agreed with the customer.
Afterwards, the report can be used by the enterprise information security team to configure the system, extend protection, close gaps and vulnerabilities, rehearse response actions for real attacks, and so on.
Penetration testing methodologies
A fairly large number of methodologies, sets of rules and procedures, technologies and recommendations are used internationally in penetration testing. A methodology is a set of closely related methods and techniques, while a method is a specific procedure or tool. Highly qualified specialists usually have experience with many methodologies and standards. For a better understanding, we briefly review some of the methodologies below.
Pentest methodology OSSTMM
The Open Source Security Testing Methodology Manual (OSSTMM) is a largely formalized and structured methodology that governs almost every aspect of a pentest. It focuses mainly on testing computer networks. It allows you to build a clear plan and a scale for assessing the level of information security. A test under this methodology is detailed and comprehensive, and its results are based on facts.
Pentest methodology ISSAF
The Information System Security Assessment Framework (ISSAF) was developed as a standard for the internal audit of organizations. It clearly sets out recommendations for conducting a pentest and contains a detailed description of utilities and of the ways they can be used. It is one of the most complex and detailed methodologies, both in a theoretical and a practical sense, but at the same time one of the most popular. It is used to check the information security of a wide variety of companies.
Pentest methodology OWASP
The Open Web Application Security Project (OWASP) methodology is focused on testing web applications and describes the pentest process itself in detail. In fact, it is the only detailed methodology that is narrowly focused specifically on web applications. OWASP can be used both at the stage of a preliminary security assessment of web applications and during their development, to test individual security capabilities and functions.
Pentest methodology PTES
The Penetration Testing Execution Standard (PTES) is registered as a standard only in the USA. It contains recommendations for conducting a baseline penetration test for companies with high information security requirements. Its main advantage is that it makes it possible to define the goals, objectives and expectations of the pentest clearly and in detail.
Pentest methodology NIST
The Technical Guide to Information Security Testing and Assessment is a standard developed by one of the divisions of the National Institute of Standards and Technology (NIST). It can be used both at the stage of a preliminary security assessment and at the stage of testing individual information security capabilities and functions.
The frequency and severity of security breaches are increasing year by year, so the importance of penetration tests cannot be overemphasized. This is one of the pillars on which the information security of enterprises rests. Therefore, it is so important to responsibly approach the choice of a contractor for this work.
If you have any questions or doubts, please note that ESKA experts are certified providers of external and internal network penetration testing services. Contact us right now to get detailed advice and have your system checked for vulnerabilities. You can also scan your website for free and get a report on its critical vulnerabilities.