Penetration Testing
What is a Penetration Test?
Penetration Testing Methods
WHITE BOX TESTING
In white box testing, the client shares its IT architecture and information with the penetration tester or vendor, from network maps to credentials. This type of test commonly focuses on priority assets to verify their weaknesses and flaws.
BLACK BOX TESTING
In black box testing, the client does not share any information with the penetration tester. The tester has to identify and map the full network, its systems, the operating systems, and digital assets, as well as the entire digital attack surface of the company.
GREY BOX TESTING
In gray box testing, the client shares specific information with the penetration tester who is trying to exploit the system. Gray box tests usually simulate what an attack would look like once an attacker has already obtained some information or access to the network. Typically, the data shared is a set of login credentials.
Types of Penetration Tests
NETWORK TESTS
Network tests cover both internal and external network security. External tests use publicly available information and seek to exploit the externally exposed assets an organization holds; internal tests simulate attacks that originate from within the network. Internal and external network testing is the most common type of test. Penetration testers try to bypass firewalls, test routers, evade intrusion detection and prevention systems (IDS/IPS), scan for open ports and proxy services, and look for all types of network vulnerabilities.
SOCIAL ENGINEERING TESTS
Social engineering is a technique used by cyber criminals to trick users into giving away credentials or sensitive information. Attackers usually contact workers, targeting those with administrative or high-level access via email, calls, social media, and other approaches. While automated phishing tests can help security teams, penetration testers can go much further and use the same social engineering tools criminals use.
WEB APPLICATION TESTS
The goal of a web application test is to compromise the web application itself and report the possible consequences of the breach. Web application tests cover web apps, browsers, ActiveX, plugins, Silverlight, scriptlets, and applets. Application programming interfaces (APIs) are also part of this test, along with XML, MySQL, Oracle, and other connections and back-end systems. Mobile web applications also need to be tested in their own environments.
WIRELESS NETWORKS
Wireless networks connect endpoints, IoT devices, and more. Penetration testers verify wireless encryption protocols, check for beacons, confirm traffic, search for access points and hotspots, and test for MAC address spoofing. They also try to brute force passwords and exploit misconfigurations. Penetration tests additionally check that the system is resilient to denial-of-service (DoS) attacks, in which a site is flooded with traffic to force it to crash.
PHYSICAL AND EDGE COMPUTING TESTS
White hat hackers will test door security systems, access cards, locks, cameras, and sensors as well as attempt to impersonate personnel. They will also verify how safe devices, data centers, and edge computer networks are when an attacker can physically access them. These tests can also be executed with the full knowledge of the security team or without it.
CLOUD SECURITY TESTS
Penetration tests in the cloud require advance notice to the cloud provider, because some areas of the system may be off-limits to white hat hackers. Cloud penetration tests examine security, applications and APIs, access, storage, encryption, virtual machines (VMs), operating systems (OSs) and updates, Secure Shell (SSH) and Remote Desktop Protocol (RDP) remote administration, and misconfigurations and passwords.
Penetration Testing Phases
A penetration test typically involves the following phases. Since different types of penetration tests have distinct purposes and scopes, a specific penetration test may focus more heavily on some of these phases or omit others.
Pre-engagement
In the pre-engagement phase, the tester and client define the scope of the penetration test, such as which systems will be tested, which methods the tester will use, and any additional goals and legal implications.
Reconnaissance
Reconnaissance requires the tester to collect as much information on the testing subject as possible, including personnel, technology, and systems information.
Threat Modeling
After collecting sufficient information on the client's system, testers model the realistic threats the client will face, then scan for the vulnerabilities in the system that those attacks would normally target.
Exploitation
All identified vulnerabilities are exploited at this stage, in accordance with the scope outlined in the pre-engagement phase.
Post-exploitation
Once the testing time has run out or all relevant systems have been exploited, all testing methods and vulnerabilities, including the associated devices, ports, or personnel, are recorded.
Reporting
The tester generates a penetration testing report for the client that describes the methods that were used, which vulnerabilities were exploited, what remedial actions should be undertaken, and any other relevant information.
Re-testing
After the client has had time to resolve the vulnerabilities outlined in the initial report, the tester can return to run the same penetration tests on the client's system and verify that the vulnerabilities have been resolved. This phase is less common but may be requested by the client.
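The pre-engagement phase above fixes the boundaries that every later phase must respect: which address ranges may be tested, which hosts are explicitly excluded, and when testing may take place. The following is an added example, not code from the original page, showing how a testing team can enforce those boundaries mechanically before any traffic is sent. The rules-of-engagement text format (`include`, `exclude`, `window` directives), the `Scope` class and the functions `parse_scope`, `check_target` and `filter_targets` are all assumptions made for this example; the addresses come from the RFC 5737 and RFC 3849 documentation ranges and are constructed sample data.

```python
"""Scope enforcement for a penetration test engagement (added example).

Assumed input: a small rules-of-engagement file listing in-scope networks,
explicitly excluded hosts, and the agreed testing window. Every target is
checked against these rules before any test traffic is generated, so that an
out-of-scope host or an off-hours run is rejected instead of tested.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time
import ipaddress
from typing import Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample rules of engagement (documentation address ranges only).
SAMPLE_SCOPE = """
# in-scope ranges agreed with the client
include 203.0.113.0/24
include 2001:db8:1::/48
# production database host is off-limits
exclude 203.0.113.250
# testing only permitted overnight, local time (crosses midnight)
window 22:00-06:00
"""


@dataclass(frozen=True)
class Scope:
    included: tuple[IPNetwork, ...]
    excluded: tuple[IPNetwork, ...]
    window_start: time
    window_end: time


def parse_scope(text: str) -> Scope:
    """Parse the assumed include/exclude/window directive format."""
    included: list[IPNetwork] = []
    excluded: list[IPNetwork] = []
    start, end = time(0, 0), time(23, 59, 59)  # default: whole day
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        keyword, _, value = line.partition(" ")
        value = value.strip()
        if keyword == "include":
            included.append(ipaddress.ip_network(value, strict=False))
        elif keyword == "exclude":
            excluded.append(ipaddress.ip_network(value, strict=False))
        elif keyword == "window":
            first, last = value.split("-")
            start, end = time.fromisoformat(first), time.fromisoformat(last)
        else:
            raise ValueError(f"unknown scope directive: {keyword!r}")
    if not included:
        raise ValueError("scope defines no in-scope ranges")
    return Scope(tuple(included), tuple(excluded), start, end)


def in_window(scope: Scope, when: datetime) -> bool:
    """True if the wall-clock time falls inside the agreed testing window."""
    t = when.time()
    if scope.window_start <= scope.window_end:
        return scope.window_start <= t <= scope.window_end
    # Window crosses midnight (e.g. 22:00-06:00): either side of it counts.
    return t >= scope.window_start or t <= scope.window_end


def check_target(scope: Scope, target: str, when: datetime) -> tuple[bool, str]:
    """Decide whether a single target may be tested now, with a reason."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return False, "not an IP address"
    # Exclusions always win over inclusions, however the ranges overlap.
    if any(ip in net for net in scope.excluded):
        return False, "explicitly excluded"
    if not any(ip in net for net in scope.included):
        return False, "outside agreed ranges"
    if not in_window(scope, when):
        return False, "outside testing window"
    return True, "ok"


def filter_targets(
    scope: Scope, targets: list[str], when: datetime
) -> tuple[list[str], list[tuple[str, str]]]:
    """Split a target list into those allowed now and those rejected (with reasons)."""
    allowed: list[str] = []
    rejected: list[tuple[str, str]] = []
    for target in targets:
        ok, reason = check_target(scope, target, when)
        if ok:
            allowed.append(target)
        else:
            rejected.append((target, reason))
    return allowed, rejected


if __name__ == "__main__":
    scope = parse_scope(SAMPLE_SCOPE)
    candidates = ["203.0.113.10", "203.0.113.250", "198.51.100.5", "2001:db8:1::5"]
    allowed, rejected = filter_targets(scope, candidates, datetime.now())
    print("allowed:", allowed)
    for target, reason in rejected:
        print(f"rejected {target}: {reason}")
```

Running the check against the clock as well as the address list matters in practice: a scan launched from a scheduler or a CI job can easily fire outside the agreed window, and the client's own monitoring team will treat it as a real attack unless it was expected.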