Today we look at a crucial tool used to analyse the security of IT systems. This short penetration testing guide will advise on how to maximise your pen testing efforts.
What is it?
Penetration testing is a powerful tool used for gaining assurance in an organisation’s management processes. Testers essentially adopt the techniques of cyber-criminals before then attempting to breach some or all of a system’s security.
It can be very expensive as it provides a truly robust vulnerability assessment. A good way to view pen testing is that it is similar in fashion to an audit. You are responsible for day-to-day business processes, then an external team will examine them to ensure they are sufficient.
Ideally, a penetration test should be used to confirm the vulnerabilities in your system that you are already aware of. Of course, more experienced pen testers will often uncover previously unknown issues. However, your objective should be to maintain robust IT security efforts all year round. Typically, pen tests are carried out annually and should therefore definitely not be the sole basis of your security strategy.
Penetration testing types
These depend upon how you interpret the word ‘type’. Here we are adopting an objective-led stance:
- Testing detection and response capabilities (scenario-driven)
- Identifying vulnerabilities (scenario-driven)
- Detecting vulnerabilities in niche / bespoke systems or software
If you view ‘what’ is being tested as defining the type, you might say the following:
- Client side penetration testing (deployed to discover vulnerabilities or security weaknesses in client side applications)
- Network services (a common pen test used to uncover the most exposed vulnerabilities and security weaknesses in the network infrastructure. This includes servers, firewalls, switches, routers, printers and workstations)
- Physical penetration testing (evaluates physical barriers which might be compromised. These include locks, cameras and sensors)
- Social engineering (testers attempt to persuade or trick users into giving them sensitive information, such as a username or password)
- Web application (targets web based applications, browsers and components such as ActiveX, Plugins and Silverlight)
- Wireless (analyses wi-fi plus the connections between all devices connected to it, i.e., laptops, tablets and smartphones)
Approaches to penetration testing
There are various approaches that can be taken when pen testing, including:
- White box (the tester has full knowledge of a system plus access to source code etc.)
- Black box (the tester is given little or no information)
- Grey box (the pen tester is provided with partial knowledge or access)
The first approach generally delivers an in-depth security audit of the systems. As the pen tester is given as much detail as possible, white box tests are more thorough.
Black box pen tests are used to effectively simulate a real-world attack and can take up to 6 weeks to complete. As such, they can be very expensive – depending upon the initial scope.
Grey box tests are often carried out to evaluate software code and system architecture diagrams. As such, they are typically more focused and efficient than other tests.
A typical penetration test
Having read this penetration testing guide, you now know what a penetration test is. You have heard about some of the different types and what can be tested. You’re familiar with some of the different approaches taken, too. Let’s look at a typical test to further aid our understanding. Here we shall assume that you have internal management processes and vulnerability assessments in place.
Scoping
A representative from the penetration testing team must initially scope the test out with all the relevant risk owners. Anyone with technical knowledge of the system should also be involved. Objectives are to be set and any specifics discussed, including technical boundaries and key vulnerabilities to watch for. The pen test team will then identify how the testing should be conducted. The scoping stage is also where a current vulnerability assessment is shared and special requirements discussed. For example, out-of-hours testing may be necessary due to the nature of the business. Finally, a detailed plan of action must be drawn up and agreed upon by all parties.
Testing
During the testing phase, there are certain considerations to keep in mind:
- You should ensure that a technical point of contact is available at all times
- It is important to be aware that the scope may require changes
Reporting
A typical report should include:
- Any security issues found with a resolution for each one
- Feedback on the accuracy of the current vulnerability assessment
- Advice on making improvements
- Analysis on vulnerabilities found and the level of risk they pose the business (see below)
Severity rating
Some pen testers adopt the Common Vulnerability Scoring System (CVSS). To simplify things, many assign the following levels of severity:
- Critical
- High
- Medium
- Low
Follow up
After a penetration test has been performed, you should conduct your own assessment. You should look more closely into vulnerabilities that you were previously unaware of. Take the resolutions from the pen testers on board but by all means investigate alternatives.
We hope you found our simple penetration testing guide useful. You can find out more about our penetration testing services here. Do get in touch if you would like to book something in with our CREST-accredited team.