Penetration testing is the process of identifying security holes in your IT infrastructure by using the same skills and tools as an attacker. In other words, it is a security health check-up for your IT security.
Penetration testing can go under a number of different names depending upon the preference of the person or company you are speaking to. Some prefer the term “security assessment” instead of “penetration testing”; both mean exactly the same thing.
Penetration testing covers (but is by no means limited to) the following tasks:
- Port scanning identifies active services (or programs) on hosts.
- Vulnerability management identifies potential vulnerabilities on systems based on the installed software version of the operating system or applications.
- Penetration testing involves trying to take control over the systems and obtain data.
The differences between the three are easier to understand if you think of your network as a house:
- Port scanning is like counting the doors and windows on the house.
- Vulnerability management is like walking around the house and listing all the doors, windows and locks that are reportedly insecure based on the vendor and model information.
- Penetration testing is like trying to break into the house by picking the weak locks and smashing a window.
Why get a penetration test?
Why should you perform a penetration test? There are a number of different reasons, some of the popular ones being:
- Prevent data breaches: Since a penetration test simulates an unauthorised attack on the network infrastructure, you learn which systems are vulnerable to attack or could leak information.
- Reputation: Ensure you keep a good reputation. If you ever suffer a data breach or loss of service due to an attack, your company's reputation will suffer.
- Check security controls: Even though most (if not all) companies should have firewalls in place, a penetration test lets you check whether they are working as expected. If you have a dedicated IT team, it also tests whether they notice and act on the logs or alerts that the test generates.
- Testing the security of new applications: Every time a new application is installed in the corporate network, whether hosted by you or by a SaaS provider, it makes sense to conduct a security assessment, especially if the application handles sensitive data such as personal information.
- Compliance: Companies that handle personal or financial data will need to be compliant with standards such as PCI DSS. Part of this compliance is to undertake penetration tests.
How to conduct a Security Assessment: Typical steps
Every penetration tester and security company has a slightly different method of testing, and similarly, each security assessment is different depending upon the environment and the goals defined.
A typical penetration test goes through these stages:
- Goal: Setting the objective of the security assessment – what to scan and attempt to access.
- Reconnaissance: Finding out as much as possible about the target company and the systems being audited. This occurs both online and offline.
- Discovery: Port or vulnerability scanning of the IP ranges in question to learn more about the environment.
- Exploitation: Using the knowledge of vulnerabilities and systems gathered so far to gain access, either at the operating system or application level.
- Brute forcing: Testing all systems for weak passwords and gaining access where they are found.
- Taking Control: Accessing data on the machine, such as passwords, password hashes, screenshots and files.
- Gathering Evidence: Collecting screenshots, password hashes and files as proof that the penetration tester gained access.
- Reporting: Generating a report about how the penetration tester was able to breach the network and the information they were able to access.
- Remediation: Addressing the issues that enabled the penetration tester to enter the network. This is typically not done by the penetration tester but by other resources in the IT department.
Setting the Scope of a Penetration Test
Before asking anyone to come in and attack the company network, you need to ask yourself the following question: “What are the most important assets that your company needs to protect?” If you are in retail, it may be the database that stores all of your customers’ credit card numbers. If you are a software vendor, it may be your source code. If you are a bank, it may be your online banking application.
Once the most precious assets have been identified, you can instruct the penetration testing company to try to access those key systems as a priority over any other systems. This will make the engagement much more realistic and have a greater impact.
If you are conducting a penetration test for compliance reasons, such as PCI DSS, then the goal should be to access the systems inside the PCI scope to extract cardholder data.
How to Safely Conduct Penetration Tests
In the same way that you wouldn’t let just anyone work on your company network and systems, you should ensure that the person or company carrying out the penetration test on your systems is qualified to do so. There are a number of levels of certification that can be obtained, depending upon the criteria required. If in doubt, ask for references from past projects.
Some companies feel the need to restrict the penetration test to development systems that mimic the production systems. This is common when the production system is unstable or the risks of running an active penetration test are very high. This method of testing has some drawbacks: the production systems will in most cases be slightly different from the development systems. Whether the difference is due to different patches being installed on the host or application, or to firewall rule changes, these differences may be critical to the overall effectiveness of the test.