What is Penetration Testing?
Posted by Peter Bassill on 18/11/2021
What is Penetration Testing
Penetration is a mixture of science and art. Penetration testing identifies security weaknesses or holes in people, processes and systems. Pentesting helps ensure that the appropriate security measures are in place to secure data and maintain functionality. Since penetration testing is crucial for the modern business owner, we have tried to cover everything needed to learn. We've prepared this tutorial to understand the basics of Penetration Testing and know how to use it at work.
In this blog article, you'll get to know "What is Pen-Testing and why is it required? " along with its benefits and the limitations.
What is Penetration Testing?Penetration testing comes in three primary flavours (although others exist), Black, Grey and White box testing. The black-box testing approach proposes to make authorized attempts to violate a system's security and integrity, application, network or database. Grey box testing is very much the same as black-box testing but starts with more information from the client. Pentesting aims to discover and document in an actionable report the security weaknesses, vulnerabilitys and security misconfigurations that can be indentified in people, process and technology. So these can be addressed before they are compromised by criminals.
Although it has many names, "Pentesting" is the most common term used. What ever you are calling it, the goals of a penetration test is to expose weak links introduced into People, Process and Technology through vulnerabilities, misconfigurations and bad practises.
hat is a Penetration Tester?
The person running, actively engaged in a penetration test is a penetration tester or pentester. A pentester is a often a highly talented and skilled individual normally from the edge fringes of the IT industry. While there are some pentesters who wear suits and dress for business, these are by far in the minority. The same is said for hoodies. While Hollywood and TV love to portray a "hacker" as an evil entity in a hoodie, most of us pentesters are presentable in our comfy smart casual dress. Pentesters will spend upwards of 12 hours a day working on their assigned pentest and comfort is key.
The Phases of a Penetration Test
Penetration Tests are broken into a seven phases.
Reconnaissance: Collecting information from opensource and closedsource origins prior to testing starting.
Scanning and Enumeration: Identifying the potential entry points into the target system thorugh automated and manual scanning.
Gaining access: The most complicated phase of testing. Gaining access iterates through Vulnerability Analysis (defining, locating, and classifying vulnerabilities computer, network, or application.) and Exploitation (exploiting the identified vulnerabilities to compromise a system and expose it to further attacks).
Gaining a Foothold: Once access to a system is obtained, a foothold is created that can be returned to at a later time. Sometimes called a beachhead. A foothold allows for persistance.
Privilage Elevation: Gaining administrative level privilegses using local vulnerabilities and security weaknessess and misconfigurations, as well as credential harvesting.
Data Exfiltration: The exfiltration of data (actual or simulated depending on the scope of the engagement) to a staging area for analysis.
Report Writing: For the client this is the most important phase as it is the tangible output from the engegement. It should be writted to the clients level of knowledge and understanding and should be writted with care and love.
It is worth mentioning that there is an eighth phase. The eighth phase is a cyclical phase called the Pivot. The Pivot is starts at the Privilege Escalation phase and loops a cyclical process back to the Gaining Access phase. Essentially, once permissions are escalated on a compromised system, the pentest will attempt to gain access to other systems from that compromised system. This is how we walk through the clients networks.
What is Vulnerability?
A vulnerability can be anything. It is in essence a security flaw in software, hardware, people or process. It is an error that leaves a "thing" vulnerable to attack. The vulnerability could be as simple as a flaw in a checking process that allows paperwork to be handled badly, it could be a weak password or a user not knowing how to protect data when travelling.
What is an exploit?
An exploit is something that takes advantage of a vulnerability. It could be a software program or a service designed to turn a vulnerability into an opportunity to gain unauthorized entry. It could be an attacker following an employee home and monitoring their laptop in the mirrored glass of a train window at night. It is something that provides access assets that others should not have access to. Most exploits are technical and come in the form of a payload designed to penetrate the target system and grant access to an intruder.
What is a payload?
A payload is often a piece of computer code that enables an unauthorized person or system access to a something with the help of an exploit. Payloads are typically part of an exploit, and once the exploit has done its job of gaining access, the payload takes over and provides access to an unathorised user.
Why is Penetration Testing Required?
Penetration testing is cruicial for ensuring the safety and security of businesses. A pentest will verify the ability of technical systems as well as people to protect networks, applications, endpoints, and end users against threats.
Penetration testing helps in the connected world by:
- Identifying components in technical systems and processes in human systems that attackers could use to cause harm.
- Raising the knowledge level of managers and senior technical teams by working with pentesters can get to know the areas susceptible to attacks.
- Aiding in preventing criminal attacks and helping better guard information.
- Simulating malicious attacks in a controlled way so that could could occur to critical systems can be avoided.
- Helping to drive investment decisions for the enhancement of existing security controls in a risk led manner.
I hope you found this "What is Pentration Testing" article useful. If you did, please do feel free to share it on social media. It might help others too.
If you have any questions, please do reach out to either myself or my team. We are always on hand.