What is Penetration testing?


It’s no secret that technology is advancing at a rapid pace. In today’s society technology has become an essential part of our daily lives. Part of this means that cybersecurity is also becoming a more crucial element in the modern environment. Now, there are many aspects of cybersecurity. Penetration testing, or pen testing, is one of them.

So what’s penetration testing?

Penetration testing is the process where a cybersecurity expert searches and exploits a system’s vulnerabilities. This procedure is an authorized simulated cyberattack. In other words, it is performed in a simulated environment with the authority of the system owner.

One might think that it would make sense to have the developers perform penetration testing themselves. While it’s not unnatural to go this route, oftentimes developers may miss certain blind spots and leave vulnerabilities exposed. Of course, that’s not to say vulnerabilities in a system are always through the developers. There are several reasons that a system can contain vulnerabilities. Regardless, it’s always recommended that an expert on the subject perform penetration testing.

There is more than one way to do penetration testing

There are some Operating Systems that enable penetration testing capabilities. Systems such as Kali Linux, BlackArch and BackBox come with preconfigured tools for pen tests. With regard to penetration testing itself, there are different types of pen tests.

White box pen tests

This is where the tester is provided certain information with regards to the target company’s system, before the actual test itself. This information can range from network configurations, passwords, to source codes.

One of the benefits of white-box testing is that it tends to be more thorough than the other methods (which we will get to). Since certain information about the system is known beforehand, this allows the test to expand into areas in the system that may not be possible otherwise. For example, assessing the quality of the code.

But, this type of testing can sometimes be unrealistic to an actual attack. Why? Because a real attacker may approach a system’s vulnerabilities different to that of a tester. The tester already owns information about the system before conducting the penetration test.

Black box pen test

This is the opposite of white-box testing. Here, no background information about the target system is given. Hence, this method is quicker to execute as it depends on the tester’s skill and know-how on exploiting vulnerabilities.

Since this approach takes the perspective of an uninformed attacker, there’s a downside of certain parts of the system going untested. This wouldn’t be the case of white box pen-testing.

There is also a form of mixed white box testing and black-box testing. This is called grey box penetration testing. This is where only partial information is provided by the target company. The idea is that the tester is simulating an environment where an attacker has illegitimately obtained certain information of the company.

Covert pen test

This is like black box pen tests, with one small but significant difference. The target company has no knowledge of the penetration test. This includes the IT department as well. Yet, one important thing to note here is that all relevant details about the test should be available in writing before the test. Thereby, avoiding any potential legal ramifications with this approach.

Internal and external pen test

As the term implies, an internal pen test carries out the test within the company’s internal network. This determines the extent of damage that could be done exploiting vulnerabilities while limited to the company’s firewall.

External pen test occurs outside the company’s internal network, both literally and figuratively. This would assess the external assets of the company for any vulnerabilities.

Manual and automated penetration testing

Of course, another way of looking at penetration testing is manual testing and automated testing. Manual testing requires expert professionals to run the test. Automated testing allows for less experienced testers to perform pen tests via automated tools. Another variation is that automated testing has centralized and standard tools. Manual testing requires programs like Excel and other related tools to keep track of the entire process.

The penetration testing process

Regardless of the type of penetration test, they all go through the same stages. The first is called reconnaissance. This is where all possible information about the target system is gathered. Next comes the scanning phase. Here, all the available technical tools and methodologies are utilized to expand the initial findings from the previous stage.

The third stage is all about gaining access. The combined findings of the first 2 stages are used to exploit the vulnerabilities of the system. The operation is done by using what is called a “payload”. Simply put, a payload can be anything from altering data, logging keystrokes to installing adware. Tools such as Metasploit allows for automated attacks on known vulnerabilities.

Once access is gained, the next stage would be to maintain the gained access. This is important as it helps the tester to obtain as much data as possible. At this phase, the process may not necessarily be limited to software. It can also extend to hardware as well. For example, it could be a small device that could be fixed into a network that would enable the tester to gain remote access to a particular network.

Finally, the tester must be able to cover his/her tracks once the “maintaining access” phase of the process is complete. The pen test would be successful as long as the tester succeeds in remaining anonymous.

What happens after a pen test?

The post-testing phase is perhaps the most vital component of the process. All the intense testing in the world would mean nothing if preventive measures aren’t taken. Thereby, once complete, the tester would share findings with the target company. Based on this information, the relevant actions will be taken. This could be as basic as setting necessary company standards at a policy level. It could also be as specific as protecting the company network from automated brute force attacks and DDoS attacks. Either way, what’s important is to discover vulnerabilities and patch them. Thus, keeping the security of the tested system up to date.

Cybersecurity is no longer an optional choice in today’s business environment. It’s in fact, a core part of a business strategy today. Penetration testing is one of the many mechanisms that allow an organization to strengthen its existing technological infrastructure. Countries like the U.S. and the U. K. have already standardized penetration tests. This is either via independent government bodies or professional bodies.