What is a Penetration Test?

Penetration testing (also known as pen-test or pentesting) is the practice of simulating attacks on computer services or infrastructures to evaluate their security.

Security testers act as real hackers searching for security vulnerabilities that attackers could exploit to retrieve sensitive data, delete files, disrupt services, or generally gain access to computer systems they would not normally be able to access.

In this article we look at what goes into designing and executing a penetration test.

What is a Penetration Test

It is important to know what a penetration test is, as it is not equivalent to a vulnerability assessment! These two practices have different purposes and are conducted with different tools and methods.

Further information is available on our Vulnerability Assessment service page.

Although penetration testing may at first look like an unstructured attempt to break into an infrastructure, in practice each security aspect is analyzed methodically and then documented in detail in a report.

There are, in fact, some internationally recognized penetration testing frameworks and methodologies that focus on different security aspects and adapt to different scenarios and purposes.

An example is the OSSTMM standard for pentesting; the manual can be read for free at https://www.isecom.org/OSSTMM.3.pdf

The purpose of these tests is to discover security vulnerabilities and analyze the impact that potential access could have.

A penetration test can determine how a system reacts to an attack, whether it is possible to breach a system's defenses, and what information can be obtained from the system. (Source: The CISSP® and CAP℠ Prep Guide, see References.)

The Phases of a Penetration Test

Pre-Engagement Interactions

This is the first step of any pentest: the tester discusses the objectives and purpose of the test, and its legal aspects, directly with the client.

This phase is crucial to ensure that every action performed by the team is fully legal and to agree on the most suitable methodologies.

Open Source Intelligence Gathering

Gathering information about the client (OSINT) provides the starting point for the test.

Depending on the kind of pentest to be conducted, OSINT gathering techniques can be more or less conventional. In a purely IT pentest, this usually involves online searches with specialized tools, or social engineering.

Vulnerability Identification

Based on the information gathered, testers can find and evaluate potential attack vectors.

This phase usually relies on automated tools that highlight possible vulnerabilities.

Exploitation

At this point, testers can attempt attacks against the vectors found in the previous step.

Possible attacks are varied, numerous, and can involve very different technologies.

Some of these attacks may be aimed at gaining access to a system, others at exfiltrating data, and still others at causing system malfunctions. It is important to have clearly defined the limits of the engagement in step 1 (Pre-Engagement Interactions) to avoid misunderstandings during this phase.

Post-Exploitation

After the attack, testers must gather the data needed for a risk analysis, i.e., assess what kind of damage they could have caused to the attacked infrastructure.

Additionally, during this phase, testers need to remove all traces of their attack, such as installed software or created accounts.

Report

Testers must provide detailed documentation regarding attack vectors, completed attacks, and risk analysis. The document must also include recommendations for the client on how to make the attacked infrastructure more secure.

Although these steps are not codified in a standard, a reputable penetration tester will follow them more or less closely or, for specific kinds of tests, will propose adapting the workflow to the client's needs.

As IT systems become increasingly central to business, conducting quality penetration tests becomes essential to avoid reputational damage or, more concretely, monetary losses.

Fines from the data protection authority, compromise of web-based services, or access to industrial secrets by third parties are just some of the possible consequences of a cyber attack; the scenarios in which a security breach can lead to financial losses are endless.

For this reason, conducting penetration tests should be considered an investment.

What Factors Does a Pentest Evaluate?

It is important to know that there are many types of pentests, and not all of them focus on computer and network security.

The OSSTMM manual mentioned above defines the channels to be tested: in addition to communications and information security, these include electromagnetic spectrum security and physical security.

Different types of penetration tests evaluate different aspects of an infrastructure's security. Penetration testing is increasingly associated exclusively with the IT meaning of the term; however, "ethical hacking" testing involves testers acting as malicious hackers would, and therefore, depending on the target, it can involve every aspect of this practice.

Although ethical hacking can be limited to the IT field, it is not uncommon to see tests that include radio interception equipment or actual attempts to break into buildings in order to carry out an attack.

A practice often associated with these tests is social engineering, which is the manipulation of people to obtain information or access to critical infrastructures.

To return to the question: what factors does a pentest evaluate?

The answer heavily depends on the penetration testers you turn to and the penetration testing frameworks and methodologies they employ.

It is important to evaluate which methodology best suits the security testing you want to achieve, and then turn to professionals who can guarantee quality testing according to the specifications you wish to adopt.

It should be noted, however, that if specific tests are needed, they can be carried out even outside the classic penetration testing methodologies. Consider, for example, penetration testing of IoT infrastructures or of mobile applications, for which no real standards have yet been developed.

Conclusions

Penetration testing encompasses practices that can differ greatly from one another; it is not limited to IT and uses different methodologies to evaluate the security of networks, systems, infrastructures, and buildings.

Although there are manuals that exhaustively describe the steps to follow to conduct a penetration test, it is possible that new technologies or new types of infrastructure are not covered in the standards available at a given time. For this reason, it is important to turn to a competent penetration tester who can evaluate security according to the client's requirements, no matter how "unusual".

To proceed with a penetration test, it is advisable to:

  • Understand your testing needs, then choose a testing methodology that suits them. If a methodology proves incomplete or unsuitable, outline your requirements and consult a penetration tester about feasibility;

  • Evaluate the methods you want to use to complete the testing;

  • Start the Pre-Engagement Interactions phase to assess the requirements in detail and initiate the testing.

A penetration test can allow a company to avoid cybersecurity incidents that can be costly in economic terms and can tarnish the company's reputation. For this reason, security testing should be considered an investment.

References:

The CISSP® and CAP℠ Prep Guide: Platinum Edition, John Wiley & Sons, ISBN 978-0-470-00792-1

ISECOM research (OSSTMM): https://www.isecom.org/research.html

U.S. Department of the Interior, Penetration Testing: https://www.doi.gov/ocio/customers/penetration-testing
