Get to Know Penetration Testing
Learning Objectives
After completing this unit, you’ll be able to:
- Define penetration testing terms.
- Explain the purpose of penetration testing.
- List the phases of penetration testing.
- Identify the different approaches to penetration testing.
Penetration Testing Glossary
As a penetration tester, you are responsible for stamping out security weaknesses in an organization’s systems. Let’s take a look at some terminology before we dig deeper.
Term | Definition |
---|---|
Penetration testing | A method of security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security controls of an application, system, or network |
Network discovery | The process of discovering active hosts on a network, identifying weaknesses, and learning how the network is designed |
Port scanner | A program that can remotely determine which ports on a system are open, and whether systems allow connections through those ports |
Rules of engagement (ROE) | The detailed guidelines and constraints regarding the execution of penetration testing |
Target | An application, business process, IT infrastructure, environment, or system that the tester attempts to penetrate |
Vulnerability | A weakness in an automated system’s security procedures, administrative controls, internal controls, and so on, that a threat could exploit |
Exploit | A piece of code the penetration tester uses to take advantage of a vulnerability in the target system |
Enumeration | The process a penetration tester uses to query specific systems to gather as much information as possible about potential entry points; those entry points are then either verified or disproved during the exploitation phase |
Attack vector | A path or means by which an attacker can gain access to a computer or network server in order to deliver a payload |
Payload | The component of the attack that the penetration tester uses to cause harm to the victim, compromising the confidentiality, integrity, or availability of the system |
Shell | A piece of code or a script running on a server that enables running commands on the system |
Goals and Benefits of Penetration Testing
As a penetration tester, you’re responsible for being an expert in real-world threats, attack paths, and vulnerabilities. You assess an organization’s resilience to real-world attacks and produce reports that help the organization better protect itself. Penetration testing is a great tool to help organizations secure their infrastructure, networks, applications, systems, and data.
Penetration testing can also help organizations better understand where to focus their limited time and resources in mitigating threats. For example, an organization could be trying to decide whether to make a security investment to increase staff for the organization’s security operations center, or to implement two-factor authentication for all network logins.
Pinpointing where the most critical vulnerabilities lie, through penetration testing, can help organizations make better and more informed decisions. Penetration testing can help paint a picture of holistic cyber risk by pointing out how a weakness in one business system can lead to a breach in other connected technologies.
Penetration Testing Phases
In conducting penetration testing, you typically follow four phases.
Phase | Definition |
---|---|
Plan | Covers all pre-engagement activities in preparation for an upcoming penetration test |
Discover | Begins testing and involves information gathering and scanning for vulnerabilities |
Attack | Verifies previously identified vulnerabilities through exploitation |
Report | Occurs simultaneously with the other phases for evidence collection, and consists of documenting the ROEs, the steps taken during the test, and the results |
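The rules of engagement from the glossary and the Plan and Report phases above are easiest to see in working code. The following Python example is added here and is not part of the original unit: it is a small engagement guard that checks every intended test action against the scope agreed in the Plan phase (authorized CIDR blocks, excluded hosts, permitted ports, and a testing window) and keeps a timestamped evidence log, with evidence stored as a SHA-256 hash, so the Report phase has a complete record of what was attempted, what was blocked, and why. The ROE format, the class and function names, and the RFC 5737 documentation addresses and dates are assumptions constructed for this example.

```python
"""Engagement guard: enforce ROE scope before any test action and keep an
evidence log for the Report phase.

Added illustration, not part of the original unit. The ROE structure and all
sample values below are assumptions constructed for this example.
"""
from __future__ import annotations

import hashlib
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class RulesOfEngagement:
    """Constraints agreed with the client in the Plan phase (assumed format)."""
    in_scope: tuple[str, ...]        # CIDR blocks the client authorized
    excluded: tuple[str, ...]        # hosts or blocks carved out of scope
    allowed_ports: frozenset[int]    # services the client agreed may be probed
    window_start: datetime           # agreed testing window, in UTC
    window_end: datetime

    def check(self, host: str, port: int, when: datetime) -> tuple[bool, str]:
        """Return (allowed, reason). Every test action passes through here first."""
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return False, f"{host!r} is not an IP address; resolve it and re-check"
        if not (self.window_start <= when <= self.window_end):
            return False, "outside the agreed testing window"
        # Exclusions win over scope: an excluded host inside a scoped block stays off-limits.
        if any(addr in ipaddress.ip_network(n) for n in self.excluded):
            return False, f"{host} is explicitly excluded by the ROE"
        if not any(addr in ipaddress.ip_network(n) for n in self.in_scope):
            return False, f"{host} is not in any authorized scope block"
        if port not in self.allowed_ports:
            return False, f"port {port} is not on the agreed service list"
        return True, "in scope"


@dataclass
class EvidenceLog:
    """Append-only record kept throughout Discover and Attack for the Report phase."""
    roe: RulesOfEngagement
    entries: list[dict] = field(default_factory=list)

    def record(self, phase: str, host: str, port: int, action: str,
               evidence: bytes, when: datetime) -> dict:
        """Check the ROE, then log the decision whether or not the action was allowed."""
        allowed, reason = self.roe.check(host, port, when)
        entry = {
            "time": when.isoformat(),
            "phase": phase,
            "target": f"{host}:{port}",
            "action": action,
            "performed": allowed,
            "roe_decision": reason,
            # Store a hash rather than raw bytes so the log can be shared with the client.
            "evidence_sha256": hashlib.sha256(evidence).hexdigest() if allowed else None,
        }
        self.entries.append(entry)
        return entry

    def blocked(self) -> list[dict]:
        """Actions the guard refused; these belong in the report as scope decisions."""
        return [e for e in self.entries if not e["performed"]]


def demo() -> EvidenceLog:
    """Run the guard over a few constructed actions; every value is illustrative."""
    roe = RulesOfEngagement(
        in_scope=("192.0.2.0/24", "198.51.100.0/25"),   # RFC 5737 documentation ranges
        excluded=("192.0.2.10/32",),                     # e.g. a fragile production host
        allowed_ports=frozenset({22, 80, 443}),
        window_start=datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc),
        window_end=datetime(2024, 1, 12, 17, 0, tzinfo=timezone.utc),
    )
    log = EvidenceLog(roe)
    t = datetime(2024, 1, 9, 10, 30, tzinfo=timezone.utc)
    log.record("Discover", "192.0.2.25", 443, "TLS banner grab", b"constructed banner", t)
    log.record("Discover", "192.0.2.10", 22, "SSH version check", b"", t)   # excluded host
    log.record("Discover", "203.0.113.5", 80, "HTTP HEAD", b"", t)         # out of scope
    log.record("Attack", "192.0.2.25", 8080, "admin panel probe", b"", t)   # port not agreed
    log.record("Attack", "192.0.2.25", 443, "verify finding", b"x",
               datetime(2024, 1, 13, 10, 0, tzinfo=timezone.utc))        # after the window
    return log


if __name__ == "__main__":
    for e in demo().entries:
        print(e["phase"], e["target"], "->", e["roe_decision"])
```

Running the script logs five attempted actions, of which only the first is performed; the other four are refused for an excluded host, an out-of-scope address, a port that was not agreed, and a time outside the window, and each refusal is recorded with its reason so the report can show that the test stayed inside the ROE.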
Types of Penetration Testers
In general, there are three types of penetration testers. We review each type but spend most of our time focused on the ethical hacker.
Malicious Hacker
Erika is a malicious hacker targeting a stock trading and investment application. She attempts to gain unauthorized entry into the application to exploit it for malicious reasons. She does not have permission or authority to perform these actions. She tries to inflict damage by compromising the security systems that monitor the application, altering the function of the application, or shutting down the application entirely. She does so to steal or gain access to passwords, financial information, and other personal data.
Gray Hat
As in life, there are gray areas. Gray hat hackers are a blend of both malicious hacker and ethical hacker activities. Often, gray hat hackers look for vulnerabilities in a system without the owner’s permission or knowledge. If issues are found, they report them to the owner, sometimes requesting a small fee to fix the issue. If the owner does not respond or comply, then sometimes the hackers post the newly found exploit online for the world to see.
Derek is a gray hat hacker targeting a cybersecurity company. He’s decided to target this company because it was the source of a breach in the past, and he wants to test how well the company is now protecting its customers, as part of his own research. He tries to exploit the company’s systems in a similar way to Erika, but does so without any malicious intent. Derek discloses any loopholes and vulnerabilities he finds to the company. Derek likes to surf the net and hack into computer systems to notify the owners that their system contains one or more vulnerabilities that must be fixed immediately.
Ethical Hacker
Melonia is an ethical hacker who works with a nonprofit organization to strengthen the security of its systems. She has permission to engage with the organization’s systems and to compromise them within the prescribed ROEs. Melonia specializes in penetration testing tools, techniques, and methodologies, and enjoys helping to secure the organization’s information systems. She probes the organization’s network and systems, looking for vulnerabilities and ways to exploit them, but only when she is legally permitted to do so. She always discloses each vulnerability she finds.
Penetration Test Style
There are three different styles you can use to conduct a penetration test: black box, gray box, and white box. Let’s cover these in more detail.
Black Box
In a black box test, you conduct the assessment with no prior knowledge of the target environment. You may have high-level data such as the company or organization’s name, but no other relevant information. In this type of test, you do not perform any code examination in internal environments. A black-box penetration test determines the vulnerabilities in a system that are exploitable from outside the network.
Gray Box
In a gray box penetration test, also known as a translucent box test, you have only limited information about the target. Usually this takes the form of login credentials. Gray box testing is useful to help understand the level of access a privileged user could gain and the potential damage they could cause.
White Box
In a white box test, you have full knowledge of the target environment, including the systems, networks, operating systems, IP addresses, source code, and more. Having this knowledge reduces the cost and time of the test, as you don’t need to perform reconnaissance to ascertain target information. This type of test is a simulation of an internal attack. The purpose of white box testing is to identify potential weaknesses in various areas such as logical vulnerabilities, potential security exposures, security misconfigurations, poorly written development code, and a lack of defensive measures.
Penetration Testing Methodologies
As a penetration tester, you should be familiar with the different methodologies you can use to perform penetration tests. Let’s take a closer look.
Penetration Testing Execution Standard (PTES)
A team of information security practitioners developed this penetration testing methodology with the aim of addressing the need for a complete and up-to-date standard in penetration testing. In addition to guiding security professionals, it also attempts to inform businesses about what they should expect from a penetration test and guides them in scoping and negotiating successful projects. The process includes pre-engagement interactions, intelligence gathering, and threat modeling.
Open-Source Security Testing Methodology Manual (OSSTMM)
This is a complete methodology for the testing, analysis, and measurement of operational security toward building the best possible security defenses. It’s a peer-reviewed methodology for security testing, maintained by the Institute for Security and Open Methodologies (ISECOM). It provides guidance on how to test the operational security of five channels (Human Security, Physical Security, Wireless Communications, Telecommunications, and Data Networks) so that organizations can understand the full extent of their security and determine how well their security processes actually function.
Information System Security Assessment Framework (ISSAF)
This is a structured and specialized approach to penetration testing that enables a tester to meticulously plan and document every step of the penetration testing procedure, from planning and assessment to reporting and destroying artifacts. For each vulnerable area of your system, ISSAF offers some complementary information, various vectors of attack, as well as possible results when the penetration tester exploits the vulnerability.
These are just a few examples of methodologies to keep in mind. Others include the National Institute of Standards and Technology (NIST) guidelines and the Open Web Application Security Project (OWASP) methodology.
Sum It Up
Now you understand more about penetration testing terms, goals, and methodologies. In the next unit, you learn more about the responsibilities and qualifications of a penetration tester, and discover the skills that help penetration testers succeed.
Resources
- External Site: NIST: Penetration Testing
- External Site: Penetration Testing Execution Standard
- PDF: NIST: Technical Guide to Information Security Testing and Assessment
- External Site: Medium: Penetration Testing — All The Terms You Need To Know
- PDF: CREST International: A guide for running an effective Penetration Testing programme
- External Site: Infosec Institute: Penetration Testing Benefits
- PDF: SANS Institute: Conducting a Penetration Test on an Organization
- PDF: ISECOM: The Open Source Security Testing Methodology Manual