Get to Know Penetration Testing
Learning Objectives
After completing this unit, you’ll be able to:
- Define penetration testing terms.
- Explain the purpose of penetration testing.
- List the phases of penetration testing.
- Identify the different approaches to penetration testing.
Before diving into penetration testing, you should have a basic understanding of vulnerability scanning, common vulnerabilities, and security testing. We recommend that you first complete the Get Started with Vulnerability Assessment trail before you begin this module.
Penetration Testing Glossary
As a penetration tester, you are responsible for testing, identifying and recommending mitigations for security weaknesses in an organization’s digital systems. Let’s take a look at some terminology before we dig deeper.
| Term | Definition |
|---|---|
|
Penetration testing |
A simulated cyber-attack against computer systems to identify exploitable vulnerabilities |
|
Network discovery |
Identifying active hosts on a network, and understanding the network's design and weaknesses |
|
Port scanner |
A tool used to identify open ports on a system and determine if systems allow connections through those ports |
|
Rules of engagement (ROE) |
The detailed guidelines and constraints regarding the execution of penetration testing within legal and ethical boundaries |
|
Target |
An application, business process, IT infrastructure, environment, or system that the tester attempts to penetrate |
|
Vulnerability |
A security gap in automated systems’ security procedures, administrative controls, internet controls, and so on, that can be exploited |
|
Exploit |
A piece of code or a tool used to take advantage of a vulnerability in the target system |
|
Enumeration |
Actively connecting to systems to gather detailed information about entry points |
|
Attack vector |
A path or method used to gain access to a system or network |
|
Payload |
Data used to carry out a malicious act on a system or network (e.g., executable file, malware, script, exploit code) |
|
Shell |
A piece of code or a script that enables command execution on a target system |
Goals and Benefits of Penetration Testing
As a penetration tester, you’re responsible for being an expert in real-world threats, attack paths, and vulnerabilities. You assess an organization’s resilience to real-world attacks and produce reports that help the organization better protect itself. Penetration testing is an invaluable tool to help organizations secure their infrastructure, networks, applications, systems, and data, but also for ensuring compliance with various regulations and standards such as General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI-DSS). This compliance aspect is critical as it helps organizations meet legal obligations and avoid hefty penalties.
Penetration testing can also help organizations better understand where to focus their limited time and resources in mitigating threats. For example, an organization deliberating between increasing staff for the organization’s security operations center, or implementing two-factor authentication for all network logins can make a more informed decision based on the insights gained from penetration tests.
These tests pinpoint the most critical system and network vulnerabilities enabling organizations to prioritize their security efforts. Penetration testing can help paint a picture of holistic cyber risk by pointing out how a weakness in one business system can lead to a breach in other connected technologies.
Penetration Testing Phases
In conducting penetration testing, you typically follow five phases.
| Phase | Definition | Example Activity | Example Tools |
|---|---|---|---|
| Permission | Ensures explicit authorization to test from the network and/or system owner before commencing any penetration testing activities | Signing a contract or agreement that clearly authorizes the test and defines its scope, boundaries, and limitations | Contract management tools to ensure clear documentation of communication and agreements |
|
Plan |
Involves defining the scope and goals of the test, including the systems to be tested and the testing methods to be used |
Identifying specific systems within the agreed scope and gathering publicly available information about them | WHOIS, nslookup for domain information and Google Dorks for advanced search queries |
|
Discover |
Involves gathering information to identify vulnerable hosts, ports, and network services |
Running port and vulnerability scans on the identified systems | Nmap for network mapping, Nessus or OpenVAS for vulnerability scanning |
|
Gain Access |
Involves exploiting vulnerabilities within the agreed scope to gain access to the system or network, simulating an attacker’s actions |
Exploiting a known vulnerability to access a network | Metasploit for exploiting vulnerabilities |
|
Report |
Occurs simultaneously with other phases for evidence collection, and consists of documenting the ROEs, steps taken during the test, results, and recommended risk responses (e.g., mitigate, avoid, transfer, accept) |
Preparing a comprehensive report detailing the findings and recommendations | DRADIS framework for pentesting collaboration and reporting |
Penetration Test Styles
Penetration testing is strictly governed by legal and ethical standards. Unlike the illegal and unethical hacking activities conducted by malicious or black hat hackers penetration testing must always be authorized by the system or network owner. Any unauthorized testing, even if not intended for harm, can be considered illegal under laws such as the Computer Fraud and Abuse Act (CFAA) in the United States.
Here's an overview of types of penetration testing:
Black Box
In a black box test, you conduct the assessment with no prior knowledge of the target environment. You may have high-level data such as the company or organization’s name, but no other relevant information.
Advantage: Helps the business understand what vulnerabilities are exposed to an external attacker and assess the effectiveness of the organization’s external defenses.
Gray Box
In a gray box penetration test, also known as a translucent box test, you have only limited information about the target. It includes both external and internal aspects of the system but with some inside knowledge like architectural diagrams or login credentials.
Advantage: Provides a balanced view of security from an external and internal perspective. It’s useful for assessing how far an attacker can penetrate with limited knowledge.
White Box
In a white box test, you have full knowledge of the target environment, including the systems, networks, operating systems, IP addresses and source code. Having this knowledge reduces the cost and time of the test, as you don’t need to involve any reconnaissance to ascertain target information. This type of test is a simulation of an internal attack.
Advantage: Identifies hidden vulnerabilities that require internal knowledge to exploit.
Penetration Testing Methodologies
As a penetration tester, you should be familiar with the different methodologies you can use to perform penetration tests. Let’s take a closer look.
Penetration Testing Execution Standard (PTES)
A team of information security practitioners developed this penetration testing method with the aim of addressing the need for a complete and up-to-date standard in penetration testing. In addition to guiding security professionals, it also attempts to inform businesses about what they should expect from a penetration test and guides them in scoping and negotiating successful projects. The process includes preengagement interactions, intelligence gathering, and threat modeling.
Open-Source Security Testing Methodology Manual (OSSTMM)
This is a complete methodology for the testing, analysis, and measurement of operational security toward building the best possible security defenses. It’s a peer-reviewed methodology for security testing, maintained by the Institute for Security and Open Methodologies (ISECOM). It provides guidance on how to test the operational security of five channels (Human Security, Physical Security, Wireless Communications, Telecommunications, and Data Networks) so that organizations can understand the full extent of their security and determine how well their security processes actually function.
Information System Security Assessment Framework (ISSAF)
This is a structured and specialized approach to penetration testing that enables a tester to meticulously plan and document every step of the penetration testing procedure, from planning and assessment to reporting and destroying artifacts. For each vulnerable area of your system, ISSAF offers some complementary information, various vectors of attack, as well as possible results when the penetration tester exploits the vulnerability.
These are just a few examples of methodologies to keep in mind. Others include the National Institute of Standards and Technologies (NIST) guidelines and the Open Web Application Security Project (OWASP) methodology.
Sum It Up
Now you understand more about penetration testing terms, goals, and methodologies. In the next unit, you learn more about the responsibilities and qualifications of a penetration tester, and discover the skills that help penetration testers succeed.
Resources
- External Site: NIST: Penetration Testing
- External Site: Penetration Testing Execution Standard
- External Site: Medium: Penetration Testing — All The Terms You Need To Know
- PDF: ISECOM: The Open Source Security Testing Methodology Manual
- External Site: SecureIdeas: What are the ethical and legal considerations for penetration testing?
- External Site: OWASP: Penetration Testing Methodologies
- External Site: NIST: NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment
