Understand the 360 Degrees of Penetration Testing: Why, When and How
Breaking through a company's security protections once required a great deal of time and skill. With today's tooling, finding an organization's loopholes has become far easier for cybercriminals, and enterprise networks face non-stop attacks. Your business, institute or organization could be targeted at any minute. Ignoring these vulnerabilities can lead to system breaches, loss of customers' personal data and, at the end of the day, damage to your reputation. Security and penetration testing is one of the most reliable ways to identify those exposures, so let's satisfy your curiosity and start talking about "Penetration Testing".
What is Penetration Testing?
Penetration testing is a common way for organizations to test their security maturity and identify potential vulnerabilities in a system (for example, application programming interfaces (APIs) or frontend/backend servers), network or application. Poor architectural design, weak coding, misconfiguration and similar causes are typically the root of such vulnerabilities. To uncover them, an ethical hacker performs the penetration test with the organization's authorization. The ultimate objective of penetration testing is to find exploitable security weaknesses before a real attacker does. Penetration testing can also be used to test an organization's security policy, its adherence to compliance requirements, its employees' security awareness and its ability to detect and respond to security incidents.
A penetration test typically proceeds in five main stages. Let's explore each of them in detail.
1. Planning and reconnaissance
This first stage involves defining the scope and goals of the test, including the systems to be addressed and the testing methods to be used, and gathering intelligence (for example, network ranges, domain names and mail servers) to understand how the target works and where its potential vulnerabilities lie. The scope and rules of engagement agreed here are what separate a legitimate test from an unauthorised attack, so they should be written down and signed off before any testing starts.
2. Scanning
This stage establishes how the target will react to various intrusion attempts. For applications it is typically done with two kinds of analysis, static and dynamic. Static analysis inspects an application's code to estimate how it will behave while running, scanning the entire code base in a single pass without executing it. Dynamic analysis examines the application in its running state; because it provides a real-time view of the application's actual behaviour, it is considered the more practical of the two, at the cost of covering only the code paths that are actually exercised. For network-scoped tests this stage also covers enumerating live hosts, open ports and service versions, which is what tools such as Zmap are used for.
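The network side of the scanning stage, as an added example that is not code from the original post: a minimal TCP connect scan with banner grabbing. To keep it self-contained and offline it starts a constructed fake service on 127.0.0.1 (the banner text is invented for the demonstration) and then scans a small window of ports around it. Against a real target the same loop would run over the agreed in-scope ports; the host, ports and banner below are all assumptions.

```python
"""TCP connect scan with banner grabbing.

Added example for the Scanning stage; not code from the original post.
It starts a constructed local listener that answers with a fake banner,
then scans a small port window on 127.0.0.1 and reports open ports.
"""
import socket
import threading
from typing import Dict, Iterable, Optional

# Constructed banner for the throwaway service (no real host behind it).
FAKE_BANNER = b"220 example.test ESMTP constructed-test-banner\r\n"


def start_fake_service(banner: bytes = FAKE_BANNER) -> int:
    """Start a throwaway TCP listener on an ephemeral port and return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        # Accept connections forever; each one just gets the banner and is closed.
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def probe_port(host: str, port: int, timeout: float = 0.5) -> Optional[bytes]:
    """Return the banner (possibly b"") if the port accepts a TCP connection,
    or None if the connection is refused, filtered or times out."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                return s.recv(256)
            except socket.timeout:
                return b""              # open but silent: server waits for the client to speak
    except (ConnectionRefusedError, socket.timeout, OSError):
        return None


def scan(host: str, ports: Iterable[int]) -> Dict[int, bytes]:
    """TCP connect scan: map every open port to the banner it sent."""
    results: Dict[int, bytes] = {}
    for port in ports:
        banner = probe_port(host, port)
        if banner is not None:
            results[port] = banner
    return results


if __name__ == "__main__":
    open_port = start_fake_service()
    # Scan a window around the fake service; its neighbours are normally closed.
    found = scan("127.0.0.1", range(open_port - 2, open_port + 3))
    for p, b in sorted(found.items()):
        print(f"{p}/tcp open  {b.decode(errors='replace').strip()}")
```

A connect scan completes the full TCP handshake, so it is noisy and will show up in the target's logs; that is acceptable in a targeted test but not in a double-blind engagement, where a tester would reach for the stealthier scan types that dedicated tools offer.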
3. Gaining access
Web application attacks such as cross-site scripting, SQL injection and backdoors are used at this stage to expose the target's vulnerabilities. Testers then try to exploit the vulnerabilities they found, typically by escalating privileges, stealing data or intercepting traffic, to understand the damage a real attacker could cause.
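One of the attacks named above, SQL injection, as an added example that is not code from the original post: a login query built by string concatenation next to the parameterised version that fixes it. The in-memory SQLite database, the users table, the fake password hashes and the bypass payload are all constructed for the demonstration.

```python
"""SQL injection: vulnerable query beside its parameterised fix.

Added example for the Gaining Access stage; not code from the original post.
Uses an in-memory SQLite database with a constructed users table so it runs
offline. Table, rows, hashes and the attack string are all made up.
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users with (deliberately fake) password hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-alice", "admin"), ("bob", "hash-bob", "user")],
    )
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, pw_hash: str) -> List[Tuple[str, str]]:
    """VULNERABLE: the query is assembled by concatenation, so attacker-controlled
    input becomes part of the SQL text itself."""
    query = (
        "SELECT username, role FROM users WHERE username = '"
        + username + "' AND pw_hash = '" + pw_hash + "'"
    )
    return db.execute(query).fetchall()


def login_fixed(db: sqlite3.Connection, username: str, pw_hash: str) -> List[Tuple[str, str]]:
    """FIXED: a parameterised query. The driver passes the values separately from
    the SQL text, so a quote inside the input can never terminate the literal."""
    query = "SELECT username, role FROM users WHERE username = ? AND pw_hash = ?"
    return db.execute(query, (username, pw_hash)).fetchall()


# Classic authentication-bypass payload: it closes the string literal, adds a
# condition that is always true, and comments out the password check.
BYPASS = "' OR '1'='1' --"


if __name__ == "__main__":
    db = make_db()
    # Vulnerable: the WHERE clause becomes  username = '' OR '1'='1' --...  and every row matches.
    print("vulnerable:", login_vulnerable(db, BYPASS, "wrong"))
    # Fixed: the whole payload is compared as a literal username and nothing matches.
    print("fixed:     ", login_fixed(db, BYPASS, "wrong"))
```

This is also the kind of defect the static analysis of the scanning stage is good at: the concatenation in `login_vulnerable` is visible without running anything, whereas dynamic analysis would only find it if the test happened to send a payload through that login form.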
4. Maintaining access
Here the tester checks whether the vulnerability can be used to attain a persistent presence in the exploited system, imitating advanced persistent threats, which remain in a system for months in order to extract an organization's sensitive data.
5. Analysis
In this final stage, the results of the penetration test are compiled into a report detailing the specific vulnerabilities that were exploited, the sensitive data that was accessed, what was used to successfully enter the system, which security weaknesses were identified, any other pertinent information and suggestions for remediation.
Why is Penetration Testing Important?
Nowadays an organization can't stay isolated without any online presence, and the more you expose your organization on the internet, the more vulnerable it becomes. Pen testing is important to your organization for the following reasons.
- It helps to identify and prioritize security risks
- It lets you manage vulnerabilities intelligently
- It supports a proactive security approach
- It verifies that existing security controls are working and shows where your security is strong
- It helps meet compliance and regulatory requirements
Penetration testing methods
- External testing
Targets the assets of an organization that are exposed to the internet, such as web applications, the company website, and email and domain name servers (DNS). The goal is to gain access and extract sensitive data.
- Internal testing
A tester with access to an application behind its firewall simulates an attack by a malicious insider. This does not necessarily mean a rogue employee; a common scenario is an employee whose credentials were stolen in a phishing attack.
- Blind testing
The tester is given only the name of the target enterprise. This gives security staff a real-time view of how an actual attack would unfold.
- Double-blind testing
Here, security personnel have no prior knowledge of the simulated attack. As in the real world, they have no time to reinforce their defences before the attempted breach.
- Targeted testing
The tester and security personnel work together and keep each other apprised of their movements. This gives the security team real-time feedback from a hacker's point of view.
Apart from these testing methods, there are several penetration test types as well, such as web application tests, network security tests, cloud security tests, IoT security tests, cryptocurrency tests and social engineering.
Any Tools for Pen Testing?
There are many pen-testing tools for different penetration testing tasks. The following is a list of some of the best.
- Powershell-Suite
- Zmap
- SimplyEmail
- Wireshark
- Hashcat
- John the Ripper
- Hydra
- Metasploit
Cutting the Long Story Short
The use of penetration tests is unavoidable for any organization with an online presence. It uncovers the critical security issues of your systems, how the vulnerabilities can be exploited and what is required to fix them. Only licensed ethical hackers, with written authorization from the system owner, should perform penetration tests.
Good read Ruvishka.
I noticed your mention of many pen testing tools in the article. What tools would you recommend as the best to use?
The ones mentioned are some of the best tools, Asenika. But FYI, those tools are used for different purposes, like exploitation and collecting info (Powershell-Suite, Zmap), credentials and wireless (Wireshark, Hashcat), web apps and shells (Burp Suite, Metasploit), vulnerabilities (Nmap/Zenmap, sqlmap), reverse engineering (Apktool, Resource Hacker), and other additional tools. For a comprehensive understanding please refer to this link. https://www.varonis.com/blog/penetration-testing-tools/#additional
Nice flow Ruvishka. Keep writing! Could you please tell me how often an organization should have pen tests?
Thank you Suranga.
As per my reading, it is recommended to conduct regularly scheduled penetration testing, because it allows businesses to locate and mitigate security risks. To get the job done, an organization can get the service from a red team. Some occasions on which conducting this test is encouraged:
1. Adding network infrastructure
2. Applying security patches
3. Performing upgrades to applications or other infrastructure
4. Modifications to end-user policies
5. Establishing new office locations
Don't you think a blue team is the most suitable team for this pen testing?
Hi Rajitha,
I guess you are asking because you are considering giving access to an external party. Well, in my opinion, blue teams are for defensive tasks on behalf of the organization. They are for building up an organization's protective measures and taking action when needed. As per my knowledge, these blue teams attack the systems with prior notice. So the organization already knows when the attack will happen and has plenty of time to get prepared for it. Red teams are on the offensive side. Their job is to identify and assess vulnerabilities, test assumptions, view alternate options for attack, and reveal the limitations and security risks of that organization. And they do these attacks without any prior notice. So it is almost like a real attack, which helps to identify the security vulnerabilities. If an organization can have the services of both of these teams, that's good. But, as I see it, red teams would be more effective. If you are interested in more, I would suggest this article. There you will find another team called the "Purple Team". Just have a look :)
https://www.coresecurity.com/blog/whats-your-defense-strategy-best-practices-red-teams-blue-teams-purple-teams
How does penetration testing differ from vulnerability scanning?
To explain briefly, a penetration test is a detailed hands-on examination by a real person who tries to detect and exploit weaknesses in your system. A vulnerability scan is an automated, high-level test that looks for and reports potential vulnerabilities. Vulnerability scans can be run on a schedule (quarterly for PCI) or as an on-demand service, unlike pen testing. When comparing the costs, vulnerability scans are relatively low cost, but again it depends on the scope of the scans. In a vulnerability scan you will receive a comprehensive report that ranks vulnerabilities high, medium or low, whereas with a pen test the report gives the level of risk and potential exposure.
Nicely written. Just to know, is pen testing expensive?
Thank you Kawee! A high-quality, professional pen test would cost between $15,000 and $30,000. But it depends on the requirements of the client. The more variables, the higher the cost. Some of the common variables considered when doing a pen test are complexity, methodology, experience, onsite work and remediation.
You have nicely covered many aspects of penetration testing. Btw, is penetration testing done manually, or can it be automated as well? Also, are there any drawbacks in this?
Thanks Dulanga! Pen tests can be conducted both manually and automatically. If you are following the automated path, you can use the tools mentioned in this article. Let me suggest an article for further reading. It may help to give a comprehensive answer.
https://www.tutorialspoint.com/penetration_testing/penetration_testing_manual_automated.htm#:~:text=Both%20manual%20penetration%20testing%20and,the%20way%20they%20are%20conducted.
To answer your question, "are there any drawbacks in this?", yes, there are drawbacks as well as pros in this testing. To list them for you:
1. Tests that are not done properly can crash servers, expose sensitive data, corrupt crucial production data, or cause a host of other adverse effects associated with mimicking a criminal hack.
2. You have to trust the penetration tester.
3. If you don't employ realistic test conditions, the results will be misleading.
4. It takes a pen tester more time to inspect a given system and identify attack vectors than a vulnerability assessment does, because the test scope is greater.
Hi Ruvishka. Thank you for the very informative article. Just a little clarification: so is a pen test a sort of simulated cyber attack, and does it only target the web applications of an organization?
You are most welcome! Yes, you may call it that. It is a simulated cyber attack against your computer system to check for exploitable vulnerabilities. The only difference is that we know this kind of attack could happen at any minute. Pen testing is not limited to web applications. As I mentioned, pen testing can be used on network security, cloud security, IoT security, cryptocurrency and social engineering as well.
Good article Ruvishka. Small clarification: what do you mean by "licensed ethical hackers"?
Hi Prabod. Certified Ethical Hacker (CEH), or licensed ethical hacker, is a professional designation describing hackers who perform legitimate services for organizations and IT companies. A certified ethical hacker is a skilled individual who uses the same knowledge and tools as a malicious hacker, but does so in a lawful and legitimate manner to assess the security risks of a network or system. There are many ethical hacking certifications that can help here, such as Certified Ethical Hacking Certification, GIAC Penetration Tester, Offensive Security Certified Professional and many more. Please follow the link if you are interested in more details on those exams.
https://www.prepaway.com/certification/7-ethical-hacking-certifications-for-your-it-career/