What is Penetration Testing?A penetration test, also known as a pen testing, is a security exercise where a cyber-security expert attempts to find and exploit vulnerabilities in a computer system. The purpose of this simulated attack is to identify any weak spots in a system’s defenses that attackers could take advantage of.
In the context of web application security, penetration testing is commonly used to augment a web application firewall (WAF).
Pen testing can involve the attempted breaching of any number of application systems, (e.g., application protocol interfaces (APIs), frontend/backend servers) to uncover vulnerabilities, such as unsanitized inputs that are susceptible to code injection attacks.
Insights provided by the penetration test can be used to fine-tune your WAF security policies and patch detected vulnerabilities.
Penetration Testing Stages
The pen testing process done in five stages, which are given below:
1. Planning and reconnaissance
The first stage involves:
- Defining the scope and goals of a test, including the systems to be addressed and the testing methods to be used.
- Gathering intelligence (e.g., network and domain names, mail server) to better understand how a target works and its potential vulnerabilities.
The next step is to understand how the target application will respond to various intrusion attempts. This is typically done using:
- Static analysis – Inspecting an application’s code to estimate the way it behaves while running. These tools can scan the entirety of the code in a single pass.
- Dynamic analysis – Inspecting an application’s code in a running state. This is a more practical way of scanning, as it provides a real-time view into an application’s performance.
3. Gaining Access
This stage uses web application attacks, such as cross-site scripting, SQL injection and backdoors, to uncover a target’s vulnerabilities. Testers then try and exploit these vulnerabilities, typically by escalating privileges, stealing data, intercepting traffic, etc., to understand the damage they can cause.
4. Maintaining access
The goal of this stage is to see if the vulnerability can be used to achieve a persistent presence in the exploited system long enough for a bad actor to gain in-depth access. The idea is to imitate advanced persistent threats, which often remain in a system for months in order to steal an organization’s most sensitive data.
The results of the penetration test are then compiled into a report detailing:
- Specific vulnerabilities that were exploited
- Sensitive data that was accessed
- The amount of time the pen tester was able to remain in the system undetected
This information is analyzed by security personnel to help configure an enterprise’s WAF settings and other application security solutions to patch vulnerabilities and protect against future attacks.
What are the types of Penetration Testing?
- External testing
- Internal testing
- Blind testing
- Double-blind testing
- Targeted testing
External penetration tests target the assets of a company that is visible on the internet, e.g., the web application itself, the company website, and email and domain name servers (DNS). The goal is to gain access and extract valuable data.
In an internal test, a tester with access to an application behind its firewall simulates an attack by a malicious insider. This isn’t necessarily simulating a rogue employee. A common starting scenario can be an employee whose credentials were stolen due to a phishing attack.
In a blind test, a tester is only given the name of the enterprise that’s being targeted. This gives security personnel a real-time look into how an actual application assault would take place.
In a double-blind test, security personnel have no prior knowledge of the simulated attack. As in the real world, they won’t have any time to shore up their defenses before an attempted breach.
In this scenario, both the tester and security personnel work together and keep each other apprised of their movements. This is a valuable training exercise that provides a security team with real-time feedback from a hacker’s point of view.
Advantages of Penetration Testing?
- Reveal vulnerabilities
Penetration testing explores existing weaknesses in your system or application configurations and network infrastructure. Even the actions and habits of your staff that could lead to data breaches and malicious infiltration are being researched during penetration tests. A report informs you of your security vulnerabilities so you know what software and hardware improvements you have to consider or what recommendations and policies would improve the overall security.
- Show real risks
Penetration testers try to exploit identified vulnerabilities. That means you see what an attacker could do in the ‘real world’. They might access sensitive data and execute operating system commands. But they might also tell you that a vulnerability that is theoretically high risk isn’t that risky at all because of the difficulty of exploitation. Only a specialist can perform that type of analysis.
- Test your Cyber-Defense capability
You should be able to detect attacks and respond adequately and on time. Once you detect an intrusion, you should start investigations, discover the intruders and block them. Whether they are malicious, or experts testing the effectiveness of your protection strategy. The feedback from the test will tell you if more likely what actions can be taken to improve your defense.
- Ensure business continuity
To make sure your business operations are up-and-running all the time, you need network availability, 24/7 communications and access to resources. Each disruption will have a negative impact on your business. Penetration tests reveal potential threats and help to ensure that your operations don’t suffer from unexpected downtime or a loss of accessibility. In this respect, a penetration test is quite like a business continuity audit.
- Maintain trust
A cyber assault or data breach negatively affects the confidence and loyalty of your customers, suppliers and partners. However, if your company is known for its strict and systematic security reviews and penetration tests, you will reassure all your stakeholders.
Reasons why your Business needs Penetration Testing?
Even despite best efforts and high investment, big players like Microsoft, Adobe, etc. faced zero-day threats in 2018, and Facebook, Marriott International, Exactis, etc. faced major breaches and hacks in 2018. This means that slip-ups in security and zero-days are a big possibility even for big players. So, it is vital that all organizations, big, medium, or small, engage in pen-testing to unearth unknown and unforeseen threats and risks for them to be able to prepare better.
It is important to note that small businesses are high up the target list of hackers with over 40-50% of small businesses facing some form of cyber-attack. If they are not well-prepared, then they may even be forced to shut down completely.
- To determine the weakness in the infrastructure (hardware), application (software) and people in order to develop controls.
- To ensure controls have been implemented and are effective – this provides assurance to information security and senior management.
- To test applications that are often the avenues of attack. (Applications are built by people who can make mistakes despite best practices in software development).
- To discover new bugs in existing software (patches and updates can fix existing vulnerabilities, but they can also introduce new vulnerabilities)
How often to conduct Penetration Testing?
Pen testing should be conducted regularly, to detect recently discovered, previously unknown vulnerabilities. The minimum frequency depends on the type of testing being conducted and the target of the test. Testing should be at least annually, and maybe monthly for internal vulnerability scanning of workstations, standards such as the PCI DSS recommend intervals for various scan types.
Pen testing should be undertaken after deployment of new infrastructure and applications as well as after major changes to infrastructure and applications (e.g. changes to firewall rules, updating of firmware, patches and upgrades to software).
Top Penetration Testing Tools
- John the Ripper
There are no doubts about how important penetration testing is with respect to protecting a business and its valuable assets from potential intruders. However, the benefits of a pen test cover all the network and data security concerns of any business.
It is essential that pen testing is done by certified security experts as they will be able to best use the security testing tools while leveraging automation and other technology to help businesses to continuously detect, protect and test their web application security and performance.