Penetration Testing – Detailed Overview (2019)

Published: May 16, 2019 7 min. read
Svitla Team
By Svitla Team
Quality Assurance
2020-pen_testing.jpg

What is penetration testing?

A penetration test (or pen test) is the method of a computer system simulation to detect cybersecurity vulnerabilities. Penetration testing of a network, application, device, and/or physical security is performed to detect any vulnerabilities which would allow possible penetration from inside or outside of the organization and thus prevent damage and information leaks. As a result of a pentest, a special document is created listing the details of the test vulnerabilities that were found. The recognized problem areas are reconfigured or replaced by more effective security systems and instruments.

Why is pen testing important?

First of all, penetration testing allows for detecting problems before security breaches happen. This minimizes the risk of data loss, information leaks, service damage, and other problems.

Penetration testing is a scheduled procedure and is a part of security audits. Frequency of pen testing is defined by requirements for each organization type, for instance, “Payment Card Industry Data Security Standard”.

James P. Anderson defined the following steps for information security procedures:

  • Find an exploitable vulnerability
  • Design an attack around it
  • Test the attack
  • Seize a line in use
  • Enter the attack
  • Exploit the entry for information recovery

As usual, it is better to predict risks and fix problems before they happen. It allows for avoiding all potential problems caused by unauthorized access to information systems and services by:

  • Determining the possibility of a certain set of attacks
  • Identification of high-risk vulnerabilities
  • Identifying vulnerabilities that can be difficult or impossible to find by using automated tools for vulnerability scanning
  • Assessing the size and value of the potential impact of successful attacks on business
  • Testing the ability of network protectors to successfully detect and respond to attacks

Types of penetration testing

Selecting the proper type of testing will allow the detection of existing problems in the security of the information system or organization. 

There are many types of penetration testing:

  • White box pen test
  • Black box pen test
  • Covert pen test
  • External pen test
  • Internal pen test

When choosing a Black Box level, the penetration tester knows only the range of external IP addresses. This approach is as close as possible to the actions of the hacker; data about the tested object will be collected using open source, social engineering, etc.

In White Box mode, the penetration tester has much broader information. In this case, experts can be provided with documentation, source code, network structure, and full access to the object being tested.

In Black Hat mode, only managers of the managing service are aware of the test. In this case, it is possible to check the level of operational readiness for attacks by network administrators and IT administrators.

In the White Hat mode, the test executors are in constant contact with the client's IT service, and the customer’s IT-specialists do not interfere with the performance of the required tests. The main task is to identify possible vulnerabilities and assess the risk of penetration into the system.

How to do penetration testing

How to do penetration testing? First of all, it includes the following steps:

  • Analysis of available sources
  • Scanning by tools
  • Analysis/evaluation of identified vulnerabilities and recommendations
  • Preparing a report
Pen testing main steps

Then it is necessary to define the area of penetration testing:

  • Application 
  • Network 
  • Web 
  • Physical 
  • IoT/Sensors 

A Penetration test can be performed manually or in an automated mode.

Manual pen testing can be either the focused or comprehensive type. Both types are valuable and should be scheduled according to the security plan. A Manual penetration test requires an expert engineer to perform it while automated penetration testing can be executed as a standard activity by a system administrator. Manual pen testing gives more details about specific problems of the system; on the other hand, automated testing results in a list of more items to be checked.

Quality Assurance Services Require the Most Reliable Partners Explore how Svitla Systems can ensure the quality of your products with proven QA expertise and innovative solutions. Contact Us

For automated testing, many tools can be used, and using a combination of them produces better results. The following are tools for automated testing: OpenVAs

  • Burp Suite
  • Metasploit Project
  • Nessus
  • Nmap
  • OWASP ZAP
  • w3af

The following operation system (OS) distribution can be used as well:

  • BlackArch 
  • BackBox 
  • BackTrack Linux
  • Parrot Security OS 
  • Pentoo based 
  • WHAX

Pen testing has five phases, the size of each phase depends on the target and plan of the specific system configuration.

Pen testing phases

The report provided to a customer on the penetration test results, contains a detailed description of performed work, all detected vulnerabilities and how they are implemented. The report also may contain specific recommendations for eliminating vulnerabilities.

Methodologies and Standards of Pen Testing

OSSTMM (Open Source Security Testing Methodology Manual) is a peer-reviewed methodology for conducting security tests. OSSTMM test cases are divided into five channels that are tested together: information and data management, personnel security awareness levels, fraud and social engineering levels, computer and telecommunication networks, wireless devices, mobile devices, physical access control, and physical locations.

The list of methods allows selecting the most suitable approach for a specific situation:

  • OWASP testing guide
  • PCI testing guide
  • Testing Execution Standard (PTSE)
  • NIST 800-115
  • Testing Framework 
  • Information Systems Security Assessment Framework (ISSAF)
  • Open Source Security Testing Methodology Manual (“OSSTMM”)
  • FedRAMP Testing Guidance
  • CREST Testing Guide

NIST (National Institute of Standards and Technology) discusses penetration testing in SP800-115. The NIST methodology is less exhaustive than the OSSTMM, regulators may accept it more willingly. 

And finally Penetration Testing Execution Standard (PTES) defines it as the following steps:

  • Pre-engagement Interactions
  • Intelligence Gathering
  • Threat Modeling
  • Vulnerability Analysis
  • Exploitation
  • Post Exploitation
  • Reporting

This allows constructing and execution of penetration testing on the level of black box testing or white box testing after the manual or automated procedure. Each of these steps is critical to the overall result and cannot be skipped. 

Frequency of Penetration Testing performance

Penetration testing is meant to save an organization from costly cyber attacks.

Usually, it should take place at least once per year. For many organizations, this frequency is enough if there is no critical data or vitally important information.

However, some organizations should plan pen testing quarterly. For instance, organizations with large data sets of user information, companies and enterprises’ web sites, etc. should carry outa different kind of pen testing every 3 months.

Organizations which deal with critical data should plan testing monthly. All financial organizations, demanding infrastructures, medical services, etc. must plan white box/black box testing every 30 days.

Finally, for some organizations, pen testing is a part of a weekly or daily routine. These are transport information systems, power plants, government organizations, etc., who must plan for almost constant health-checks (including employees). For such organizations, it is required by standards of corporate or government rules.

Also, it is recommended to do pen testing (at least in automated mode) after changes in system configuration, network upgrade, firewall reconfigurations or employees management. 

Takeaways

Penetration testing can save organizations from costly information leaks, disasters or service malfunction. It reduces risks on information systems’ security on many levels: hardware, software, and human factors.

Detailed testing reports should be taken very seriously by the administration and top management, and all potential problems must be fixed and documented.

It is always better to detect problems before they happen. 

Written by
Svitla Team
2020-pen_testing.jpg

FAQ

What is meant by penetration testing?

Penetration testing is basically an organized simulation of attacks against systems belonging to an organization – for example, networks, applications, devices, and physical security – to identify and validate vulnerabilities before real attackers exploit them. This would help in quantifying the risk, understanding the potential business impact, and testing the detection and response capabilities of that particular organization. The test may involve systems situated outside (black box) or inside (white box) the network/Internal/external systems; covert/overt; manual/automatic or hybrid, conducted using tools like Nmap, Burp Suite, Metasploit, Nessus, OWASP ZAP, among others. A penetration test guided by standards such as OSSTMM, NIST SP 800-115, PTES shall normally include planning, intelligence gathering, vulnerability assessment, exploitation, post-exploitation, reporting, and producing a remediation report in detail; frequency varies from annual to continuous, depending on the sensitivity of data and regulatory requirements.

What are the types of penetration testing?

Penetration testing types are various, based on the knowledge and access levels shared with the tester. In White box testing, all information about the system is supplied; therefore, an adequate and comprehensive analysis can be performed. Black box testing simulates a real external attacker without any prior knowledge, focusing on scenarios where actual vulnerabilities may be exploited. Internal testing assesses security from inside the organization’s network. External testing targets systems that have interfaces exposed to the internet. It does not inform them ahead of time that there will be an assessment of how well the organization can detect and respond to active attacks.

What are the 5 stages of penetration testing?

Pre-engagement sets scope, rules, and goals. Intelligence collects info about targets. Vulnerability analysis finds and ranks weaknesses. Exploitation proves the vulnerability is real and shows what can be done with it. Post-exploitation assesses the impact, documents the facts, and provides guidance on remediation. This makes the test structured, repeatable, and aimed at real risk reduction.

What are the best penetration testing tools?

Some tools that have gained quite good effectiveness in practical use include Nmap – probably the best network discovery/port scanning tool, Nessus- another good vulnerability assessment tool, and Metasploit- used for exploitation/post-exploitation. Burp Suite and OWASP ZAP are considered standard good tools for web application testing, and w3af is very useful from an auditing perspective that focuses on the web. In a comprehensive assessment, these tools will be supplemented by many others to maximize coverage and are typically run within a security-focused Linux distribution, such as Parrot Security OS, BlackArch, BackBox, or a Kali/BackTrack derivative.

What is the primary goal of penetration testing?

The main objective of penetration testing is to identify and address cybersecurity vulnerabilities before an attacker exploits them with malicious intentions. Therefore, through simulations of real-world attacks, organizations should understand their security postures to minimize risks related to breaches that would lead to the leakage of information or interruptions in service and thus ensure the protection of critical assets. This will help judge how far existing security controls are effective and the ability of a concerned organization in detecting an attack and responding appropriately.