Penetration Testing: A Quick Overview ...

What is it?..

We have seen an incline in data breaches through ransomware attacks, with big corporations headlining such as the Colonial Pipeline and most recently Caesars Entertainment. Bringing penetration testing into focus as a great security preventative measure.

Penetration testers act as malicious actors attempting to breach an organization by finding and exploiting vulnerabilities. In simplest terms, organizations contract penetration testers to act as adversaries and exploit vulnerabilities to aid the organization in understanding its security landscape.

Penetration testing allows for a deeper look at the damage a breach can cause. Of course, there are a lot of moving parts before, during, and after a penetration test which I will cover in-depth in other posts. For now, I just want to provide a general overview of what penetration testing is.

Why is penetration testing important?..

Having a penetration test done is the best investment an organization can make. How can organizations defend their assets against malicious actors when they are unaware of how they could be potentially breached? Most organizations will implement basic security practices which is a great start but in today’s ever-evolving technological world much more is needed. When organizations are informed of where their weaknesses lie they can better protect their assets by strengthening those areas.

Additionally, many organizations are required to undergo penetration testing to remain compliant and abide by the laws and regulations pertaining to their specific industry. Some of these regulations include PCI DSS, HIPPA, GDPR, and many others.

Breaking it down ...

To get a more rounded basic understanding of what penetration testing is, it’s important to break it down into its categories, types, environments, and stages.

Categories	Description
White-Box	All the information necessary is provided by the organization about the environments that will be tested. This includes a range of things like IP addresses, source code, credentials, documentation, network infrastructure, etc.
Black-Box	This test best simulates a malicious actor since it involves heavy reconnaissance due to the penetration tester having zero knowledge of the environments to be tested.
Gray-Box	A combination of white-box and black-box testing. Partial information about the environments is provided while keeping other information hidden.

Types

Type	Description
Internal	Testing begins inside the network, aiming to gain access to privileged information.
External	Testing begins outside the network, aiming to gain access to the internal network.

Environments

Environment	Description
Network	A network scan is conducted to identify open/closed ports, the corresponding services, the versions running, etc.
Perimeter Devices	Routers, switches, firewalls, IDS/IPS, antivirus, etc.
Wireless Networks	Wi-Fi, Bluetooth, RFID, NFC, etc.
Mobile	iOS and Android devices.
Web Applications	Web applications and the technology used to operate them.
Physical	Building entry points, gates, security personnel, cameras, buildings, etc. Social engineering plays a big role here.
Cloud	Tests are conducted to determine the technology used and if any vulnerabilities exist.
Databases	MySQL, PostgreSQL, Oracle, etc.

Stages

Pre-engagement: The penetration tester and organization agree on what is to be tested (in scope) and what is not (out of scope). The legal implications for both sides are discussed and mutually agreed on. The organization specifies its goals, business requirements, and much more.
Reconnaissance: The penetration testers will begin gathering as much information about the organization and its network as possible. There are two types of reconnaissance, passive and active. The information gathered can be used to formulate an appropriate approach for later stages.
Discovery: A combination of additional reconnaissance and vulnerability discoverability. Here a penetration tester can find additional information such as IP addresses, DNS details, directories, usernames, etc. A vulnerability scan is also performed to find any potential known vulnerabilities.
Vulnerability Assessment: Vulnerabilities found are scored based on their severity level using The Common Vulnerability Scoring System. This helps determine which vulnerabilities need to be urgently addressed by the organization and the damage they can cause. These vulnerabilities are used to gain access in the next stage of the penetration test.
Exploitation: This stage requires the exploitation of the vulnerabilities found previously. Notes are taken on the exploitation process so it can be replicated by the organization if needed.
Post-Exploitation: This stage is all about maintaining access and documenting the data encountered throughout the exploitation. Important things to note are how long access was maintained and if the breach was noticed at any point.
Reporting & Risk Analysis: All the information gathered in previous stages is compiled into a comprehensive report. This report includes a risk analysis of the vulnerabilities found. Recommendations are also made to the organization on how to mitigate the vulnerabilities.
Remediation: The organization is now tasked with addressing the vulnerabilities and implementing the recommendations. After they complete their tasks the penetration tester will go back and reassess the vulnerabilities.

Let's Wrap It Up ...

This concludes the quick overview of penetration testing and its basic concepts. There is a lot more that goes into penetration testing which I will be breaking down further in upcoming posts. Performing a penetration test against an organization requires authorization from the organization's stakeholders, otherwise it is considered illegal and punishable by the law.

Penetration Testing: A Quick Overview ...

Table of contents