What is Penetration Testing?

 What is Penetration Testing?



Penetration testing is one of the techniques for identifying areas of the system that are vulnerable to intrusion and compromise of integrity and reliability by unauthorised and malicious users or entities. The penetration testing process includes deliberate, authorised attacks on a system that can identify both its weakest areas and gaps in protection against third-party intrusions, and thereby improve security attributes.
This technique can also be used as a supplement to other verification methods to assess the effectiveness of the system protection complex against various types of unexpected malicious attacks.

What are the causes of system vulnerabilities?


Security gaps appear at different stages of the process and depend on many factors:

  • design error (for example, design flaws are one of the most important factors in security loopholes);
  • incorrect setup and poor configuration of related hardware and software;
  • network connectivity problems (a secure connection eliminates the possibility of malicious attacks, and an insecure network provides a gateway for hackers to attack the system);
  • Human error (an error committed intentionally or unintentionally by an individual or team in the design, deployment and maintenance of a system or network);
  • communication error (incorrect or open transfer of confidential data and information among teams or individuals);
  • excessive system complexity (it is easy to control the security mechanism of a simple network infrastructure, but it is difficult to track leaks or any malicious activity in complex systems);
  • lack of training (lack of knowledge and proper training on security issues, both from internal employees and those working outside the organisational structure).

What is the difference between penetration testing and vulnerability assessment?

Both of these techniques have the same goal of making the software product secure, but they have different workflows.

Penetration testing is real-time verification manually or using automation tools; the system and its associated component are exposed to simulated malicious attacks to identify security flaws.

Vulnerability assessment involves examining and analysing the system using testing tools in order to detect security loopholes for several types of malicious attacks. This technique identifies areas of vulnerability that could provide hackers with the opportunity to compromise a system. In addition, the vulnerability assessment process includes various corrective actions to address identified deficiencies.

Vulnerability assessment follows a predetermined and established procedure, while penetration testing solves the only problem - the destruction of the system, regardless of the approaches adopted.

What is penetration testing for?

As stated earlier, security holes provide an opportunity for an unauthorised user or rogue entity to attack the system, affecting its integrity and confidentiality. Thus, penetration testing of software products helps to eliminate these vulnerabilities and make the system competent enough to protect against expected and even unexpected malicious threats and attacks.

Let's consider the results of applying this technique in more detail. So, penetration testing provides:

  • A way to identify weak and vulnerable areas of the system before a hacker notices them. Frequent and complex system updates can affect related hardware and software, leading to security issues - hence it is appropriate to control all of these updates.
  • The ability to assess the existing security mechanism of the system. This allows developers to assess their security competence and maintain the level of security standards set in the system. In addition to the system vulnerability, it is also recommended that business and technical teams assess various business risks and issues, including any compromise with authorised and sensitive data of the organisation. It helps the organisation to structure and prioritise, mitigating or completely eliminating various business risks and challenges.
  • Finally (but not least), a tool for identifying and meeting certain basic safety standards, norms and practices.

How to do penetration testing?

System penetration testing can be performed using any of the following approaches:

  • manual testing;
  • automatic testing;
  • a combination of manual and automated testing.

1. Manual Penetration Testing

For manual penetration testing of a software product, a consistent standard approach is used, including the following steps:

  • Planning for penetration testing. This stage includes collecting requirements, defining the scope, strategies and objectives of penetration testing in accordance with security standards. In addition, it may contain an assessment and listing of areas to be verified, types of planned trials, and other related checks.
  • Intelligence service. Collecting and analyzing the most detailed information about the system and related security attributes, useful for targeting and attacking each block, for effective and efficient testing of the system penetration into the system. There are two forms of collecting and analyzing information about the target system: passive and active reconnaissance (in the first case, direct interaction with the system is not assumed).
  • Vulnerability analysis. At this stage, testers identify and discover vulnerable areas of the system, which will later be used to enter and attack using penetration tests.
  • Exploitation. An actual system penetration test involving internal and external attacks. External attacks are simulated attacks from the outside world that prevail outside the system / network boundary (for example, gaining unauthorised access to system functions and data related to applications and servers facing the public). Internal attacks begin after the intrusion of authorised objects into the system or network and are aimed at various actions (when a compromise is reached with the integrity and veracity of the system) that can intentionally or unintentionally compromise the system.
  • Post-exploitation. The next step is to analyse each attack on the system to assess its purpose and objectives, as well as its potential impact on system and business processes.
  • Reporting. In fact, reporting includes the documentation of the activities carried out at all the mentioned stages. In addition, it can describe the various risks, issues identified, areas of vulnerability (used or not), and proposed solutions to address deficiencies.

2. Automatic penetration testing

This useful and effective approach to penetration testing involves the use of specialised instrumentation. Automatic testing is reliable, convenient, very fast and easy to analyse. Validation tools are effective for accurately detecting security flaws in a system in a short amount of time, and for generating crystal clear reports.

Here are just a few of the popular and widely used penetration testing tools:

Nmap;
Nessus;
Metasploit;
Wireshark;
OpenSSL;
Cain & Abel;
THC Hydra;
w3af.
Many automated testing tools can be found in off-the-shelf Linux builds ( Kali Linux , Mantra OS ).

To work on a specific project, you will have to choose a tool that meets a number of requirements and criteria:
  • ease of deployment, use and maintenance;
  • providing a simple and fast system scan;
  • the ability to automate the process of checking identified vulnerabilities;
  • the availability of checking previously discovered vulnerabilities;
  • ability to create simple and detailed vulnerability reports.

3. Combination of manual and automated penetration testing

This approach can be considered optimal, since it combines the advantages of the first two options and provides operational control through reliable and accurate penetration into the software product.

Penetration test types

Penetration testing, depending on the elements and objects used, can be classified into the following types:

  • Social engineering. Testing with the involvement of a “human contingent” capable of clearly identifying and receiving confidential data and other information via the Internet or telephone (this group may include employees of the organisation or any other authorised persons present in the organisation's network).
  • Web application. Used to detect security holes and other problems in several variants of web applications and services hosted on the client or server side.
  • Network service. Network penetration testing to identify and detect the possibility of access to hackers or any unauthorised object.
  • Client side. As the name suggests, this test is used to test applications installed on a client site / application.
  • Remote connection. Testing a vpn or similar object that can provide access to the connected system.
  • Wireless network. The test is designed for wireless applications and services, including their various components and functions (routers, filter packets, encryption, decryption, etc.).
Penetration testing can also be classified based on the testing approaches used:

  • White box. With this approach, the tester will have full access to in-depth knowledge of the functioning and basic attributes of the system. This testing is very effective, as understanding every aspect of the system is very helpful when doing extensive penetration testing.
  • Black box. Testers are only provided with high-level information (such as the URL or IP address of an organisation) to conduct penetration testing. A specialist may feel like a hacker who knows nothing about the system / network. This is a very time-consuming approach, since the tester takes a significant amount of time to study the properties and details of the system; in addition, there is a high probability of missing some areas due to lack of time and information.
  • Gray box. The tester receives limited information (for example, knowledge of the algorithm, architecture, internal states) to simulate an external attack on the system.

Penetration Testing Limitations.

Penetration testing has a number of limitations:
  • lack of time and high cost of testing;
  • limited scope of testing based on requirements over a given time period (which may result in other critical areas being ignored);
  • the possibility of system destruction or system loss in a failure state as a result of a penetration test;
  • data vulnerability (loss, corruption or damage).

Conclusion:

Armed with advanced technologies with a wide range of resources and tools, hackers often easily break into a system or network with the intention of harming a company's reputation and assets. Penetration testing, more than other types of testing, can be seen as a tool to identify various security gaps, helping to negate potential threats to the system as a whole.

I will conclude with some useful links.
The Awesome Penetration Testing project is constantly updating tools, articles, books on penetration testing.

Standards:

  • PCI DSS (Payment Card Industry Data Security Standard);
  • OWASP (Open Web Application Security Project);
  • ISO / IEC 27002 , OSSTMM (The Open Source Security Testing Methodology Manual).

Certification:

  • GPEN ;
  • Associate Security Tester ( AST );
  • Senior Security Tester (SST);
  • Certified Penetration Tester ( CPT ).
Previous Post Next Post