“A penetration test is a simulated cyber-attack against ideally all components and applications of an IT system to check for exploitable vulnerabilities.”
In fact, almost two-thirds of all companies are victims of cyber-crime. The idea of a penetration test is to check the IT system and secure it as a precaution, before a real attacker does the checking. The result is either a validation of the security guarantees assumed in the client's risk assessment, or the discovery of vulnerabilities that pose a risk to the client and need to be fixed.
Penetration tests are typically classified along two axes, which combine into the following four types:
External testing vs Internal testing
External penetration tests target the systems of a company that are reachable from the internet, e.g., web applications, the company website, email servers and more. The goal is often to gain access and extract valuable data, or to take control of the system.
An internal test, on the other hand, simulates an attack from inside the company network. This does not necessarily mean a rogue employee: an attacker who has gained a foothold, e.g. through social engineering or phishing, operates from the same privileged position.
Closed-box testing vs Open-box Testing
In closed-box testing, the tester is given only the externally accessible IP range of the client being targeted, and simulates a typical external attacker with no further information and no privileged access.
In an open-box test, the tester is provided with information about the internal structure, and often with access to the source code of critical applications as well. This can be used to simulate a rogue employee, or to let testers cover parts of the system that would otherwise be too time-consuming to explore.
In the following we describe the typical stages of the most common kind, the external (closed-box) penetration test:
Stages of an external Penetration test
The goals and objectives of the penetration test are defined first.
It is essential that client and tester define the goals of the penetration test together, so that both parties share the same understanding of the objectives and targets, including which systems are in scope. The common objectives of a penetration test are the following:
- Identify vulnerabilities and improve the security of the company network and its systems.
- Test the IT security by an experienced external third party.
- Increase and/or certify the security of the IT infrastructure.
In the first technical step the tester scans the defined target, typically the company's externally reachable address range. The goal is to discover the accessible services. Automated scanning tools can additionally fingerprint service versions, which lets the tester identify outdated software and check it against publicly disclosed vulnerabilities. After completing the scan, the tester has an overview of the exposed services and can consider possible attacks.
Attacking is the most critical step and must be performed with due care. By attacking the system, the tester verifies which of the potential vulnerabilities identified in the scanning phase are real. Depending on the agreed objective, the tester aims not to harm the production system while still revealing whether the attacks pose actual risks. Recovery procedures for critical systems must be in place to limit unintended harm. The limits placed on the tester's actions have to be balanced between the risk of damage caused by testing and the risk of overlooking critical vulnerabilities.
Evaluating the vulnerabilities and attacks, the tester is now able to assess the identified security risks. Vulnerabilities are categorized and rated by risk (the impact of a successful attack) and exploitability (how likely and how easy the attack is). Additionally, the tester provides recommendations, typically an update or a necessary change in configuration. Since a penetration test is limited in scope, aggressiveness, and time, it is important that the tester transparently discloses the scope and limitations of the test. This enables the client to realistically assess the security and the guarantees obtained by the test.
Finally, the objectives, scope, procedures, and findings are reported. Ideally the report follows the same structure as the test itself: it starts with the agreed objectives and scope, continues with the scanning methodology, tools, and results, then lists the evaluated findings in order of risk priority, followed by the recommendations, and ends with the conclusion.
A report should focus on the following parts:
- An overall summary of the penetration test.
- Details of each procedure step and the information gathered during the pen testing.
- Details of all the vulnerabilities and risks discovered and their assessment.
- Recommendations for improving the security.
- The objectives, scope, and limitations of the test.
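The stages above (scan, evaluate, report) can be chained into a small tool. The following is an added example, not code from the original article: it parses the XML that nmap writes with `-sV -oX`, flags services whose version banner is older than a reference "fixed in" version, rates each finding with a simple exploitability-times-impact matrix, and emits the findings ordered by risk. The nmap output is a constructed sample, and the reference table, the rating thresholds and the 203.0.113.10 address are hypothetical placeholders; a real test would replace the table with data from vendor advisories or a vulnerability database and use the rating scheme agreed with the client.

```python
"""Scan output -> outdated-version check -> risk rating -> ordered findings.

Added example. Sample data and the reference table below are constructed
placeholders, not real scan results or advisory data.
"""
import re
import xml.etree.ElementTree as ET

# Constructed nmap -sV -oX output for one external host (not a real scan).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host><address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.49"/></port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="https" product="nginx" version="1.24.0"/></port>
      <port protocol="tcp" portid="25"><state state="filtered"/>
        <service name="smtp"/></port>
    </ports>
  </host>
</nmaprun>"""

# Hypothetical reference table (placeholder, not real advisory data):
# product -> (first version without the known issue, note, exploitability 1-3, impact 1-3)
REFERENCE = {
    "OpenSSH": ("8.0", "old release line, review vendor advisories (placeholder entry)", 1, 2),
    "Apache httpd": ("2.4.51", "remote code execution in earlier releases (placeholder entry)", 3, 3),
    "nginx": ("1.24.0", "no known issue at or above this version (placeholder entry)", 1, 1),
}


def version_tuple(version):
    """'2.4.49' -> (2, 4, 49); digits in suffixes such as 'p1' become an extra component."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def parse_nmap_xml(xml_text):
    """Return the open services (host, port, product, version) from nmap -sV XML output."""
    services = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # filtered/closed ports expose no service to version-check
            svc = port.find("service")
            services.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": svc.get("name", "unknown"),
                "product": svc.get("product", ""),
                "version": svc.get("version", ""),
            })
    return services


def rate(exploitability, impact):
    """Simple 3x3 matrix: score = exploitability * impact, mapped to a label (placeholder thresholds)."""
    score = exploitability * impact
    if score >= 9:
        label = "Critical"
    elif score >= 6:
        label = "High"
    elif score >= 3:
        label = "Medium"
    else:
        label = "Low"
    return score, label


def find_outdated(services, reference=REFERENCE):
    """Compare each banner version against the reference table; return findings, highest risk first."""
    findings = []
    for svc in services:
        ref = reference.get(svc["product"])
        if ref is None or not svc["version"]:
            continue  # unknown product or no version banner: manual follow-up, not a finding yet
        fixed_in, note, exploitability, impact = ref
        if version_tuple(svc["version"]) < version_tuple(fixed_in):
            score, label = rate(exploitability, impact)
            findings.append({**svc, "fixed_in": fixed_in, "note": note, "score": score,
                             "rating": label,
                             "recommendation": f"update {svc['product']} to {fixed_in} or later"})
    return sorted(findings, key=lambda f: (-f["score"], f["port"]))


def build_report(xml_text, reference=REFERENCE):
    """Run parse + check and return the data a report's findings section needs."""
    services = parse_nmap_xml(xml_text)
    return {"exposed_services": len(services), "findings": find_outdated(services, reference)}


def format_report(report):
    lines = [f"Exposed services: {report['exposed_services']}", "Findings (highest risk first):"]
    for f in report["findings"]:
        lines.append(f"  [{f['rating']}] {f['host']}:{f['port']}/{f['proto']} {f['product']} "
                     f"{f['version']} - {f['note']}; {f['recommendation']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(build_report(SAMPLE_NMAP_XML)))
```

Two points matter for the evaluation stage: a banner version that is not older than the reference entry produces no finding (nginx here), and a service with no banner or an unknown product is deliberately skipped rather than rated, since the scanner cannot tell whether it is vulnerable. Such gaps belong in the report's limitations section, not in the findings list.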
A penetration test can be used as an assessment of the current security posture of the company. Because technology changes rapidly, security and risk assessments must be seen as continuous processes: just like the software and hardware beneath them, they require regular updates. It is therefore recommended to test the company infrastructure on a yearly basis, ideally with state-of-the-art attacks and defences from unbiased experts in the field.