Today's networked systems have a greater attack surface because computers are interconnected and can be accessed remotely. Systems and servers are also complex since they offer dozens of services and run many different software packages. Anyone gaining access to such a system without authorization can damage operations and steal data. It's therefore essential to know what security vulnerabilities are present and take corrective action early on.
Penetration testing is a proactive attempt to discover and exploit vulnerabilities in the system. The idea is not to cause damage as a malicious hacker would. Instead, it's to discover what's wrong, show how much damage can be done, or prove that existing measures are mitigating these attacks as they happen. Penetration testing can be manual or automated.
What's a typical pen testing process?
With pen testing, we typically explore or scan the system to discover vulnerabilities. Once discovered, we try to exploit them and see what happens. The behaviour is captured and reported for analysis. Scanning can be static code analysis or dynamic run-time analysis.
Pen testing requires a proper testing plan. Reporting should be consistent. Problems should be marked with levels of severity. Finally, there should be an action plan to mitigate or manage vulnerabilities.
Since attacks are often preceded by an assessment, Vulnerability Assessment and Penetration Testing (VAPT) is a commonly used term. It's also possible to do both of these in parallel: vulnerability assessment involving scans and analysis; pen testing involving analysis and attacks. A vulnerability scan is faster than detailed pen testing, but pen testing is more accurate since some reported vulnerabilities might be false positives.
What are some types of pen testing?
- Network: Involves firewalls, routers, SSH, port scanning, and anything else that will allow an attacker to gain network access.
- Wireless: Often systems involve wireless access. Pen testing should look at wireless traffic, encryption protocols, unauthorized access points, poor passwords, MAC address spoofing, etc.
- Web: Any website or web app can be vulnerable at the application layer. Pen testing should check cross-site scripting, SQL injections, DoS attacks, web server misconfiguration, failure to protect sensitive data, etc. This could include vulnerabilities on the client-side of the app.
- Physical: Systems have to be physically secure as well in terms of locks, motion sensors, etc.
- Social Engineering: Users can be manipulated or fooled to provide unauthorized access to systems. Phishing, tailgating and eavesdropping are some techniques.
- Cloud: When apps reside in the cloud, cloud pen testing may be required. You will need to know from your cloud provider what assets are off limits for pen testing.
What are some methods or approaches to pen testing?
External testing is useful to mimic how an outsider might attack the system. Internal testing is to ascertain how much and what damage a disgruntled employee or another user with authorized access can cause.
Targeted testing is when multiple teams work together and everyone can see the tests as they execute. Blind testing is when limited information is given to the pen tester. Double-blind testing goes one step further: very few in the company know that pen testing is happening. This will determine if security monitoring and responses happen as expected.
Black box testing is an extreme case of blind testing. Pen testers are given no information. White box testing gives pen testers lots of useful information to speed up the process. Black box testing is more realistic but slower. White box testing is more thorough.
When is the right time to do pen testing?
Pen testing should be done regularly. The earlier practice of testing annually is now seen as outdated. The recommendation is to have pen testing as part of regular development and release processes. If this is not possible in-house, there are providers who offer pen testing as a service.
Typically, vulnerability scans could be part of CI/CD pipelines and longer attack tests could be done nightly. In addition, pen testing should be done whenever changes are made to the app/network/server/system. Such changes might include moving to new office premises, releasing a patch, changing user policies, or adding new infrastructure.
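As an added illustration (not from the original article or any tool it names), the sketch below shows how scan results and pen test verdicts can be combined into a CI/CD gate: scanner findings that a pen test could not exploit are treated as false positives, confirmed findings block at a lower severity than unverified ones. The finding IDs, asset names, thresholds and data layout are all constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum

class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4

@dataclass(frozen=True)
class Finding:
    finding_id: str      # constructed ID, not a real CVE or scanner rule
    asset: str
    severity: Severity
    source: str          # "scan" (automated) or "pentest" (manually exploited)

def triage(findings, verdicts):
    """Sort findings into confirmed / unverified / false_positive buckets.

    verdicts maps finding_id -> True (pen test exploited it) or
    False (pen test could not exploit it, so the scan result is a false positive).
    """
    buckets = {"confirmed": [], "unverified": [], "false_positive": []}
    for f in findings:
        verdict = verdicts.get(f.finding_id)
        if f.source == "pentest" or verdict is True:
            buckets["confirmed"].append(f)
        elif verdict is False:
            buckets["false_positive"].append(f)
        else:
            buckets["unverified"].append(f)
    return buckets

def gate(buckets, confirmed_min=Severity.MEDIUM, unverified_min=Severity.HIGH):
    """Return (passed, blockers); false positives never block a release."""
    blockers = [f for f in buckets["confirmed"] if f.severity >= confirmed_min]
    blockers += [f for f in buckets["unverified"] if f.severity >= unverified_min]
    blockers.sort(key=lambda f: (-f.severity, f.finding_id))  # worst first
    return (not blockers, blockers)

# Constructed sample data for the example.
SAMPLE_FINDINGS = [
    Finding("F-001", "web-app", Severity.HIGH, "scan"),
    Finding("F-002", "web-app", Severity.CRITICAL, "scan"),
    Finding("F-003", "vpn-gateway", Severity.MEDIUM, "scan"),
    Finding("F-004", "web-app", Severity.MEDIUM, "pentest"),
    Finding("F-005", "file-server", Severity.LOW, "scan"),
]
SAMPLE_VERDICTS = {"F-001": False, "F-003": True}

if __name__ == "__main__":
    passed, blockers = gate(triage(SAMPLE_FINDINGS, SAMPLE_VERDICTS))
    for f in blockers:
        print(f"{f.severity.name:8} {f.finding_id} {f.asset}")
    raise SystemExit(0 if passed else 1)  # non-zero exit fails the pipeline
```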
Could you mention some tools that help in pen testing?
It's interesting to note that tools that might be used by malicious hackers can also be useful for pen testing. The site SecTools.Org maintains a list of 100+ network security tools.
Angry IP Scanner is for scanning IP addresses and ports. Ettercap can read and inject packets into the network adaptor. For cracking passwords there's Cain and Abel or John the Ripper. To crack Wi-Fi passwords, Aircrack-ng is useful. For attacking web apps, we have Burp Suite and OWASP ZAP. For exploiting SQL flaws, there's sqlmap. Nessus is a well-known vulnerability scanner. Wireshark is a popular tool for interactively analyzing network logs. Metasploit is a framework to develop and reuse exploit code. System admins can use Responder, PowerShell Empire, Hashcat, Arpspoof and Wireshark.
Isn't pen testing the same as ethical hacking?
Often these two terms are used interchangeably but there's a subtle difference. Pen testing may be seen as a subset of ethical hacking. Pen testing is narrowly focused to discover and show that vulnerabilities can be exploited. Ethical hacking has a broader scope. An ethical hacker can use pen testing plus various other methods across the entire IT infrastructure.
While pen testing aims to give confidence about system security (usually based on known vulnerabilities), ethical hacking will try to see things from the perspective of a malicious hacker. An ethical hacker may use novel techniques of hacking. He may use social engineering, rummage through logs, examine patch installations, sniff networks, etc.
Are there any standards or methodologies to guide in pen testing?
Among the more well-known standards is the Penetration Testing Execution Standard (PTES) that was defined in 2009. Its goal is to provide guidance about tools and techniques. A standard such as PTES is particularly useful when organizations engage external testers or testing services. With PTES, it's easier to filter out low-quality testers.
PTES does have its limitations. Threats are evolving rapidly and it's impossible for a static standard to be comprehensive. Thus, PTES should be seen as a minimum requirement. PTES Technical Guidelines are available online and publicly accessible.
Another standard is the Open Source Security Testing Methodology Manual (OSSTMM) from ISECOM. It's been around since 2001. The Payment Card Industry Data Security Standard (PCI DSS) provides guidance for pen testing among other things. There's also the Information Systems Security Assessment Framework (ISSAF) but this is not actively updated.
At the annual Joint Computer Conference held in the U.S., the security of computer communication lines is discussed. The term "penetration" is used for the first time. Subsequently, RAND Corporation and Advanced Research Projects Agency (ARPA) publish a detailed report, commonly called The Willis Report. This report becomes influential for later studies.
From the late 1960s and during the 1970s, tiger teams are formed. They're sponsored by governments and companies. Their task is to attack computer systems, uncover security holes and then fix them. Pen testing as we know it today starts here. In 1972, an early pioneer of pen testing, James P. Anderson, outlines steps that tiger teams can follow for pen testing.
Dan Farmer of Sun Microsystems and Wietse Venema of the Eindhoven University of Technology release a paper titled Improving the Security of Your Site by Breaking Into It. They use the term "uebercracker" to refer to a system cracker who has gone beyond simple cookbook methods of breaking into systems. They also describe SATAN (Security Analysis Tool for Auditing Networks), one of the earliest tools to automate pen testing. It's written in shell, Perl, expect and C.