Penetration testing, also known as “pen testing,” is an intentional, simulated cyberattack against your IT systems to find vulnerabilities and test the efficacy of cybersecurity controls.
For example, penetration testers can use this approach to evaluate and improve web application security mechanisms such as firewalls. A pen test might also involve an attempt to bypass access controls and reach a private network.
Pen testing can reveal valuable insights for remediation of security issues, strengthening security policies, and vulnerability management of security risks such as malware, social engineering, and phishing.
In this guide, we’ll explore the types of penetration testing that can be done, as well as the planning necessary so security professionals can run their own pen tests.
What Does Pen Testing Involve?
The pen testing process occurs over five steps.
Step 1. Planning
It’s always good to conduct a baseline security assessment or cybersecurity audit before beginning a penetration testing project. This allows you to understand where you’re at today and provides a basis for comparison once the test has occurred and new remediation has been applied.
From there, you’ll want to determine the scope and objectives for your penetration test. This includes the systems being tested, the penetration testing services that will be used, and the type of test that will occur.
You will also need to prepare any documentation to provide to your tester unless you’re using a blind test methodology.
Step 2. Scanning
The next step is one for your tester. Just like any real hacker, the tester should study your systems to understand their design and to locate the areas of least resistance before planning an attack.
Typically the tester will inspect your application code to understand how it runs, as well as the running application itself to understand how it behaves in real time and where any weak points may be.
The tester might also use an open-source pen-testing tool such as Nmap to scan your network for weaknesses such as unnecessarily open ports.
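The scan in Step 2 is only useful once its output is compared against what the organization expects to be exposed, which is exactly what the baseline assessment in Step 1 provides. The following script is an added example (not code from the original article or from ZenGRC): it parses a constructed sample of Nmap's grepable (-oG) output and flags any open port that is not in a hypothetical approved-services baseline. The hosts, addresses, and baseline are all made up for the illustration.

```python
import re

# Constructed sample of Nmap grepable (-oG) output for two hosts; not a real scan.
SAMPLE_NMAP_GREPABLE = """\
# Nmap scan (constructed sample)
Host: 10.0.0.5 (web01.example.test)\tStatus: Up
Host: 10.0.0.5 (web01.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///
Host: 10.0.0.9 (db01.example.test)\tStatus: Up
Host: 10.0.0.9 (db01.example.test)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///, 8080/filtered/tcp//http-proxy///
"""

# Hypothetical baseline from the Step 1 assessment: which port/proto pairs each
# host is expected to expose. Anything open beyond this is a finding.
BASELINE = {
    "10.0.0.5": {"22/tcp", "80/tcp", "443/tcp"},
    "10.0.0.9": {"22/tcp", "5432/tcp"},
}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")


def parse_grepable(text):
    """Return {ip: {"port/proto": (state, service)}} from Nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comments and "Status:" lines carry no port data
        ip, _hostname, ports = m.groups()
        ports = ports.split("\t")[0]  # drop any trailing "Ignored State:" field
        entries = hosts.setdefault(ip, {})
        for item in ports.split(","):
            # -oG port fields: port/state/proto/owner/service/rpc/version
            fields = item.strip().split("/")
            port, state, proto, service = fields[0], fields[1], fields[2], fields[4]
            entries[f"{port}/{proto}"] = (state, service)
    return hosts


def unexpected_open_ports(hosts, baseline):
    """Open ports absent from the baseline: the exposures to remediate or justify."""
    findings = []
    for ip, ports in hosts.items():
        allowed = baseline.get(ip, set())
        for key, (state, service) in sorted(ports.items()):
            if state == "open" and key not in allowed:
                findings.append((ip, key, service))
    return findings


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_NMAP_GREPABLE)
    for ip, port, service in unexpected_open_ports(scan, BASELINE):
        print(f"UNEXPECTED: {ip} {port} ({service})")
```

In the sample, the only deviation from the baseline is MySQL on the web server; the filtered port on the database host is not reported because it is not reachable. Re-running the same comparison after remediation gives the before/after view that Step 1 describes.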
Step 3. Attempt to Gain Access
Once your tester has a good understanding of where your organization’s weakest defenses are, the next step is to attempt to gain access to your systems or network using techniques such as SQL injection, cross-site scripting, or a back door.
In a real-life scenario, this stage would then likely be followed by intercepting traffic, stealing data, or disrupting the system.
Step 4. Maintain Access
The extent of the damage a hacker can do to a system depends almost entirely on how long he or she can maintain access to a system.
If the attacker can maintain a presence without eventually being discovered and removed by your security tooling, serious damage can ensue. In a real-life scenario, we would refer to this as an advanced persistent threat (APT).
APTs are characterized as a malicious presence maintained for months, where virtually unlimited access to a variety of IoT devices on a single network can result in massive amounts of sensitive data stolen — and often disastrous consequences for the organization.
The pen tester won’t do that, of course. But the tester will try to maintain access for as long as possible, to see how your security tools work to identify and remove the simulated threat.
Step 5. Post-Mortem Analysis
In this final step, your tester(s) will share their findings. That will typically be a detailed report, which will include:
- The specific vulnerabilities that were discovered and exploited
- How access was achieved
- What sensitive data was compromised
- The length of time the tester was able to maintain access to your systems
What’s the Difference Between a Hacker and a Pen Tester?
A pen tester (or an “ethical hacker”) is hired by an organization to attempt to hack it, so the organization can improve its security posture.
A hacker, on the other hand, is a criminal who obtains access to an organization’s private network or information systems without permission, with the intent to steal sensitive data, disrupt the system, or otherwise benefit from the intrusion.
What Are the Different Types of Penetration Testing Methods?
Pen tests can be done in a variety of ways.
Type 1: Internal Penetration Testing
In internal pen testing, an organization permits ethical hacking to be conducted from inside its own environment, to simulate scenarios that might occur with a malicious insider. It can also simulate a scenario in which an employee’s login credentials were stolen.
Type 2: External Penetration Testing
External security testing happens from the outside, and attempts to retrieve valuable, sensitive data by means of security weaknesses. This could be an employee who uses an insecure wireless network, which the hacker exploits to obtain access to the target system.
Type 3: Single-Blind Penetration Testing
In a single-blind testing methodology, the testing team or person is simply given the name of the business that’s being targeted with no other information. This is also sometimes called black-box or closed-box testing.
The testers are then expected to do their own vulnerability assessment and find the best means possible to attempt a breach.
This gives IT security professionals real-time insight into their security posture and any vulnerabilities that exist within their network infrastructure.
Type 4: Double-Blind Penetration Testing
Conversely, in a double-blind simulated attack, neither the security team nor the ethical hacker has prior knowledge about the attack: not when, how, or by what means the attack will occur.
This provides valuable real-world experience and limits an organization’s ability to potentially reinforce its security measures before the test.
Type 5: Targeted ‘White Box’ Testing
In this scenario, both the tester and security personnel work together to go through the motions of a simulated attack. The tester is given credentials for operating systems as well as network maps, and remains in contact with the security team throughout the exercise.
This is a valuable exercise for the security experts as it will give them first-hand experience of how an attack occurs.
Penetration Testing and Compliance Requirements
Pen testing is a requirement for some compliance frameworks including PCI DSS, ISO 27001, and SOC 2, as it can provide valuable insight that your organization can use to improve its security controls and apply mitigation to previously unknown vulnerabilities.
Understanding your vulnerabilities, however, is only the beginning. Your compliance or cybersecurity program must then undergo ongoing maintenance and review to assure that it remains effective over time and is updated to address new, emerging risks.
ZenGRC is a governance, risk management, and compliance tool that offers a variety of solutions to fit your needs. As an automated tool, it facilitates the documentation and workflows involved in risk assessment, penetration testing, mitigation, and incident response efforts.
As a compliance tool, ZenGRC can also trace your security stance across all your relevant frameworks, helping you to map controls to multiple frameworks to save time and eliminate duplicate work or documentation.
As a governance solution, it provides real-time insight into your evolving security requirements, showing you where your gaps are and what’s needed to fill them.
To see how ZenGRC can improve your cybersecurity strategies, and help facilitate penetration testing requirements, schedule a free demo today.