Penetration Testing
Penetration testing, or pentesting, is an authorized attack on a software system, carried out in order to uncover security weaknesses and, where possible, gain access to its data and features. Penetration testing can be described, executed and marketed in many ways. It is often confused with a vulnerability scan, a security assessment or a compliance audit. However, penetration testing stands apart from all of these in the following ways:
- A penetration test is not over once vulnerabilities have been detected. It proceeds to the next step of exploiting the vulnerability in order to establish the attack vectors against the company's data and assets.
- The focus of penetration testing is on the team or individual testers and the experience they bring into practice. Even the most sophisticated technologies are vulnerable to a free-thinking human mind that can analyze and synthesize, is capable of thinking laterally, and is driven by an unfading motive and determination.
- A penetration test is designed to evaluate the effectiveness of the implemented security controls against a skilled human attacker. An organization with 100% compliance may still be vulnerable to a human threat in the real world.
- A penetration test explores multiple attack vectors against the same target. Most successful compromises are a combination of vulnerabilities and information gathered across different systems.
There are many reasons for conducting penetration testing. The nature and scope of a penetration test depend mainly on the organization's driving force, which in turn determines the goals of the test. This driving force also influences other factors such as scope, target selection, assumptions and the budget allocated for the test.
Considerations for Penetration Testing
- Scope: For the purpose of testing it is very important to define what is scoped in and what is scoped out of the target environment. Before the test starts, IP address ranges, external URLs and applications should be clearly defined. Additional scope considerations include the acceptable level of social engineering interactions, physical access to tangible resources, etc. In order to focus efforts on high-value assets, the defined scope should always be prioritized: limiting the scope concentrates the testing effort on the most important areas of the organization. It is important to maintain a balance in scope definition. If it is too broad, efforts may go astray; if it is too narrow, the testers may not get enough flexibility to explore all possible paths of exploitation.
- The testing approach: The testing approach can be white box or black box, and each has its pros and cons. In white box testing, less time and money are required for identifying the tests, so more can be invested in the actual exploitation process. However, it runs the risk of underestimating inside attackers, who are already one step closer to the internal environment. On the other hand, the black box approach provides a more realistic perspective of the system from the attacker's point of view. It forces the tester to spend time and effort obtaining internal information without prior access. This gives the organization good intelligence about potential breaches and enables it to take protective steps.
- Objectives: Establishing the goals and objectives of the test is as important as defining the scope. It helps to produce a report that addresses those goals. Any high-priority objective should be explicitly stated in the goals. However, it should be taken into account that not all goals can be achieved despite repeated attempts. This is a positive outcome, as it shows that the security controls stand firm.
Conclusion
