Penetration testing, or pen testing, involves testing a system or systems for weaknesses. It’s purpose is to simulate a real attack on the systems to determine areas which need improvement. The systems can be physical, a physical computer, or procedural, how a specific task is performed. For instance, you might have a Linux server running the Apache webserver. Since this resource is publicly accessible, it’s reasonable to assume a malicious actor would try to gain access to it. While everyone should get important systems tested, it may not make sense.
Who is this for?
Penetration testing is mostly for larger organizations. These organizations typically have more assets which need to be protected and can justify spending more time and money determining if their systems are sound. In an ideal world, every organization should have one done on key system. In the real world, it’s cost prohibitive to get a system tested. Also, the system may not protect valuable company assets.
How are Penetration Tests conducted?
Typically an organization will hire an individual or a company to perform the pen test. The organization wanting the test done will give the tester items in the scope. The scope simply lists all possible targets for the pen tester. For instance, a pen test may only put the physical systems in scope and not the organization’s employees. This is done to only test a specific area of a system.
Testers will use a variety of tools to gain access to systems. A popular tool is Kali Linux which is a Linux distribution specifically built for penetration testing. The tools used will vary depending on what’s in the scope of the test. Sometimes they may even use employees to gain access to systems.
The Life Cycle
A penetration test typically follows 5 phases.
- Reconnaissance – In this phase the tester is looking for basic information about the organization. This could include public records of where they are located as well as public facing systems such as their website.
- Scanning – During this phase, the pen tester will use information found in phase one to determine an area of weakness. A common method is to use nmap to scan for open ports and determine what software is being run behind that port.
- Exploitation – In this phase, the tester will using information gathered in the scanning phase and exploit weaknesses in systems the organization is using. The tester will typically exfiltrate information to prove they gained access to the system or systems.
- Maintaining access – This phase is often overlooked. This is when the tester will ensure they can get back into the system once initial access is gained. The initial access may be janky and not work perfectly every time. Adding one or more reliable ways to access the system is important and what takes place during this step.
- Reporting – This phase is the most important as it’s what the company is really paying for. Sure it’s fun to break into systems but the report is what matters to the company.
- External Testing – In an external test, the tester will attack an organization from the outside. Typically outside is defined as the public side of the organization’s firewall. The tester’s primary target would be public facing systems such as the website and webserver as well as the DNS server.
- Internal testing – During an internal test, the tester will have information a typical employee will have and tests systems only the organization utilizes. An example of this is
- Blind testing – During this test, the tester only knows the name of the company and that’s all. This simulates what malicious actors would have access to when they are targeting a business.
While penetration testing is important, it may not be viable for all organizations. If you have important systems which protect company assets, it’s a good idea to get a pen test done. Typically you and the tester will discuss what systems are in scope to test specific areas of those systems. There are different testing methods but they all follow the pen testing life cycle. External testing is the most common as this simulates an outside attacker with limited knowledge. The report phase is the most important of the 5 phases. This will give your organization insight into how the tester broke into your systems. The report will also give remediation suggestions.