Penetration testing - you’ve heard the term before. Maybe it came from upper management, a consulting company, or just something that a security contact mentioned in passing. Maybe you’ve had a penetration test performed against one of your applications or networks to probe for vulnerabilities and exploit them (we’ll get to that later).
Regardless, it’s something we should all educate ourselves about and consider as a strategy to improve overall security posture and practice proactive security defense. More and more companies are offering penetration testing as a service. We will lay out the basics to develop a better understanding of the penetration testing process, why you need it, when it's required, and what the final outcome and deliverable will be.
What is penetration testing?
Penetration testing (pentesting) is the process of assessing a company’s technological environment with the intention of uncovering security vulnerabilities and exploiting them as proofs of concept. It is a popular type of security assessment performed to uncover flaws and weaknesses within a network or application. The main idea is to replicate what a malicious actor could accomplish, discovering and remediating flaws within an authorized and safe context before a real attacker exploits them and real repercussions occur.
Penetration tests can occur on all types of environments and targets including network infrastructure (external or internal), web application, API, cloud, mobile app, Internet of Things (IoT) devices, wireless assessments and more.
The different types of penetration tests (pentests) include:
- Black Box: A pentest that is performed on a scope with little to no prior knowledge about the targets being assessed.
- Gray Box: A pentest that is performed where the tester has a moderate level of knowledge about the targets, network or infrastructure which may be on par with a typical end-user.
- White Box: A pentest that is performed where the tester has full knowledge about the target scope. This can include source code, architecture diagrams, access to high and low privileged accounts, back-end information, etc.
When to Perform a Pentest
Have you made a major update to your application? Were there some new frameworks or modules installed? Do you manage Personally Identifiable Information (PII) or Payment Card Industry (PCI) data? These are all valid reasons to get a penetration test, and sometimes it may even be mandatory.
Penetration tests occur for a large variety of reasons. In most situations, it is recommended to perform a pentest twice a year or even quarterly in order to uncover and understand new vulnerabilities that have been introduced and exposed by changes made over time. There are also compliance regulations such as the PCI Data Security Standard (PCI DSS) which make penetration testing mandatory to ensure that client credit card and PII data is secure at rest and in transit and is inaccessible to external attackers.
Some common reasons to perform a penetration test include:
- Major application changes or updates: Anytime a major change is pushed to an application, new lines of code and features are introduced which have yet to be tested to determine if they are secure or not. It is always highly recommended to perform a pentest upon these major changes since you could be introducing new gaping holes into a feature or function just waiting to be exploited by an outside attacker.
- Compliance requirements: PCI DSS compliance is one example which requires a penetration test every 6 months or upon any major system changes. In some cases, insufficient testing can result in financial fines if a breach were to occur. SOX (the Sarbanes–Oxley Act of 2002) and HIPAA (the Health Insurance Portability and Accountability Act) are two more compliance mandates that require and/or encourage security assessments. The Personal Information Protection and Electronic Documents Act (PIPEDA) is a similar data protection act which mandates the secure handling and management of Canadians’ PII and recommends ongoing security assessments. The General Data Protection Regulation (GDPR) in Europe also recommends regular security assessments of applications and network infrastructure.
- Recent breach or exploit occurred: The first thing a company will do after suffering a security breach is hire a third-party penetration testing team to perform a full-blown pentest on the vulnerable application or infrastructure that was exploited by attackers. This is the worst reason and time to order a pentest, yet it happens frequently because a company failed to proactively protect itself.
- Determining risk: A penetration test can help an organization understand what its security posture and risk exposure look like, as well as the attack surface exposed to a typical end-user within the network or to an outside user. It can also be very beneficial for testing the effectiveness of current security implementations – maybe a new antivirus solution or firewall has been configured which has yet to be tested. Either way, it’s a great look at security preparedness across an organization and a proactive method of uncovering potential flaws before an attacker exposes them.
Outcome and Deliverables
Penetration testers come from all types of backgrounds and education, but they are always trained with a thorough technical understanding of all types of security vulnerabilities and issues. This includes real-world vulnerabilities and exploitation methods seen across networks and within devices, which lets them understand technology weaknesses and provide an in-depth report with technical and strategic recommendations.
A penetration test report will often include an executive summary for a high-level, overall view of the security assessment performed. The summary may include things like overall risk, security posture, and estimated remediation time. It can also include some positive and negative findings observed during the assessment. Each report will always include a detailed findings section which outlines each individual finding, the risk and impact associated with it, steps to retest or verify it, and recommended remediation including step-by-step details on how to fix the affected issue. These findings will likely be listed in order of ranked risk, from critical to low. The report will often close with an appendix section covering any remaining details of the assessment, such as the scope targeted, tools used, the people on the team who were involved, supporting details for the findings, and any additional sections depending on the team.
Do you need it?
Overall, a penetration test is a critical component of assessing your organization’s attack surface in exposed applications or networks. It will help shed light on any weaknesses or exposures and identify areas where strong security controls are already in place, which together can help increase security posture and decrease cyber risk.