Required by most IT Security standards, a penetration test is an engagement where a qualified IT Security professional mimics real-world cyber attacks against an organization in order to identify methods to circumvent the security features of a system, application, or network. It involves the use of tools and techniques commonly used by attackers to gain access to an organization, and entails assessing a wide variety of technical vulnerabilities or misconfigurations.
Penetration testing is used for assessing:
- How well networks and systems tolerate a simulated real world attack
- The level of sophistication required to successfully compromise a system
- Additional countermeasures required to mitigate discovered threats against a system
- The organization’s ability to detect and appropriately respond to cyber attacks
The penetration exercise is very labor intensive and requires specialized skills to minimize risks to targeted systems. While creating a Denial of Service scenario is normally out of scope for a penetration test engagement, there is always a risk that systems may be damaged or rendered unavailable during the course of the penetration test. Therefore, penetration testing should only be performed by skilled professionals and with adequate planning.
A true and complete risk-based penetration testing process may include non-technical attack methods, and may be conducted with full, little, or no knowledge of the target. Finally, if both internal and external testing are to be performed, the external testing usually occurs first.
Penetration Testing Phases
The Baker Business Center has adopted NIST standard 800-15 and our penetration testing engagements incorporate four distinct phases:
- Planning Phase: In the planning phase, the rules of engagement are identified, testing goals are set, and management approval is finalized in contract. No actual testing occurs in this phase.
- Discovery Phase: The discovery phase covers information gathering and scanning to identify protocols, ports, services, technologies/versions in use on the targeted network, and vulnerability identification. This phase takes time, and manual processes are often used during this phase as automated scanners may miss new or obscure security issues such as misconfigurations, kernel flaws, buffer overflow or input validation issues, or incorrect permissions.
- Attack Phase: The attack phase is where the magic happens. This is where the penetration tester attempts to exploit identified vulnerabilities in order to gain a foothold in the organization. Depending on the rules of engagement, if the penetration tester is able to exploit a vulnerability, they may install additional tools on the exploited system or network to facilitate the testing process. These tools are used to gain access to additional systems or resources on the network, and to obtain information about the network or organization.
- Reporting Phase: When testing is concluded, a report is issued that provides the organization with a list of discovered weaknesses and risk ratings. This report also provides the organization with guidance on how to mitigate the documented risks.