The simplest definition of a penetration test is: an exercise that aims to determine the efficacy of an IT system’s security measures by simulating a breach by an adversary.
Penetration tests come in various forms, each designed to replicate an attack technique employed by cybercriminals. Tests can be used to stress-test individual systems or combined to form a larger programme of testing that sheds light on latent vulnerabilities across an organisation’s entire digital estate.
So who is penetration testing for, you may be asking. The National Cyber Security Centre recommends that organisations use penetration testing to affirm the robustness of an existing security framework, rather than as an explorative exercise that draws attention to glaring vulnerabilities, and we’d agree. Incorporated into an existing vulnerability management and assessment process, penetration testing is a great way to fine-tune existing security measures and demonstrate a commitment to continuous cyber security posture improvement.
How does Penetration Testing work?
Penetration tests vary widely depending on the system that is under examination, the nature of the attack simulation specified, the degree of system knowledge given to the tester beforehand and whether or not system administrators are given advanced warning.
The degree of system knowledge gifted to testers determines what’s known as the ‘test basis,’ which falls into three main categories:
Black Box Testing
In a black box test, the tester is privy to no sensitive information about the system that’s to be subjected to the attack. They have no knowledge of the code in use and are not permitted to use access credentials to gain a foothold in the system. This simulates an attack from the perspective of an opportunistic criminal with little to no premeditated plan of action.
Grey Box Testing
Grey box tests grant testers access to the basic level of information that real-world attackers typically gather before initiating an attack. This information might include lower-level end user account credentials, a network map or the email filtering techniques/firewall configurations in place. Because grey box tests skip straight to a more advanced stage of attack, they offer more granular insights into existing vulnerabilities than black box tests.
White Box Testing
Unlike the other forms of testing we’ve mentioned, where the tester is on the outside of a system looking in, white box testing gifts so much access and system information to the tester that the process becomes more of an internal security audit than a simulated cyber attack. With access to the likes of admin credentials, network diagrams and source code, testers are able to identify weaknesses such as defective code, system misconfigurations, sub-par security practices, logic vulnerabilities and much more.
Types of Penetration Test
Various types of penetration test exist, each focussed on a specific domain or aspect of overall network security posture. These can be operated on a black box, grey box or white box basis, with some of the most common test types listed below.
Network Security Tests
Because corporate networks often house critical business functions, network security tests are one of the most commonly performed penetration tests. Consideration is given to all network infrastructure components, including servers, routers, switches, desktops, firewalls, peripheral devices and more, to expose vulnerabilities and highlight weak security configurations.
Scrutiny of password-protected elements can also fall under the scope of network security tests, with auditing exercises that help determine the quality of passwords in use and the efficacy of authentication protocols.
Web Application Tests
The recent growth in remote working has seen many organisations adopt web applications to enable employee mobility and boost workplace productivity. Sadly, this growth has seen a corresponding rise in threats emanating from web-hosted applications.
A web application test is a complex process that examines web applications, browsers and their various components. Various techniques are used with the ultimate aim of penetrating applications to uncover vulnerabilities in them and underlying components such as databases and source code.
Social Engineering Tests
With most successful cyber breaches traceable to end-user actions, poor cyber threat awareness among staff can represent a huge security vulnerability.
Using manipulative, coercive language typical of phishing scammers, social engineering tests are designed to paint a picture of employee threat awareness and highlight any need for further cyber security training.
Wireless Security Tests
With wireless signals often extending well beyond the confines of business premises, poorly secured wireless networks can provide an easy entry portal for criminals.
Wireless security tests see testers attempt to breach wireless networks via any available pathway or network-connected wireless device, including the likes of printers, scanners, keyboards, mice and Bluetooth devices. A vital component of any security audit, wireless security tests help expose security vulnerabilities and misconfigurations, as well as more pressing dangers such as rogue access points, ‘evil twin’ networks and ‘pineapples.’
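As an added illustration of the defensive side of this, here is a small detection routine (example code written for this article, not Defence Logic’s tooling) that compares a wireless site survey against an inventory of approved access points and flags the two dangers named above: an ‘evil twin’ (one of our SSIDs advertised from a BSSID we don’t own) and a rogue access point (an unknown SSID heard strongly enough to be on the premises). The inventory, the survey records and the -60 dBm threshold are constructed assumptions.

```python
# Added example (not from the original article): flag the wireless dangers the
# article names, rogue access points and 'evil twin' networks, by comparing a
# wireless survey against an inventory of approved access points.
# The inventory, survey records and signal threshold are constructed sample data.
from dataclasses import dataclass


@dataclass
class Beacon:
    ssid: str
    bssid: str
    channel: int
    signal_dbm: int


# Assumed inventory: the BSSIDs the organisation actually operates, per SSID.
APPROVED = {
    "CorpWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
    "CorpGuest": {"aa:bb:cc:00:00:03"},
}


def classify_beacons(beacons, approved, strong_dbm=-60):
    """Return (evil_twins, rogue_aps) found in a wireless survey.

    evil twin: a beacon advertising one of our SSIDs from a BSSID we do not own
    rogue AP: an unknown SSID heard strongly enough that it is probably on-site
    """
    evil_twins, rogue_aps = [], []
    for b in beacons:
        bssid = b.bssid.lower()  # MAC case varies between scanners
        if b.ssid in approved:
            if bssid not in approved[b.ssid]:
                evil_twins.append(b)
        elif b.signal_dbm >= strong_dbm:
            rogue_aps.append(b)
    return evil_twins, rogue_aps


# Constructed survey results, as exported from a site walk with a scanner.
SURVEY = [
    Beacon("CorpWiFi", "AA:BB:CC:00:00:01", 6, -45),     # legitimate
    Beacon("CorpWiFi", "de:ad:be:ef:00:01", 6, -40),     # evil twin
    Beacon("CorpGuest", "aa:bb:cc:00:00:03", 11, -70),   # legitimate
    Beacon("Free_WiFi", "de:ad:be:ef:00:02", 1, -50),    # rogue, strong signal
    Beacon("NeighbourNet", "11:22:33:44:55:66", 1, -85), # neighbour, weak signal
]

if __name__ == "__main__":
    twins, rogues = classify_beacons(SURVEY, APPROVED)
    for b in twins:
        print(f"EVIL TWIN  ssid={b.ssid} bssid={b.bssid} ch={b.channel} {b.signal_dbm} dBm")
    for b in rogues:
        print(f"ROGUE AP   ssid={b.ssid} bssid={b.bssid} ch={b.channel} {b.signal_dbm} dBm")
```

A weak beacon with an unknown SSID is deliberately ignored, since neighbouring networks are expected; a strong one is worth a physical check during the wireless test.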
Physical Penetration Tests
Physical penetration testing examines the adequacy of an organisation’s physical access controls, such as security gates, CCTV cameras, alarm systems and access control protocols. Physical security and cyber security are intrinsically linked, as an unchallenged intruder could use physical access as a way of gaining easy access to sensitive information, employees and critical infrastructure.
In addition to test exercises that focus on a specific domain of network security, penetration testing can also be used to determine the impact of a particular scenario on overall security posture. Typical scenarios might include a lost or stolen device or an unauthorised device connecting to an organisation’s internal network. Scenario-based tests can be designed to both identify vulnerabilities in security architecture and assess an organisation’s threat detection and response proficiency.
With cyber-attacks on the rise both nationwide and globally, it’s never been more important for organisations of all sizes to verify the effectiveness of their IT security infrastructure. Penetration testing does exactly that, with post-test reporting that draws attention to even the most subtle security deficiencies.
In our next article we’ll explain the ways in which periodic penetration testing could be of great benefit to your organisation.
How do you know your business is secure?
Defence Logic offers several security testing services simulating various types of attacks. These can be combined or undertaken separately as part of a security testing consultation process. Cybercriminals hack devices, steal personal information, send spam, run phishing scams and target bank accounts. It’s a global problem. How do you know your business is secure? Get in touch to find out.