What is penetration testing?

Author: Phil Muncaster

An analysis of the U.S. National Vulnerability Database, a repository of Common Vulnerabilities and Exposures (CVEs), revealed that more than 18,000 security vulnerabilities were disclosed in 2021, the most ever recorded. That illustrates the monumental task organizations face in securing their IT systems. Penetration testing can help your organization better manage and minimize its cyber risk.

But what is penetration testing and what does it involve?

Penetration testing, also referred to as pen testing, helps you adopt a proactive security posture. By engaging an in-house or external team to think and act like cyber criminals and evaluate your security environment, you can identify where your defenses need to be improved.

Penetration testing is not just about discovering software vulnerabilities. It also probes for:

  • Weak passwords
  • Misconfigured systems
  • Inappropriate access and privileges
  • Improper trust relationships
  • Lack of segmentation
  • Poorly trained users susceptible to phishing attacks

What’s the difference between penetration testing and vulnerability scans?

Penetration tests are sometimes confused with vulnerability scans, but there is a big difference. While both look for security weaknesses in your IT environment, a vulnerability scan is a high-level automated test that detects and reports potential vulnerabilities, typically by matching version numbers and configuration signatures. It is then up to your IT team to investigate further to determine whether each reported vulnerability is a real, exploitable weakness or a false positive.

Penetration testing is much more involved and goes deeper by simulating a cyber attack. Analysts actively search for security vulnerabilities and try to exploit them. Automated scanning may be performed during one phase of testing, but much of the work is manual. Verizon focuses on exploitation and post-exploitation activities, which include many tactics, techniques and procedures (TTPs) that can only be performed manually. These TTPs simulate the many ways an attacker would attempt to gain a foothold in your environment and then move laterally and escalate privileges in an attempt to gain full access to your network.

Why is penetration testing important?

As Verizon’s annual Data Breach Investigations Report reveals, cyber crime continues to rise each year and criminals are becoming more sophisticated in their attacks, which is why IT security teams must be hypervigilant against an agile, unpredictable foe.

Penetration tests can help determine the real-world impact of a cyber attack and expose security and compliance gaps, including how well your own IT team can detect and respond to an intrusion.

Without this insight, your IT security team is flying blind, trying to second-guess where vulnerabilities are and how attackers might leverage them.

In practical terms, a preventable incident could cause major financial and reputational damage, including:

  • Staff downtime
  • Operational outages (e.g., ransomware)
  • Customer churn
  • Brand damage
  • Falling share prices
  • Legal costs
  • Incident remediation, cleanup and forensic costs

Penetration testing methods

Penetration testing falls into three main categories, or levels of testing: white box, gray box and black box.

With white box testing, an organization shares a great deal of information about its network and systems with the tester, which can include providing credentials, some level of initial access and network diagrams.

The next level, gray box testing (the most commonly performed type), involves sharing some information with the tester, though not an extensive amount: primarily the systems in scope and network-level access. Additionally, if there are any active network prevention systems (not just detection systems) or network access controls, the testers' systems are allow-listed so that time-consuming and costly evasion techniques do not have to be performed.

Finally, in black box testing, the tester receives no information about your network and no allow-listing on in-line prevention systems. Black box penetration testing is designed to more closely simulate a real-world attack, where a threat actor is unlikely to have detailed information about your network or systems. This approach is typically also the most expensive, as it involves more time-consuming reconnaissance, vulnerability identification without noisy automated tools, evasion techniques, and slower, more targeted activities.

Additionally, there is a fourth type of assessment, Red Team Operations. This type of assessment is objective-based rather than system-based. In other words, it involves covertly attempting to achieve a specific objective, as a sophisticated real-world attacker would, instead of trying to find all potential vulnerabilities in a subset of systems and attempting various attack paths as you would in a penetration test. Typically, an organization would only have a Red Team Operation performed after it has had several penetration tests performed and has completed all the recommended remediation activities from those tests, especially the recommendations arising from post-exploitation activities.

Within each category, there are seven types of penetration tests an organization can perform:

  • Network service testing assesses the ability of a bad actor to gain access to your system by exploiting vulnerabilities.
  • Internal testing looks at what could happen once a threat actor has penetrated your network.
  • External testing identifies internet-facing systems and services and any exposed vulnerabilities that could be exploited by an attacker anywhere in the world.
  • Wireless network testing explores the potential vulnerabilities associated with the various devices connected to your organization’s Wi-Fi.
  • Social engineering and physical penetration testing is aimed at testing your employees to see whether they are adhering to your security policies and procedures.
  • Application testing targets your web, thick client, web services, microservices and other types of applications to identify security weaknesses.
  • Mobile application testing tests the security of your iOS or Android applications and how they interact with the mobile device and any external web services.

Now that you know about types of tests you can do, what are the penetration testing steps involved in executing an attack to help identify security vulnerabilities in your environment?

Penetration testing steps

The National Institute of Standards and Technology has identified four phases, or penetration testing steps, in its Technical Guide to Information Security Testing and Assessment (SP 800-115):

  • Planning, which lays the groundwork for performing a penetration test, including setting goals and getting management’s sign-off. Additionally, rules of engagement need to be established with all stakeholders, along with a project plan and an associated schedule of activities.
  • Discovery, which includes two stages: information gathering, reconnaissance and scanning, followed by vulnerability analysis.
  • Attack, which involves executing the simulated cyber attack. This includes exploitation and post-exploitation activities. Exploitation is not just the traditional running of an exploit against a missing security patch; more often it means exploiting network and domain misconfigurations to gain an initial foothold, something automated tools cannot do. Post-exploitation activities then illustrate the paths an attacker would take to compromise the network, including lateral movement and privilege escalation attacks.
  • Reporting, which details the findings: the security vulnerabilities identified, the likelihood of each being exploited, the impact and severity of each finding, and recommendations for mitigating the weaknesses.
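The following script is an added example, written for this page rather than taken from Verizon's tooling, that walks through the Discovery and Attack phases above and makes concrete the scan-versus-pen-test distinction drawn earlier. It spins up three constructed local services (two "admin console" listeners, one with a default password and one with a strong one, plus a plain mail-style banner) so it runs offline. `discover()` is the reconnaissance and scanning stage (TCP connect plus banner grab), `analyze()` is the vulnerability-analysis stage that flags a *potential* weakness the way a scanner would, and `verify()` is the attack stage that attempts default credentials and turns the potential finding into either a confirmed weakness or a false positive. The banner hints, the credential wordlist, the fake service protocol and the service names are all assumptions made for the example.

```python
import socket
import threading
from typing import Dict, List, Optional, Tuple

# Constructed inputs for this example (assumptions, not real targets):
# a tiny default-credential wordlist and banner fragments that hint at a
# remote-administration login.
DEFAULT_CREDS: List[Tuple[str, str]] = [("admin", "admin"), ("admin", "password")]
ADMIN_HINTS = ("admin console", "management", "telnet")


def start_fake_service(banner: bytes, password: Optional[bytes]) -> int:
    """Start a throwaway listener on 127.0.0.1 and return its port.

    It sends `banner`, then (if `password` is set) reads one "user:password"
    line and answers OK or DENIED. It stands in for a real target so the
    example runs offline.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            try:
                with conn:
                    conn.sendall(banner + b"\r\n")
                    if password is None:
                        continue
                    line = conn.recv(256)
                    if not line:  # client hung up after the banner grab
                        continue
                    _, _, pw = line.strip().partition(b":")
                    conn.sendall(b"OK\r\n" if pw == password else b"DENIED\r\n")
            except OSError:
                pass  # client went away mid-exchange; keep serving

    threading.Thread(target=serve, daemon=True).start()
    return port


def discover(host: str, ports, timeout: float = 1.0) -> Dict[int, Optional[str]]:
    """Discovery: TCP connect scan plus banner grab.
    Returns {port: banner} for open ports and {port: None} for closed/filtered ones."""
    results: Dict[int, Optional[str]] = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                try:
                    banner = s.recv(256).decode(errors="replace").strip()
                except socket.timeout:
                    banner = ""  # open, but the service said nothing
            results[port] = banner
        except OSError:
            results[port] = None
    return results


def analyze(scan: Dict[int, Optional[str]]) -> List[int]:
    """Vulnerability analysis: flag open ports whose banner looks like a
    remote-admin login. This is a scanner-style *potential* finding only."""
    return [p for p, b in scan.items() if b and any(h in b.lower() for h in ADMIN_HINTS)]


def verify(host: str, port: int, creds=DEFAULT_CREDS, timeout: float = 1.0) -> Optional[Tuple[str, str]]:
    """Attack: try default credentials against a flagged service.
    Returns the working (user, password) pair, or None if the finding was a false positive."""
    for user, pw in creds:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.recv(256)  # discard the banner
                s.sendall(f"{user}:{pw}\r\n".encode())
                if s.recv(64).startswith(b"OK"):
                    return (user, pw)
        except OSError:
            continue
    return None


def run_demo() -> dict:
    """Discovery -> analysis -> verification against three constructed services."""
    host = "127.0.0.1"
    weak = start_fake_service(b"Acme Admin Console v1.0 (management login)", b"admin")
    strong = start_fake_service(b"Acme Admin Console v1.0 (management login)", b"correct horse battery")
    mail = start_fake_service(b"220 mail.example.test ESMTP ready", None)
    probe = socket.socket()  # reserve and release a port so the scan also sees a closed one
    probe.bind(("127.0.0.1", 0))
    closed = probe.getsockname()[1]
    probe.close()

    scan = discover(host, [weak, strong, mail, closed])
    flagged = analyze(scan)
    confirmed = {p: verify(host, p) for p in flagged}
    return {"ports": {"weak": weak, "strong": strong, "mail": mail, "closed": closed},
            "scan": scan, "flagged": flagged, "confirmed": confirmed}


if __name__ == "__main__":
    r = run_demo()
    for port, banner in r["scan"].items():
        print(f"{port}: {'closed' if banner is None else banner!r}")
    print("flagged by scan:", r["flagged"])
    print("confirmed by exploitation:", r["confirmed"])
```

Both admin-console listeners are flagged by `analyze()` because a scanner can only see the banner; only `verify()` separates the one with a default password (a real finding for the report) from the one with a strong password (a false positive that would otherwise consume your team's time). In a real engagement the verification step is where the rules of engagement matter most: credential guessing against production systems needs explicit authorization, lockout thresholds agreed in advance, and a wordlist scoped to what was approved.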

Armed with the knowledge about what's involved in each of the penetration testing steps, should you conduct penetration testing yourself or hire an outside expert?

Outsourced or in-house?

Though your in-house cyber security team should scrutinize the scoping and final review of any penetration test, you might not want to build the capability for testing internally.

When trying to decide whether to outsource penetration testing, here are some key considerations to help guide you.

  • Budget. Comprehensive penetration testing requires a sizable team with a broad skill set. Maintaining this team isn't cheap, especially as they will need to keep their accreditations and certifications up to date.
  • In-house resourcing. Critical skills shortages might make it challenging to source the right people for your penetration testing team, especially if they don't already work for you. Recruitment is only half of the battle; you will also need to spend time, money and effort to keep them.
  • Regulations and risk. Industry regulations might require your penetration testers to hold specific accreditations and certifications. You might also want to seek risk-based assurances before engaging third-party providers, given the data and systems they will have access to.
  • Impartiality. The National Institute of Standards and Technology's guidance calls for penetration testing teams to be free from conflicts of interest regarding the systems they test. Such conflicts can arise when testers are part of the IT department that built the systems being tested.
  • Keeping skill sets and methodologies current. Attackers are always looking for new techniques, and keeping up with these new TTPs requires constant research, development and training.
  • Testing infrastructure and toolsets. In addition to licensing software and hardware to support testing, testers need to build out new tools and capabilities to ensure efficiency and scalability, as well as consistent, repeatable delivery.
  • Post-testing change management. In-house teams might be better at enhancing system security, as they have firsthand experience running penetration tests and greater “company context.”

Now that you have an answer to the question, “what is penetration testing” and understand the penetration testing steps required to help secure your environment, discover how a managed services provider can work with you to help strengthen cyber attack detection and recovery.

The author of this content is a paid contributor for Verizon.