Penetration Testing

Cyber-attacks can be carried out against almost all components of the IT landscape – including network, operating systems and databases, servers, applications, APIs, cloud setup etc. Risks and threats are prevalent in all components of an information system. Penetration testing types have, hence, been devised to suitably test these different components.

Pen testing cannot be one-size-fits-all; it must be customised according to a business’ IT environment, its testing strategy and risk assessment, lifecycle of its systems, and considering any applicable laws and regulations.

Read about the different types of penetration testing here>>

Vulnerability assessment or scan involves scanning of a system or component using an automated testing tool. The purpose is to identify if known vulnerabilities exist in the system that could possibly be exploited by a hacker. The tool reports the weaknesses found and grades them in terms of severity, however, this is usually indicative and requires in depth analysis of the vulnerabilities by an expert penetration tester. Scanning tools are also likely to report a few false positives, or on the other hand, not capture all vulnerabilities that exist.

Penetration testing involves going a step further and testing whether the identified vulnerabilities can be exploited to gain unauthorised access or cause harm to a system, and to what degree. This requires manual analysis and exploitation methods. With penetration testing additional vulnerabilities than those reported by a scanning tool may be uncovered.

At a minimum, penetration testing should be carried out whenever a new system or application is rolled out, or when an upgrade or modification is implemented on any component of your IT environment. The latter is a requirement if your organisation needs to be compliant with PCI DSS standard.

Ideally, periodical penetration testing should be made a part of your organisation’s IT security strategy. It is highly recommended that pen testing of critical systems be carried out every 6 months which goes a long way to ensure that these are secured against constantly evolving threats, and that the systems do not develop any new inherent vulnerabilities.

Depending on the amount of information about the target system shared with a pen tester, there are three different styles of penetration testing.

White box penetration testing:

In white box penetration testing, all information relevant to the target system is shared with the tester. This includes details like application credentials, user roles, network diagram, systems architecture, server information and more. The style of testing simulates an “inside job”, that is, to determine the extent of exploitation and damage possible if an attacker had access to sensitive systems information. White box pen testing is usually targeted towards a specific component where maximum number of attack vectors could be simulated.

Black box penetration testing:

In black box penetration testing, the tester has no knowledge about the target system prior to beginning the test. The tester approaches the system as an “outsider” or “real hacker” with no details about what the application entails, network and architecture, other connected systems like databases etc. This style of testing helps to determine the degree of penetration and exploitation for an unprivileged attacker.

Grey box penetration testing:

In grey box penetration testing, limited information about the target system is provided to the tester. In most cases, this would include user credentials. The purpose of this style of testing is to determine the level of access available to a privileged user and the degree of damage that could be caused by someone has got their hands on some limited information.

A penetration testing partner is bound to provide a report about the vulnerabilities identified and exploited in the pen testing activity. The report generally contains executive summary, high level overview of the assessment activity, threats uncovered and risk rating – for management consumption. Strategic recommendations are included to assist business leaders in making informed decisions. Further, the report contains a list of technical findings complete with details for reproducing the issues, recommended remediation actions and useful reference articles.