If you have been tossing in sleep worrying over data threats and breaches, the thought of penetration testing has definitely crossed your mind or bumped your way by now. But do you really know the what’s and how’s of penetration testing, or is it just the buzzword that’s caught a fair bit of your attention. Are you aware on how exactly a Penetration Test fits into your Information Security program?
Penetration testing provides an in-depth threat and vulnerability analysis of your system. As an elaborate exercise, there are certain assessments and understanding that need to be clarified before getting on to it. Pen-tests, or as they are more commonly called, come in three variations:
- External Pen Test – This covers publicly exposed systems and tests from the perspective of an external hacker. Yes, more than you know, it is possible for hackers to access internal systems and data from the Internet, breaching firewalls.
- Internal Pen Test –This focuses on internally connected systems. It can be a case on an internal attacker or an internal system remotely being used by an external attacker. The danger addressed here is the exposure of internal assets without the perimeter defenses.
- Hybrid Pen Test – Data attacks these days have become more sophisticated and complex. A hybrid pen test looks at not only internal or external, but a mix of attacks from local and remote vector.
It is important to note that Pen-Testing is very different from Vulnerability Scanning or an Internal Security Assessment. Vulnerability scanning simply looks at identifying vulnerabilities using automated tools and Internal Security Assessment is an intensive audit of the existing security paraphernalia. Pen-Testing on the other hand is a real time simulation of a realistic scenario with real experts. Instead of just looking for potential vulnerabilities, Pen-Test gets closer to reality with ethical hacking.
What does a Penetration Test address – the acid test of the effectiveness of your security system. It helps you uncover:
- How well protected is your network and information infrastructure
- How trustworthy are your current security solutions and intrusion prevention systems
- The most probable risks in your business
- Suggestions to improve the security and protection systems, and minimize risks
How to do penetration testing – A Pen Test exercise can be carried out based on three different methodologies:
Black Box Testing: This approach typicallycorrelates to external penetration testing, where hackers access the network infrastructure without a view into internal technologies. As the name suggests, this testing shoots into a dark room from an outsider’s perspective. This is advisable for evaluating IT department response and countermeasures against a breach attack.
White Box Testing: This relates with internal penetration testing where auditors are given full visibility into internal technologies and internal infrastructure. This is a thorough level of testing that requires full cooperation of the internal security teams with the audit team.
Gray Box Testing: Evolved as a mix and balance of Black Box and White Box testing where auditors have limited knowledge of internal infrastructure. This approach supplements a Black Box test to reveal vulnerabilities and identify weaknesses. It lets the auditor get a dual perspective of an external attack as well as any internal illegitimate threat.
Each of these three approaches have pros and cons. While the White Box approach is more comprehensive, it is sort of removed from real-world attacks. On the other hand, the Black Box approach is less complex and less comprehensive. As a mix of the two, the Gray Box approach seems to work better logically, but every company needs to choose the most appropriate approach based on specific business needs and compulsions.
Now the final question that remains is, when is the right time to do a Pen Test? This is a relative aspect and it varies from business to business, team to team, application to application. There are various aspects to keep in mind when deciding on the right time for pen testing. More on that coming up soon….
Manoj Rai has around 14 years of IT experience in Enterprise Applications, Mobile and Infrastructure security. Has rich and diverse global experience in leading large engagements and building deep technology expertise in security testing domain.
Manoj is a Bachelor of Engineering in Computer Science with MBA in Systems and Executive Delivery Program from IIM-Bangalore. A regular speaker on various technical subjects like Ethical Hacking, Mobile security, Secure SDLC and Cloud Security areas in CISO platforms, OWASP, BLUG, NULL etc. Has been a regular blogger and has published white papers on threat management and best practices in various social groups.
