Penetration testing, or pen testing as it is popularly called, is a critical component of any Threat Management Solution. It is now increasingly accepted as an effective method of detecting vulnerabilities in your network, applications and infrastructure. In a pen test, the tester uses the same techniques an attacker would to deliberately attack your system, in order to proactively identify security vulnerabilities. Pen tests expose the flaws in your software code and hardware configurations, with the end objective being to test whether an attacker could gain access to sensitive information and compromise your data and operations. The uncovered vulnerabilities are then assessed for their potential impact on the organization, and can be fixed accordingly.
Pen tests are implemented across different areas:
- Social engineering pen testing: testing whether employees adhere to security standards and policies (most security weaknesses arise from human error).
- Application security testing: testing an organization’s website, and internally or externally hosted applications, for coding vulnerabilities or design flaws.
- Network penetration testing: testing the obvious entry points that allow an attacker into the network, such as the infrastructure perimeter, firewalls, routers, switches, and so on.
- Mobile security testing: testing the mobile environment in an organization to address the risks associated with vulnerabilities across different platforms (Android, iOS, Windows 8, BlackBerry).
If you are thinking of implementing a pen test, here are some best practices to keep in mind:
- Define the scope of the pen test: the boundaries, the objectives, and most importantly, the success criteria (what will constitute a vulnerability?).
- Choose the appropriate set of tests: a good mix of manual and automated testing will yield the most useful results.
- Define your criteria for selecting the penetration tool: ideally, the tool should be easy to deploy and configure. It should categorize your vulnerabilities based on severity, and automate verification of vulnerabilities.
- Define the result criteria: a pen test is only as good as the result that it generates. Look for results that help you take decisions on the security of your system.
- Ensure that the tester gathers exhaustive information: information about the infrastructure and the applications they are testing, so that they have a comprehensive understanding of the underlying technology.
- Check that your tester has a structure in place: the most effective pen tests are based on a series of methodical and repeatable attacks that test all possible vulnerabilities of the application.
- Encourage your tester to exploit all discovered vulnerabilities: this will help them get a good understanding of the vulnerability of the entire network, not just individual weaknesses.
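The first four practices above (a defined scope, a mix of automated and manual tests, severity-based categorization, and verification of what the tools report) can be turned into a small check the testing team runs over its findings. The script below is an added example and is not code from the original post or from any tool it mentions; it assumes the scope is written as CIDR ranges plus hostnames, that each finding carries a CVSS v3 base score, and that a finding reported by a scanner but not confirmed by hand is flagged as unverified. All addresses and findings are constructed sample data.

```python
"""Scope check and severity triage for pen-test findings (added example).

Assumptions, not taken from the original post: scope = CIDR networks plus
hostnames; findings carry a CVSS v3 base score; 'verified' means a tester
confirmed the issue manually rather than relying on a scanner hit alone.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Finding:
    target: str      # IP address or hostname the finding was observed on
    title: str
    cvss: float      # CVSS v3 base score, 0.0 to 10.0
    verified: bool   # True once a manual check confirmed the scanner result


# Scope as a rules-of-engagement document would state it (constructed sample;
# 203.0.113.0/24 and 2001:db8::/48 are documentation-only ranges).
SCOPE = {
    "networks": ["203.0.113.0/24", "2001:db8::/48"],
    "hosts": ["shop.example.test", "api.example.test"],
}

# Constructed sample findings: one out of scope, one not yet verified.
SAMPLE_FINDINGS = [
    Finding("203.0.113.7", "Outdated TLS configuration", 5.3, True),
    Finding("shop.example.test", "SQL injection in search parameter", 9.8, True),
    Finding("198.51.100.7", "SNMP with default community string", 7.5, True),
    Finding("203.0.113.22", "Scanner-reported remote code execution", 9.1, False),
]


def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to the standard qualitative rating bands."""
    if cvss == 0.0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


def in_scope(target: str, scope=SCOPE) -> bool:
    """True if target is an in-scope hostname or an address in an in-scope network."""
    if target.lower() in (h.lower() for h in scope["hosts"]):
        return True
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False  # a hostname that is not on the scope list
    # ip_network membership returns False for a mismatched IP version, so
    # mixing IPv4 and IPv6 ranges in the scope is safe.
    return any(addr in ipaddress.ip_network(net) for net in scope["networks"])


def triage(findings, scope=SCOPE):
    """Split findings into in-scope (worst first), out-of-scope and unverified lists."""
    report = {"in_scope": [], "out_of_scope": [], "needs_verification": []}
    for f in findings:
        if not in_scope(f.target, scope):
            report["out_of_scope"].append(f)   # must not appear in the client report
            continue
        if not f.verified:
            report["needs_verification"].append(f)  # manual confirmation still owed
        report["in_scope"].append(f)
    report["in_scope"].sort(key=lambda f: f.cvss, reverse=True)
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_FINDINGS)
    for f in result["in_scope"]:
        flag = "" if f.verified else " (UNVERIFIED)"
        print(f"{severity(f.cvss):8} {f.cvss:4.1f} {f.target:20} {f.title}{flag}")
    for f in result["out_of_scope"]:
        print(f"OUT OF SCOPE  {f.target:20} {f.title}")
```

The out-of-scope finding is kept separate rather than dropped: it still needs to be raised with the client, but as a scope question, not as a result of the engagement. Sorting by score gives the reader of the report the decision-oriented ordering the "result criteria" practice asks for.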
Top Tip: Need help planning a pen test? You can use the checklist of vulnerabilities in the Open Source Security Testing Methodology Manual (OSSTMM) by Pete Herzog, a manual that sets the standard for Internet security testing. Or look for more information from the Open Web Application Security Project (OWASP), an open-source community project that develops knowledge-based documentation on Web application security.
Expert testers are aware that a pen test is not simply a finite list of tests to run, for there is no such thing as a foolproof pen test checklist. While it is important to base your pen test on a comprehensive checklist, remember that a tester who relies exclusively on checklists is probably not an expert. A checklist should define the minimum level of testing required, not set the limits for testing. Only a comprehensive understanding and analysis of the whole system (infrastructure, network, applications, and resources) will lead to an accurate assessment of vulnerabilities and their impact.
It is a bit like studying for an assessment—you can browse sample test papers and previous years’ question papers to figure out the answers, but if you don’t have an understanding of the basic study material, then you miss the point of your whole education.
Manoj Rai has around 14 years of IT experience in Enterprise Applications, Mobile and Infrastructure security. He has rich and diverse global experience in leading large engagements and building deep technology expertise in the security testing domain.
Manoj holds a Bachelor of Engineering in Computer Science, an MBA in Systems, and an Executive Delivery Program certificate from IIM-Bangalore. He is a regular speaker on technical subjects such as Ethical Hacking, Mobile Security, Secure SDLC and Cloud Security at CISO platforms, OWASP, BLUG, NULL and others. He is a regular blogger and has published white papers on threat management and best practices in various social groups.