Tech Tuesday – What is Penetration Testing and Why Is It Used
6 December 2016 |
Adrian Nelson | About a 7 minute read
Penetration testing is the process of scanning an IT network for possible vulnerabilities and then manually doing some ethical hacking to try and exploit and expose these vulnerabilities and to come up with recommendations and solutions to protect against malicious users exploiting these vulnerabilities. Someone conducting a penetration test is usually experienced in finding weaknesses in IT systems and exploiting them and will generally have the same tools at their disposal that a real hacker could use. Typically the Penetration tests will be arranged and carried out at an agreed upon time on an agreed upon system.
Penetration testing is useful for a company safeguarding its IT systems against attacks from malicious users. A user comprising an IT system could lead to significant financial or legal impact, loss of data, negative media attention and damage to a company’s reputation. Penetration testing is more useful than just using automated vulnerability scanning software as an experienced pen tester will use more ingenuity and guile that an automated system will be capable of doing like combining different lower risk vulnerabilities to create a high impact attack.
Famous Data Security Breaches
Here are some examples of famous security breaches that have happened which illustrate the damage that can be caused by not properly securing your IT infrastructure:
Sony PlayStation Network – A very famous attack happened to Sony’s PlayStation Network in 2011. This one actually affected me and I was very upset with the network being down and not being able to play online games at the time. It was said to be a very organised and sophisticated attack but it is still surprising that a company like Sony that prides itself on its technical expertise were able to succumb to such an attack. Millions of credit card details may have been stolen along with, names, passwords logins and other sensitive data and Sony said that the outage costs were $171 million.
Heartland Payment Systems – One of the biggest Security breaches ever happen to Heartland Payment Systems (a payment processing and technology provider) in 2009. 130 million card numbers were stolen and lost $12.6 million from the attack including legal fees. This was achieved in a large part through SQL injection which is a commonly checked for vulnerability while penetration testing.
Ashley Madison – Another famous security breach happened to Ashley Madison last year. Ashley Madison is an online dating service promoted to people who are married and in relationships looking to have affairs. So it is a service where discretion is at the utmost importance. The attackers managed to gain access to and then leak information of the customers of the Ashley Madison. This severely damaged Ashley Madison’s reputation and some of their customers were blackmailed and publicly shamed. Ashley Madison had a weak method of encrypting data that was exploited and had bad security practises of containing authentication tokens and credentials in the source code. Once again good penetration testing could have uncovered both these flaws and prevented this from occurring.
Different types of Penetration Test Methods
Black Box Penetration Testing – In this type of test, the testers will not be given previous information regarding the target system that they will be evaluating such as things like the credentials, architectural diagrams and information about servers. This situation is the most ‘life like’ scenario as a real attacker will likely also be uninformed about the system they will be attacking. However it can also mean that the penetration test might not be as thorough as it could have been due to parts of the system remain untested. It is also harder to maximise time and efficiency as time can be wasted testing aspects of the system that are already very secure.
White Box Penetration Testing – In this type of test, the testers will have access to full information about the target system or as much information as they need. This can include credentials, knowledge of the servers and devices on the network, access to source code and information on system architecture among other things. This will means that every aspect of the system can be tested thoroughly and a more thorough evaluation can be done. Time can be used more efficiently as the testing team can easily figure out what looks to secure and what looks weak and spend more time evaluating the weaker aspects of the system. This approach is quite unrealistic in the real world because most attacks will come from people would won’t have anywhere near this kind of information.
Grey Box Penetration Testing – This type of test lies in-between between black box and white box testing. So the testers will be privy to some information about the target system but not all of it. So this could include any information mentioned in the white box testing, there is no strict definition of what needs to be provided so this will vary from case to case. An advantage of this approach is that it can better mimic a disgruntled employee or some other form of internal attack and in that respect is often closer to a real life scenario than white box testing. Black box penetration testing can spend a lot of time just trying to bypass a secure login page, if a tester has these credentials, they can get a lot further with their investigation and as a result do a better evaluation. Although it is not as comprehensive as white box testing it can more cost effective test, as it will cover more of the aspects that might be available to an attacker and ignore the parts that aren’t. Each approach has its strengths and weakness and different business will chose the ones or combination of tests that best suits their needs.
Penetration Tests Steps
There are many different ways to define the steps in penetration testing. Here are some of the more common ones:
This step is about learning various things about the target system such as: how the target business operates information about the network it uses what machines are connected to the network user accounts and network resources
Planning & Analysis:
This step is about structuring and planning the tests to best utilise the resources you have available and the time frame you have available
Vulnerability Detection: generally done using some kind of vulnerability scanning software to detect for vulnerabilities in a system based on a database of possible flaws.
This step involves attempting to exploit any vulnerability found using ethical hacking techniques similar to what a malicious attacker would do.
Report & Analysis:
Finally, this step is about creating a report showing what vulnerabilities have been found and given them some kind of rating of what the potential impact on the company could be along with suggestions about what to do about any vulnerabilities discovered.
Further Penetration Testing Techniques
Penetration testing doesn’t have to purely be I.T based ethical hacking. It can also involve things like social engineering and dumpster diving. Tricking people into disclosing confidential information is often a key factor in security breaches. Hackers will often masquerade as credible users to obtain useful information from employees, which allows them access into a system. It is useful for a pen tester to emulate this behaviour and see how the organisation reacts and to report on these findings so the organization knows whether or not it needs to better educate their staff and put better policies in place to prevent this from being successful. Searching through a company’s rubbish can also yield important information such as user credentials. So similarly it can be useful to for a pen tester to try and see if they can finding any useful documents that haven’t been disposed of properly and report back on their findings. IT breaches can have a huge impact as mentioned earlier so it is best the to be thorough when testing and check as many avenues for potential breaches as possible.
Senior Full Stack Developer (London)
Champion software quality and technical vision for AND and our clients, work on large-scale projects and help junior and mid developers grow in their roles.I'm Interested
Full Stack Developer (London)
Put your development expertise to work, building remarkable, digital products in Agile environments using a variety of languages and frameworks.I'm Interested
Tech Lead (Reading)
Bring your expert tech knowledge to the table to influence the direction of projects, whilst coaching and your team through engineering best practices.I'm Interested