What is penetration testing?
A penetration test is an authorized simulated attack performed on a computer system to evaluate its security. Penetration testers use the tools, techniques, and procedures (TTPs) as attackers to find and demonstrate the business impacts of weaknesses in your systems.
Penetration tests simulates a variety of different attacks that could target your organization. A pentest might examine whether a system is secure enough to prevent attacks from authenticated and unauthenticated positions, as well as a range of system roles. With the right scope, a penetration testing can dive into any aspect of a system that you need to assess.
Benefits of penetration testing
Organization has designed their IT infrastructure and critical assets from the start with the aim of stopping and eliminating dangerous security risks. A penetration test will reveal how well you have achieved that aim. Penetration testing supports the following security controls, among others:
- Finding weaknesses / vulnerabilities in infrastructure
- Determining the strength of controls
- Supporting compliance with regulations (e.g., PDPA, PCI DSS, HIPAA, GDPR)
- Providing qualitative and quantitative examples of current security posture and budget priorities for management
Types of Penetration Testing
Depending on the goals of the test, the organization might provide the testers varying degrees of information about, or access to, the target system. In some cases, the penetration testing team sets one approach at the start and sticks with it. Other times, the testing team evolves their strategy as their awareness of the system increases during the pen test. In the industry, we talk about three types of pen tests:
- Black box. The assessment team doesn’t have any information about the the target system. They act as hackers would, probing for any externally exploitable weaknesses.
- Gray box. The team has some knowledge of one or more sets of credentials. They also know about the target’s internal data structures, code, and algorithms. Pen testers might construct test cases based on detailed design documents, such as network diagrams of the target systems.
- White box. For white box testing, team has access to systems and system artifacts: source code, binaries, containers, and sometimes even the servers running the system. White box approaches provide the highest level of assurance in the least amount of time.
Phases of Penetration Testing
Pen testers aim to simulate attacks carried out by motivated adversaries. To do so, they typically follow a plan that includes the following steps:
- Reconnaissance. In this phase we gather as much information about our target as possible from public and private sources to define the attack strategy. Sources include web searches, domain information, social engineering, passive network scanning, etc. These information that we collect helps us to map out the our target’s attack surface and possible exploitable vulnerabilities that they have.
- Scanning. Here we use tools and applications to scan the target system for weaknesses, including open ports, application security issues, and open source vulnerabilities. Our team uses a variety of tools based on what they find during reconnaissance and during the test.
- Gaining access. Attacker motivations vary from stealing, changing, or deleting data to moving funds to simply damaging your business reputation. To perform each test case, assessment team decides on the best tools and techniques to gain access to target system, whether through a vulnerability, such as SQL injection, or through malware, social engineering, or other techniques.
- Maintaining access. Once we gain access to the target system, our simulated attack must remain connected long enough to accomplish the goals: exfiltrating data, modifying it, or abusing functionality. It’s about demonstrating the potential impact.
Why should you let us help you?
Our expert team will analyze your infrastructure and business for weak points that can be exploited by outside sources and help you take preventative and proactive measures so that your business doesn’t have to suffer the long, hard and costly consequences. Not only do we help you fix the actual IT side of the business, we can also educate your employees on how to prevent being social engineered and basics on how to spot most common breach attempts.
The strength in our penetration testing as Sirius Information Technologies comes from our experience in working with many different IT systems in many countries and our expertise concerning numerous IT technologies. Click here to contact us.