Penetration testing is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system. It verifies the extent to which a system, device or process resists active attempts to compromise its security.
Before delving deeper into the definition, let’s borrow an example from a parallel world. One of the common practices in the military is the military exercise, or war game. A military exercise is the employment of military resources in training for military operations. It serves to ensure the combat readiness of deployable forces before they leave their home base. It focuses on simulating real, full-scale military operations under controlled hostile conditions, in an attempt to reproduce wartime decisions and activities, either for training or to analyze the outcome of possible wartime decisions.
Like a war game, one of the core properties of penetration testing is simulation. The core purpose of penetration testing is to generate knowledge. What kind of knowledge does a penetration test generate? It generates information about the weak links in an organization’s cyber security defenses.
Think of penetration testing as a cyber attack simulation by a trusted security expert with the intention to discover weak areas in the system.
The results of a penetration test give an indication of the robustness of the system. They help find, before a real intruder does, the holes that someone with malicious intent could exploit.
To summarize, the following properties define a penetration test:
- Authorization: It is an authorized cyberattack.
- Trusted expert: The test is carried out by a trusted security expert, whether an in-house team or an external firm engaged by the organization, within rules of engagement agreed in advance.
- Simulation: It is an act of imitation of a potential exploitation of security loopholes.
- Evaluation: The exercise evaluates overall security of the system.
Colloquially, penetration testing is also known as a pen test or ethical hacking.
What is the primary purpose of penetration testing?
Penetration tests play an important role in strengthening cyber resilience of the organization.
What really is cyber resilience?
The abstract notion of resilience relates to one of the best qualities we associate with members of the human species: our ability to succeed in the face of adversity. But how exactly does it apply to cybersecurity?
The backdrop for thinking about cyber resilience is this: our enterprise networks contain large amounts of insecure software (and hardware) and many imperfect human beings, entities that fail fairly often from a security standpoint. The enterprise attack surface is vast, constantly growing and poorly understood, and the threat landscape keeps evolving. The objective of security teams is to implement mitigations that give us a cyber-resilient enterprise on top of insecure components. In summary, cyber resilience is the ability of an enterprise to limit the impact of security incidents.
And how do penetration tests help in building an organization’s cyber resilience?
Penetration testing can be seen as a useful periodic add-on that tests for weaknesses using the same techniques attackers use. It can involve a complex simulation of cyber attacks across an organization’s attack surface, for example attempting to breach different application systems via the frontend or via their APIs, to detect security flaws. By surfacing vulnerabilities that were previously unknown to the organization, it gives the organization the opportunity to patch the vulnerable software and to fix misconfigurations.
Repeated pen tests should be planned only after you have done the basics. The basics of the vulnerability management process include the following stages:
Discovery: Comprehensive and accurate asset inventory is a core capability that is required to discover all potential vulnerabilities.
Prioritization: With hundreds or thousands of vulnerabilities, it’s important to effectively prioritize remediation to ensure your security team isn’t racing to address issues that pose little or no real risk to your business-critical assets.
Response: After you’ve identified the vulnerabilities that exist across your systems, it’s important to evaluate the risks they pose and determine how to effectively manage them.
In the absence of a basic vulnerability management process, the output of a pen test will just tell you something you will not want to hear: your enterprise is wide open.
Because of the common perception that pen tests disrupt the business, and because of cost, pen tests are often limited in scope.
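As an added illustration of the three stages above (my code, not the article’s), the following Python sketch rates a set of findings against an asset inventory. Every asset name, finding id, CVSS score, weight and SLA value is constructed for the example; the point is the mechanics: a finding on an asset missing from the inventory cannot be rated at all (discovery), the same CVSS score lands in different tiers depending on asset criticality and exposure (prioritization), and each tier maps to a remediation deadline (response).

```python
"""Constructed example of the discovery -> prioritization -> response loop.
Not code from the original article; every asset, finding, weight and SLA
value below is made up for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int      # 1 (lab box) .. 5 (revenue-critical), set by the asset owner
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    id: str               # constructed ids, not real CVE numbers
    asset: str
    cvss: float           # CVSS v3 base score, 0.0 .. 10.0
    exploit_public: bool  # a working public exploit is known


# Remediation deadlines per priority tier (constructed policy, in days).
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}


def risk_score(f: Finding, a: Asset) -> float:
    """Severity weighted by business context.

    CVSS alone ranks a 9.8 on an isolated lab host above a 7.5 on a payment
    gateway; multiplying by asset criticality and exposure corrects that.
    """
    score = f.cvss * a.criticality          # 0 .. 50
    if a.internet_facing:
        score *= 1.5
    if f.exploit_public:
        score *= 1.5
    return score


def tier(score: float) -> str:
    """Map a risk score onto the constructed priority tiers."""
    if score >= 60:
        return "P1"
    if score >= 30:
        return "P2"
    if score >= 10:
        return "P3"
    return "P4"


def prioritize(findings, inventory, found_on):
    """Return (rated, unknown).

    rated: findings on known assets, highest risk first, each with its tier
    and due date. unknown: findings on assets missing from the inventory;
    these cannot be rated, which is why discovery precedes prioritization."""
    rated, unknown = [], []
    for f in findings:
        a = inventory.get(f.asset)
        if a is None:
            unknown.append(f)
            continue
        s = risk_score(f, a)
        t = tier(s)
        rated.append({"id": f.id, "asset": f.asset, "score": s, "tier": t,
                      "due": found_on + timedelta(days=SLA_DAYS[t])})
    rated.sort(key=lambda r: r["score"], reverse=True)
    return rated, unknown


def run_example():
    """Constructed inventory and scanner output; returns prioritize()'s result."""
    inventory = {a.name: a for a in [
        Asset("pay-gw-01", criticality=5, internet_facing=True),
        Asset("build-agent-03", criticality=3, internet_facing=False),
        Asset("lab-vm-17", criticality=1, internet_facing=False),
    ]}
    findings = [
        Finding("F-001", "lab-vm-17", 9.8, exploit_public=True),
        Finding("F-002", "pay-gw-01", 7.5, exploit_public=False),
        Finding("F-003", "build-agent-03", 8.8, exploit_public=True),
        Finding("F-004", "pay-gw-01", 9.1, exploit_public=True),
        Finding("F-005", "shadow-host-9", 10.0, exploit_public=True),  # not in inventory
        Finding("F-006", "lab-vm-17", 4.3, exploit_public=False),
    ]
    return prioritize(findings, inventory, found_on=date(2024, 3, 1))


if __name__ == "__main__":
    rated, unknown = run_example()
    for r in rated:
        print(f'{r["tier"]} {r["id"]:6} {r["asset"]:15} score={r["score"]:7.2f} due={r["due"]}')
    print("unrated (asset not in inventory):", [f.id for f in unknown])
```

Note how F-001, the highest CVSS score on a known asset, ends up fourth in the queue, while F-005, the most severe finding of all, cannot be scheduled because nobody knows what “shadow-host-9” is: that is the discovery gap the text warns about.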
Benefits of penetration testing
Penetration test phases:
- Before the attack:
  - Reconnaissance: Gathering information about the target (public records, DNS, exposed services, the people and technologies in use) that can be used to plan the attack. This phase sets the goals for the attack simulation.
- During the attack:
  - Scanning: Using tools to extend the tester’s knowledge of the system, for example by enumerating live hosts, open ports and service versions. This phase identifies the parts of the system that look vulnerable.
  - Gaining access: Using the data gathered during reconnaissance and scanning, the tester exploits a weakness to gain access to the targeted system.
- After the attack:
  - Maintaining access: Establishing persistence in the target environment so that access survives beyond the initial foothold, as a real intruder would in order to gather data and cause damage over time. In an authorized test the aim is to show that this is possible, not to cause the damage.
  - Covering tracks: Removing traces of the compromise, such as log events and any data collected, so that the intrusion goes undetected. In a pen test this step is bounded by the rules of engagement: testers record every action they take so defenders can later check whether logging and detection picked it up, and they do not destroy evidence the organization needs.
  - Preparing reports: The tester turns the knowledge of the vulnerabilities found in the previous steps into recommendations for strengthening the defenses.
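As an added example of the scanning phase (my code, not the article’s), the Python below performs a TCP connect scan with banner grabbing. To keep it offline and inside the only scope we are authorized for, it scans nothing but listeners it starts itself on 127.0.0.1; the banner strings and the watch-list of “end-of-life” versions are constructed for the demo and refer to no real product or advisory.

```python
"""Added example of the scanning phase: a TCP connect scan with banner
grabbing. Not code from the original article. It targets only listeners it
starts itself on 127.0.0.1, so it runs offline and stays inside the one
scope we are authorized for. Banner strings and the watch-list are made up."""
import socket
import threading

# Constructed watch-list: banners the (hypothetical) engagement's scoping
# notes mark as end-of-life. In practice this comes from vendor advisories.
EOL_BANNERS = {"SSH-2.0-ExampleSSH_1.0", "220 ExampleFTP 0.9 ready"}


def scan_port(host, port, timeout=0.5):
    """Return (state, banner): state is 'open' or 'closed', banner is the
    first line the service volunteers ('' if it stays silent)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:                  # refused, timed out, unreachable
            return "closed", ""
        try:
            banner = s.recv(256).decode("ascii", "replace").strip()
        except OSError:
            banner = ""
        return "open", banner


def scan(host, ports, timeout=0.5):
    """Probe each port; return the open ones with their banner and whether
    that banner is on the watch-list."""
    found = []
    for port in ports:
        state, banner = scan_port(host, port, timeout)
        if state == "open":
            found.append({"port": port, "banner": banner,
                          "flagged": banner in EOL_BANNERS})
    return found


class FakeService(threading.Thread):
    """Throwaway TCP service that greets each client with a fixed banner,
    standing in for the target host."""

    def __init__(self, banner):
        super().__init__(daemon=True)
        self.banner = banner.encode()
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))          # kernel picks a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)                 # so the loop can notice stop()
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()

    def run(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                try:
                    conn.sendall(self.banner + b"\r\n")
                except OSError:
                    pass
        self.sock.close()

    def stop(self):
        self._stop.set()


def run_example():
    """Start one end-of-life and one current service, pick a port known to be
    closed, then scan all three and return what was found."""
    old = FakeService("SSH-2.0-ExampleSSH_1.0")
    new = FakeService("SSH-2.0-ExampleSSH_3.4")
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.bind(("127.0.0.1", 0))
        closed_port = probe.getsockname()[1]   # released when the block ends
    old.start()
    new.start()
    try:
        ports = sorted([old.port, new.port, closed_port])
        return {"ports": ports, "open": scan("127.0.0.1", ports),
                "closed_port": closed_port}
    finally:
        old.stop()
        new.stop()


if __name__ == "__main__":
    result = run_example()
    for f in result["open"]:
        mark = "  <-- end-of-life version" if f["flagged"] else ""
        print(f'{f["port"]}/tcp open  {f["banner"]}{mark}')
```

The connect scan completes the TCP handshake, which is noisy and shows up in the target’s connection logs; that is acceptable here and in most authorized tests, and it is exactly the kind of trace the detection team should later be able to find when the tester hands over the timeline of actions.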
Key quotes on penetration testing:
- “A good test case is a test case that has a high probability of detecting an undiscovered error, not a test case that shows that the program works correctly.” – Glenford Myers
- “Pen testing is an art and a science that must not only seek out weakness within a system, but must help to understand the sinister nature of hackers who, for example, see a SQL opportunity where the rest of us merely see a contact us form.” – Steve Prentice