What is a Pen test?

As a society, we do everything in our power to protect our homes from danger. We install security systems, fit fire alarms and make sure the front door is locked when we’re not there.

 

When it comes to protecting our servers and networks, the same level of care should be exercised. Yet despite our best efforts to shield our systems from attack, they still remain vulnerable. And just like professional burglars will always find a way to break into buildings, skilled hackers are relentless when it comes to breaching security systems. And yours is especially susceptible to threat if you’re unaware of how weak your security measures are.

 

One way to combat this issue is by conducting a penetration test, or pen test for short.

 

What is a Pen Test?

 

Penetration testing is the practice of testing a computer system for security risks and is an effective measure for protecting your networks and applications from attack.

 

Pen tests differ from security and compliance audits because they examine the real world effectiveness of your security controls against real life hackers. They can be automated with software applications or performed manually by skilled developers, but typically a pen test will involves a combination of the two.

 

Organisations invest in penetration testing for a number of reasons:

  • To identify vulnerabilities that are difficult or impossible to detect with vulnerability scanning software
  • To test security policy compliance and employee security awareness
  • To recreate an attack chain following a security incident
  • To test how effective existing responses are to security incidents
  • To validate new security controls
  • To provide evidence which supports a request for increased investment in system security

 

How do pen tests work?

 

Rather than just assessing how vulnerable a computer system is, a pen test simulates an attack on a computer system and attempts to exploit its vulnerabilities. By doing so, the possibility of unauthorised access or malicious activity is detected.

 

Once security weaknesses have been uncovered, a report is sent to the owner and a security plan is recommended for future protection.

 

While it may seem ludicrous to instruct someone to invade your servers and networks, the practice of pen testing is essentially ethical hacking. The simulated attack is performed for the greater good of your system security and no sensitive information is lost or stolen in the process. In fact, pen tests are often called white hat attacks because it’s the good guys who are attempting to break in.

 

Generally speaking, after goals have been established, there are five stages in the process of conducting a pen test.

 

1. Reconnaissance

 

Intelligence is gathered to help the tester better understand what a target’s potential vulnerabilities are. Once done, the scope of work is defined

 

2. Scanning

 

Scanning tools are used to see how a target responds to intrusions.

 

3. Gaining Access

 

Web application attacks are used to uncover a target’s vulnerabilities. The tester then tries to exploit these vulnerabilities as a means of assessing potential damage.

 

4. Maintaining Access

 

The tester attempts to maintain access long enough to retrieve as much data as possible. The objective of this stage is to test whether a vulnerability can be used to achieve a persistent presence in the exploited environment.

 

5. Analysis

 

The findings are analysed and compiled into a report which details the specific vulnerabilities that were exploited, sensitive data that was accessed and the amount of time the tester was able to remain in the system undetected.

 

Are there different types of pen tests?

 

Yes, and establishing your goals will help you determine the type of pen test you need for your organisation. If you have multiple needs for instance, you might want to conduct several different tests.

 

External Testing

 

This type of test targets an organisation’s assets that are visible from the internet such as domain name servers (DNS), email servers, web servers and firewalls. The objective of this test is to see how feasible it is for an outsider to get in and extract valuable data.

 

Internal Testing

 

With internal pen tests, the tester simulates an attack from behind the applications firewall. This type of testing is used to determine how much damage could be caused by an authorised user with standard access privileges e.g. an employee.

 

Black Box Testing

 

Black box penetration testing involves testing a system externally with zero internal knowledge. The tester examines the functionality of an application without taking the internal structures or workings into consideration.

 

White Box Testing

 

White box penetration testing on the other hand is a method whereby the tester has been provided with a whole range of information relating to an organisation’s internal systems and/ or network.

 

Blind Testing

 

Blind penetration testing and double blind penetration testing are also worth a mention. Both strategies involve the tester conducting the pen test with very little information on the organisation, but double blind testing goes a step forward. Only a couple of people within the organisation are aware that a simulated attack is being carried out so there is no time to put last minute security measures in place. This method is often used to test an organisation’s security monitoring and response procedures.

 

Final Thoughts

 

It can be difficult to wrap your head around the idea of entrusting someone, let alone a team of people, to simulate an attack on your computer systems. Especially when you consider what they might discover. However, given the amount of security scares that are being reported on a regular basis, conducting a pen test might just give you some reassurance about the current state of your system’s security.

 

If you’d like to learn more about penetration testing, please call 01 522 7690 or email aoife.ross@softwaredesign.ie