A beginner’s guide to penetration testing
Written by Joseph Poppy on 08/06/2018
White box testing is often referred to as an authenticated test and focuses on the security of your underlying technology (all the unseen bits that make your systems work). A white box test takes place with extensive knowledge of your IT department and infrastructure already in hand. This means the tester will have access to IP addresses, network diagrams, system configurations and even credentials. They may even be given their own admin credentials. This form of test is incredibly extensive and allows the tester to take on the role of someone within your organisation and analyse your processes as well as your systems.
Black box testing mirrors the approach a real-world hacker would take, in that no prior information regarding your infrastructure set-up is given. Through research, probing, hacking techniques (such as brute-force attacks) and even social engineering, the penetration tester will attempt to gain unauthorised access to your networks and exfiltrate data. This approach will not only provide an evaluation of your network and systems, but also the processes and people involved.
Grey box testing, as you may have guessed, lies somewhere in between white and black box testing. Testers will have some previous knowledge of your infrastructure and systems used, but not in as much detail as a white box test. The knowledge given will be agreed during the scoping of the test.
Penetration testing vs vulnerability assessments
Often, the phrases penetration test and vulnerability assessment are wrongly used interchangeably. A vulnerability assessment or VA scan is the use of an automated tool to scan a network or application for known vulnerabilities, which can subsequently be patched. The key difference is that a penetration test is a lot more involved: a tester chains and manually verifies findings, including ones no scanner signature exists for, and so provides a more comprehensive overview of your security stance. This is not to say that a vulnerability scan is without value; it is cheaper, repeatable and well suited to catching missing patches between tests.
User A works in your finance department and receives an email stating that their password is due to expire, and that they should click the provided link to reset it. If they don’t, they could be locked out of their emails, which User A feels is simply unacceptable. User A clicks the link and is directed to what appears to be the official website of your email provider. User A types in their current password and selects a new password before continuing with their work. Only the link they followed was not official at all. Instead, it was a platform designed by a hacker who now has User A’s credentials.
This type of technique has been around almost as long as email has (think of the "I am a wealthy investor from ____ I need to transfer money to the UK, please provide me with your bank details" spam). Some phishing attempts are more sophisticated than others.
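The scenario with User A turns on one detail: the link looked like it led to the mail provider but did not. As an added example (not code from the original article), the function below applies the checks a practitioner would run on a link pulled from such an email: it must use https, must not hide the real host behind a `user@` prefix, must not be a raw IP address or a punycode (`xn--`) lookalike, and must be the expected domain or a subdomain of it. `EXPECTED_MAIL_DOMAIN` and the sample URLs are constructed for illustration.

```python
"""Added example: is a link from an email really on the domain it appears to be?"""
import ipaddress
from urllib.parse import urlsplit

# Assumed legitimate mail-service domain for this illustration.
EXPECTED_MAIL_DOMAIN = "mail.example.com"


def classify_link(url: str, expected_domain: str = EXPECTED_MAIL_DOMAIN):
    """Return (legitimate, reason). Conservative: anything odd is flagged."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "unparseable URL"

    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'!r}, not https"

    host = parts.hostname  # lowercased, port and user:pass@ already stripped
    if not host:
        return False, "no host in URL"

    if parts.username is not None or parts.password is not None:
        # https://mail.example.com@evil.net is a link to evil.net, not to us.
        return False, f"userinfo before host hides real target {host!r}"

    try:
        ipaddress.ip_address(host)
        return False, "raw IP address instead of a hostname"
    except ValueError:
        pass  # not an IP literal, carry on

    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode label (possible homograph of a real domain)"

    expected = expected_domain.lower().rstrip(".")
    host = host.rstrip(".")
    if host == expected or host.endswith("." + expected):
        return True, f"host {host!r} is within {expected!r}"
    # Catches the classic prefix trick: mail.example.com.evil.net
    return False, f"host {host!r} is not {expected!r} or a subdomain of it"


# Constructed sample links of the kind found in password-reset phishing mail.
SAMPLE_LINKS = [
    "https://mail.example.com/reset?token=abc",        # genuine
    "https://sso.mail.example.com/login",              # genuine subdomain
    "https://mail.example.com.evil.net/reset",         # lookalike suffix
    "https://mail.example.com@evil.net/reset",         # userinfo trick
    "http://mail.example.com/reset",                   # downgraded to http
    "https://192.0.2.10/reset",                        # raw IP
]


def triage(links):
    """Map each link to its verdict so a whole email can be checked at once."""
    return {link: classify_link(link) for link in links}


if __name__ == "__main__":
    for link, (ok, why) in triage(SAMPLE_LINKS).items():
        print("OK  " if ok else "BAD ", link, "-", why)
```

The suffix check is deliberately anchored on the organisation's own domain rather than on a general "registrable domain" rule, which would need the Public Suffix List; for a known expected domain the simple comparison is exact. Real phishing links also route through redirectors and URL shorteners, so the host you see is not always the host you land on.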
Social engineering can go further than this and include face-to-face interaction or phone calls. This will usually be an attempt to gain physical access to a machine or building rather than to breach your network remotely, although one can lead to the other.
Network penetration test
A network penetration test is the most common and currently the most in-demand form of pen test. This is where the penetration tester tries to breach an organisation’s infrastructure. Depending on the size of the company and, therefore, how many servers, devices and programs are communicating with one another, the amount of time and resources these tests take can vary dramatically. Whilst tests differ depending on the target(s), they tend to examine the following:
- Firewall configurations
- Stateful analysis testing
- Firewall bypass possibilities
- IPS evasion
- DNS attacks
Of course, all components will be running and reliant upon various pieces of software which will also be tested. The most common of which are:
- Secure Shell
- SQL Server
- Simple Mail Transfer Protocol (SMTP)
- File Transfer Protocol
- Outlook login pages
Depending on what your goals are, the depth of a network test can vary.
How does penetration testing work?
The pen tester will start by conducting some basic reconnaissance around your network or application: what is exposed, what software and versions are running, and who and what the organisation is connected to. From this they should get a good idea of what your environment looks like and how best to proceed.
Once they are satisfied they have enough knowledge to continue, the pen tester will begin running scans against your system to search for any vulnerabilities and test the response to intrusion.
After scanning, the pen tester will actively start probing and attempt to gain access to your network. If any vulnerabilities were discovered in the previous stages, these will be exploited. Even if none were found, the tester will have a number of other tricks and tools to employ, such as a brute-force attack. This uses a trial and error approach in an attempt to guess credentials. Using automated tools, hundreds or even thousands of attempts can be made every minute, working through a wordlist or a set of password patterns against the accounts in scope.
If a penetration tester manages to exploit vulnerabilities or find another way to compromise your network, they will gain access to your system. From there, they will gather evidence or make agreed changes to prove that they have done so. After access has been gained (sometimes more than once through different methods), the penetration tester will set about compiling a report, listing their methodology, their level of success and giving remediation advice.
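The credential-guessing step described above, as an added example that is not part of the original article: a wordlist is run against a toy login service so that it works offline. The same attack is run twice, once against a service with no lockout and once against one that locks an account after five failures, to show why the attempts-per-minute figure matters and what stops it. The user database, the wordlist and the lockout threshold are all constructed for illustration.

```python
"""Added example: wordlist brute force against a toy login service, with and without lockout."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 10_000  # low for a quick demo; production values are much higher


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginService:
    """Toy authentication service. max_failures=None means no lockout at all."""

    def __init__(self, users: dict, max_failures=None):
        self.users = {}
        for username, password in users.items():
            salt = os.urandom(16)
            self.users[username] = (salt, hash_password(password, salt))
        self.max_failures = max_failures
        self.failures = {}   # per-account consecutive failure count
        self.attempts = 0    # total login calls seen, i.e. what the attacker spends

    def login(self, username: str, password: str) -> str:
        self.attempts += 1
        if self.max_failures is not None and self.failures.get(username, 0) >= self.max_failures:
            return "locked"
        record = self.users.get(username)
        if record is not None:
            salt, stored = record
            if hmac.compare_digest(hash_password(password, salt), stored):
                self.failures[username] = 0
                return "ok"
        # Unknown user and wrong password are counted and answered the same way.
        self.failures[username] = self.failures.get(username, 0) + 1
        return "failed"


def brute_force(service: LoginService, username: str, wordlist):
    """Try each candidate in order; return the password found, or None."""
    for guess in wordlist:
        result = service.login(username, guess)
        if result == "ok":
            return guess
        if result == "locked":
            return None  # further guesses are pointless once locked out
    return None


# Constructed data for the demo.
USERS = {"finance.user": "Summer2018!"}
WORDLIST = ["123456", "password", "qwerty", "welcome1",
            "letmein", "Password1", "Summer2018!", "admin"]


def run_demo():
    """Returns {"open": (password_found, attempts), "hardened": (password_found, attempts)}."""
    open_service = LoginService(USERS)
    found = brute_force(open_service, "finance.user", WORDLIST)

    hardened = LoginService(USERS, max_failures=5)
    blocked = brute_force(hardened, "finance.user", WORDLIST)

    return {"open": (found, open_service.attempts),
            "hardened": (blocked, hardened.attempts)}


if __name__ == "__main__":
    for name, (pw, n) in run_demo().items():
        print(f"{name}: password {pw!r} after {n} attempts")
```

Two caveats a tester will raise in the report. Per-account lockout does not stop password spraying, where one or two common passwords are tried against every account, so it has to be paired with monitoring of failures per source address. And lockout is itself a lever: anyone who can reach the login page can lock out the finance team, which is why many organisations prefer progressive delays or risk-based challenges to hard lockouts.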
What does it mean to red team?
A red team service, or red teaming, tests an organisation’s cyber security equipment and procedures along with their physical security. A red team will make use of automated tools, manual techniques and social engineering, with the aim of breaching your perimeter by any means or gaining physical access to your premises, and therefore, your network or data.
This expands on a penetration test by adding your physical security to the scope, which the red team will attempt to compromise using a number of creative methods. Offering a multi-layered approach for maximum impact, a red team will try just about anything to gain access to your network or offices. Once inside, they will attempt to compromise a machine or, better still, get to your server room or datacentre.
The purpose behind a red team investigation is to provide you with a detailed snapshot of your overall security posture. Red teaming also demonstrates that one of the most important, yet often overlooked aspects of cyber security, is the human one.
Cost of Penetration Testing
The cost of a penetration test can vary considerably with many factors to consider. The size of the network/application, its complexity and the overall scope will be the main variables.
Of course, these prices and features depend entirely on your requirements and serve as just a rough guide as to what you might expect to pay.
A penetration test is vital for any company or organisation who takes cyber security seriously. As already stated, if a penetration tester manages to compromise your application or network, then a real hacker can too. Penetration tests offer a proactive approach to maintaining high levels of security.
However, it’s worth noting that a pen test shows you your security posture at a fixed point in time. New vulnerabilities will be discovered, and other methods of attack will evolve, so it’s recommended that you book regular (at least annual) penetration tests, and re-test after any significant change to your infrastructure or applications, to ensure that you maintain your level of security.