Penetration Testing

Penetration testing, often referred to as “pen testing” is a controlled attack against a web application, network, or computer system. The purpose of a penetration test is to identify vulnerabilities that could be exploited by legitimate attackers. Examples of potential vulnerabilities include API Insecure Direct Object References (IDOR) and injection flaws, unsanitized inputs, open ports, unpatched software components, and so on.

Penetration testing is usually performed in five stages:

Planning & Reconnaissance

Since the goal is to simulate a real attack on a target, the first step involves defining the scope of the penetration test, which includes identification of the targets and potential methods that can be utilised during the attack. This is followed by intelligence gathering, where the pen test team will gather any information on the target, which can include domain names, network topology, server names and IP addresses, operating systems, user accounts, and so on.

Scanning

During the scanning phase the pen test team will use software tools to scan the target. These tools may vary depending on the target, and also what type of penetration test it is. They can be used to identify open ports, analyse network traffic, scan code, and so on. The idea is to look for potential entry points and / or vulnerabilities that can be exploited.

Gaining Access (Exploitation)

With reconnaissance and scanning completed, the pen test team puts the gathered intelligence to use by attempting to compromise the target by exploiting vulnerabilities. This stage often involves web application attacks like cross-site scripting, SQL injection, backdoors, and other methods.

Maintaining Access (Post-Exploitation)

An additional phase can be added to the penetration test in which the pen test team attempts to maintain access to the target system. This can involve creating backdoors, or installing rootkits or Trojans.

Analysis and Reporting

The pen test team provides a detailed report that summarises the test. The report generally includes the identified vulnerabilities, their severity, and the steps to reproduce them. It typically also includes recommended mitigations or corrective actions to address each vulnerability.

There are three types of penetration testing:

Black Box / Black Hat Penetration Testing

The key characteristic of a black hat pen test is that the team has no prior knowledge of the target. This type of pen test simulates a real-world attack.

White Box / White Hat Penetration Testing

With a white hat pen test the team has full access to the target as well as all necessary source code and documentation. The purpose of this test is to evaluate all aspects of system security.

Grey Box / Grey Hat Penetration Testing

The pen test team has partial knowledge of the system. This type of pen test is meant to simulate a real-world scenario where, say, a disgruntled employee could be the attacker.

In addition to these three flavours of penetration tests, different types can also be requested, each with a specific aim:

Network Penetration Testing

The purpose of a network pen test is to identify vulnerabilities that could be exploited to allow unauthorised users control over the network or network resources. This can involve testing of servers and network hosts, firewalls, and other network protocols.

Web App Penetration Testing

Websites and web apps are tested for vulnerabilities such as Cross-Site Scripting (XSS), SQL Injection, and Cross-Site Request Forgery (CSRF). This is especially important for eCommerce sites and applications working toward PCI DSS certification.

Mobile App Penetration Testing

Here the pen test team tests mobile apps for potential vulnerabilities such as insecure data storage, weak encryption, or vulnerabilities specific to Android or iOS operating systems.

Wireless Penetration Testing

This type of testing probes wireless networks, such as WiFi and Bluetooth, for vulnerabilities which may include weak encryption algorithms, insecure protocols, or unauthorised access points.

Social Engineering Penetration Testing

How aware are your personnel? Do they adhere to security policies? That’s what the social engineering penetration testing examines with techniques such as phishing emails, pretext calling, or physical security tests to manipulate employees into revealing sensitive information or granting access to systems.

Physical Penetration Testing

As the name suggests, the pen test team attempts to gain physical access to sensitive areas on the premises such as server rooms or on-premises data centres. The goal is to assess physical security measures.

Cloud Penetration Testing

Cloud penetration testing evaluates the security of a company’s cloud-based systems and infrastructure. This is especially important in a cloud-enabled digital landscape where access to cloud-based services have become the norm.

Red Teaming

Red Teaming combines all the (applicable) penetration tests mentioned above into one. It is a full scope controlled attack on an organisation’s security, both digital and physical.

Pen testing can involve the attempted breaching of any number of application systems, (e.g., application protocol interfaces (APIs), frontend/backend servers) to uncover vulnerabilities, such as unsanitized inputs that are susceptible to code injection attacks.

Prevention is better than cure. In that context, a penetration test actively identifies weaknesses in your online security, and provides the reporting and assistance to eliminate those vulnerabilities. A penetration test can also be used to fuel compliance with regulatory auditing requirements, enhance technical controls, and deliver overall confidence in your hosting security.

No. The difference between penetration testing and “black hat” hacking attempts is that penetration testing is controlled and therefore pose no threats to your sites or servers. Another term for penetration testing is “ethical hacking”, of which the aim is simply to improve the security of the target website.

By shoring up the vulnerabilities exposed during penetration testing, you can dramatically reduce the risk of a breach through your website or server.

Vulnerability scanning proactively identifies vulnerabilities. Typically, a vulnerability scan is an automated process that relies on software to scan for and identify vulnerabilities. Human input can sometimes be required during the analysis phase to interpret results and to eliminate false positives.

An example of a vulnerability scan is Storm’s PCI external vulnerability conducted by SecurityMetrics, which is a Payment Card Industry Data Security Standard (PCI DSS) Approved Scanning Vendor (ASV). Learn more about Storm’s PCI External Vulnerability Scans.