Penetration testinG: all the way from P to G.
Let's take a deep look into the system. What do we see? We see tons of code, fine and silky like a piece of a high-quality fabric… Wait, what's that? A hole?

Yep. A security hole.

Security holes are a gift to attackers. Through them an intruder slips into the system the way a thief climbs in through an open window. And we know well enough how many evil intentions intruders may have: from simple pranks, like replacing the site font with Comic Sans italics (a designer's headache), to stealing users' personal data (a headache for everyone).
Penetration testing is a technique that lets a tester identify the areas of a system that are vulnerable to attackers. During the test, a specialist deliberately attacks the system in a controlled way, revealing its weakest spots and protection problems so that they can be fixed before a real attacker finds them.
This technique is applied as an additional method of security testing, not as a replacement for the others. It is also used to estimate how effective the system's protection as a whole is against unexpected malicious attacks.
Why can the system be vulnerable?
Security flaws appear at different stages of the process and depend on many factors:
1. Design error (design flaws are among the most common causes of security holes)
2. Incorrect configuration and tuning of the associated hardware and software
3. Network connection problems (an insecure network path gives a hacker a gateway into the system; a properly secured connection closes one common entry point, though it does not eliminate attacks by itself)
4. The human factor (a mistake made intentionally or unintentionally by an individual or team in the design, deployment, and maintenance of a system or network)
5. Communication error (incorrect or open transfer of confidential data and information among teams or individuals)
6. Excessive system complexity (it is easy to control the security mechanisms of a simple network infrastructure, and it is difficult to track leaks or any malicious activity in complex systems)
7. Lack of training (lack of knowledge and necessary security training for both internal staff and those working outside the company)
What is the difference between penetration testing and vulnerability assessment?
Both of these techniques are designed to make the software secure. But these are two different processes.

Penetration testing is an active test performed manually or with the help of automation tools. The system and its associated components are exposed to emulated malicious attacks, and security flaws are identified by actually exploiting them, which shows what an attacker could really achieve.

Vulnerability assessment is the study of the system and its thorough analysis using scanning tools. During the analysis, a tester discovers security holes that could be used in various malicious attacks and rates them, but does not exploit them. While the assessment is still in progress, developers can already fix the security bugs found.
To make it clearer, let's compare the system with an ordinary brick wall.

While assessing vulnerabilities, the tester looks for holes in the wall and asks the builders (see also "developers") to patch them. In the penetration test, the main task is to crash the hell out of the wall and see what happens.
So do we really need penetration testing?
We do need it. Here's a list:

  • Frequent and complex system updates can seriously affect the corresponding hardware and software, and this may introduce security issues, so updates need to be monitored. The penetration test, in this case, is a way to identify the weak and vulnerable areas of the system before a hacker does.

  • The penetration test provides an opportunity to assess how good the existing system protection is. Working together with the management team, the testing team can also estimate various business risks, including determining which data in the company is confidential. It helps the company to structure and set its priorities, reducing various business risks and problems.

  • Ultimately, the penetration test is also a great tool for finding gaps against basic security standards, norms, and practices, and for demonstrating that they are met.
How to perform penetration testing?
System penetration testing can be performed manually, automatically, or with the combination of these two approaches. Let's take a closer look.
Manually
For performing manual penetration testing, a consistent standard approach is used. It includes the following stages:

Planning.
This stage includes collecting requirements, determining the scope, strategies, and objectives of testing in accordance with security standards. In addition, it may contain an assessment of areas to be tested, types of planned tests and other related checks.

Exploring.
At this stage, testers collect and analyze the most detailed information about the system and the related security attributes useful for targeting and attacking each component. There are two forms of collecting and analyzing information: passive and active exploring (in the first case, there is no direct interaction with the system; in the second, the tester probes it, for example with port and service scans).

Vulnerability analysis.
At this stage, testers identify the vulnerable areas of the system that will later serve as entry points for the attack in the penetration test.

Exploitation.
The actual penetration test, involving external and internal attacks. External attacks are emulated attacks from the outside (for example, obtaining unauthorized access to functions and data of public applications and servers). Internal attacks start from a position inside the network or from an authorized account, and represent the actions that can intentionally or unintentionally compromise the system from there.

Post-exploitation.
At this stage, each successful attack on the system is analyzed: what the attacker gained, how far they could move, and what the potential impact on system and business processes is.

Reporting.
In general, reports are compiled at each stage of testing, and documentation is written for the entire event. It can also describe various risks, identified problems, vulnerable areas and proposed solutions to fix the issues found.
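The stages above map onto a small amount of tooling that a tester keeps around for every engagement: a scope gate for the planning stage, a parser for active-exploring output, a version check for vulnerability analysis, and a findings log that distinguishes candidates from confirmed issues for the reporting stage. The following is an added example for this article, not a tool from the page or from any of the products it names. Everything in it is constructed: the scope ranges, the candidate hosts, the lines that imitate Nmap's grepable output, and the "outdated version" cutoffs are assumptions made for illustration.

```python
"""Scope-enforced reconnaissance with a findings log.

Added example for this article, not a tool from the page. All inputs are
constructed: the scope, the candidate hosts, the "nmap-style" grepable
output and the version cutoffs are made up for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Planning: the agreed scope. Nothing outside it may be scanned or attacked.
SCOPE = {
    "include": ["10.10.0.0/24", "203.0.113.10/32"],
    "exclude": ["10.10.0.1/32"],  # assumed: the client's production gateway
}

# Exploring (passive): hosts learned without touching the target (constructed).
CANDIDATES = ["10.10.0.5", "10.10.0.1", "10.10.0.77", "192.0.2.9", "203.0.113.10"]

# Exploring (active): constructed lines imitating nmap's grepable (-oG) format.
# Field layout per port entry: port/state/proto/owner/service/rpc/version/
SCAN_OUTPUT = """\
Host: 10.10.0.5 ()  Ports: 22/open/tcp//ssh//OpenSSH 7.2p2/, 80/open/tcp//http//Apache httpd 2.4.18/
Host: 10.10.0.77 ()  Ports: 445/open/tcp//microsoft-ds//Samba smbd 3.6.25/, 3306/filtered/tcp//mysql///
Host: 203.0.113.10 ()  Ports: 443/open/tcp//https//nginx 1.18.0/
"""

# Vulnerability analysis: assumed "older than this deserves a look" cutoffs.
# A real engagement consults a vulnerability database, not this table.
OUTDATED = {"OpenSSH": "7.4", "Apache httpd": "2.4.40", "Samba smbd": "4.0"}


@dataclass
class Finding:
    host: str
    port: int
    service: str
    product: str
    observed: str
    cutoff: str
    status: str = "candidate"  # becomes "confirmed" only after exploitation


def in_scope(host: str) -> bool:
    """True only if host lies in an include range and in no exclude range."""
    ip = ipaddress.ip_address(host)
    if any(ip in ipaddress.ip_network(n) for n in SCOPE["exclude"]):
        return False
    return any(ip in ipaddress.ip_network(n) for n in SCOPE["include"])


def filter_scope(hosts):
    """Planning gate: drop every candidate the rules of engagement forbid."""
    return [h for h in hosts if in_scope(h)]


def version_tuple(text: str):
    """'7.2p2' -> (7, 2, 2); good enough for the constructed versions here."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def parse_scan(output: str):
    """Yield (host, port, state, service, version) from grepable-style lines."""
    for line in output.splitlines():
        m = re.match(r"Host: (\S+) \(\)\s+Ports: (.*)$", line)
        if not m:
            continue
        host, ports = m.groups()
        if not in_scope(host):
            # The scanner touched something it must not have: stop and report.
            raise ValueError(f"out-of-scope host in scan output: {host}")
        for entry in ports.split(", "):
            f = entry.split("/")
            yield host, int(f[0]), f[1], f[4], f[6]


def analyze(output: str):
    """Turn open services with old versions into candidate findings."""
    findings = []
    for host, port, state, service, version in parse_scan(output):
        if state != "open" or not version:
            continue
        for product, cutoff in OUTDATED.items():
            if version.startswith(product):
                observed = version[len(product):].strip()
                if version_tuple(observed) < version_tuple(cutoff):
                    findings.append(Finding(host, port, service, product, observed, cutoff))
    return findings


def confirm(finding: Finding, evidence: str) -> Finding:
    """Post-exploitation: a candidate becomes confirmed only with evidence."""
    finding.status = f"confirmed ({evidence})"
    return finding


def report(findings) -> str:
    """Reporting: one line per finding; candidates are clearly marked as unverified."""
    lines = [f"{len(findings)} finding(s) in scope {SCOPE['include']}"]
    for f in findings:
        lines.append(f"- {f.host}:{f.port} {f.service}: {f.product} {f.observed} "
                     f"(< {f.cutoff}) [{f.status}]")
    return "\n".join(lines)


if __name__ == "__main__":
    targets = filter_scope(CANDIDATES)       # only these may be scanned
    found = analyze(SCAN_OUTPUT)
    confirm(found[2], "anonymous share listing")  # assumed evidence, for illustration
    print(report(found))
```

Two design choices matter here. The scope check runs twice, once before scanning and once while reading scanner output, because the second check catches the mistake the first cannot: a tool that followed a redirect or a DNS answer onto a host nobody agreed to test. And a version match only ever produces a candidate; the status changes to confirmed only when the exploitation stage supplies evidence, which is exactly the line between a vulnerability assessment and a penetration test.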
Automatically
This useful and effective approach to penetration testing involves the use of specialized tools.

Automated testing is convenient, fast, and easy to analyze. Scanning tools are effective for detecting known security defects in a short period of time and for creating clear reports. Their results still need manual verification, though: a scanner reports what matches its signatures, not what is actually exploitable, so both false positives and missed findings are common.

Let's list some of the popular and widely used penetration testing tools:

Nmap
Nessus
Metasploit
Wireshark
OpenSSL
Cain & Abel
w3af

Many of these tools come preinstalled in security-oriented Linux distributions (Kali Linux, Mantra OS).
To work on a specific project, you will have to choose a tool that meets a variety of requirements and criteria.

The tool must:

• be convenient for deployment, use, and maintenance
• provide an easy and quick system scan
• be able to automate the process of checking the vulnerabilities found
• be able to re-check previously discovered vulnerabilities
• be able to create simple and detailed vulnerability reports
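The last three requirements (automating the check of what was found, re-checking previously discovered vulnerabilities, and producing a readable report) are the part of the automated approach that most often goes wrong in practice, because scanner output gets pasted into a report without being compared with the last run or verified by hand. The following is an added example for this article, not code from the page or from any scanner it lists: a retest tracker that compares the previous engagement's findings with a fresh automated scan and flags everything the tools reported but nobody has reproduced yet. Both finding lists are constructed, and the finding titles are not real plugin or CVE identifiers.

```python
"""Retest tracker for automated scanner findings.

Added example for this article, not part of the page or of any scanner.
The two finding lists are constructed; the titles are not real plugin or CVE IDs.
"""
from collections import Counter
from dataclasses import dataclass

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str
    severity: str
    verified: bool = False  # True once a tester reproduced the issue by hand


# Constructed: what the previous engagement reported (all verified by hand then).
PREVIOUS = [
    Finding("10.10.0.5", 22, "Outdated OpenSSH", "medium", verified=True),
    Finding("10.10.0.5", 80, "Directory listing enabled", "low", verified=True),
    Finding("10.10.0.77", 445, "SMB signing not required", "high", verified=True),
]

# Constructed: what the automated scanner reports today (nothing verified yet).
CURRENT = [
    Finding("10.10.0.5", 22, "Outdated OpenSSH", "medium"),
    Finding("10.10.0.77", 445, "SMB signing not required", "high"),
    Finding("10.10.0.77", 3306, "MySQL reachable from the network", "medium"),
]


def key(f: Finding):
    """Identity of a finding across runs: where it is and what it is."""
    return (f.host, f.port, f.title)


def retest(previous, current):
    """Sort findings into fixed / still open / new by comparing two runs."""
    prev = {key(f) for f in previous}
    curr = {key(f) for f in current}
    return {
        "fixed": sorted(prev - curr),
        "still_open": sorted(prev & curr),
        "new": sorted(curr - prev),
    }


def needs_verification(current):
    """Automated findings are claims until a tester reproduces them."""
    return [key(f) for f in current if not f.verified]


def severity_counts(findings):
    """How many findings of each severity the current run contains."""
    return dict(Counter(f.severity for f in findings))


def report(previous, current) -> str:
    """Summary line plus one line per current finding, worst severity first."""
    diff = retest(previous, current)
    by_sev = sorted(current, key=lambda f: SEVERITY_ORDER[f.severity])
    lines = [f"fixed: {len(diff['fixed'])}, still open: {len(diff['still_open'])}, "
             f"new: {len(diff['new'])}"]
    for f in by_sev:
        flag = "verified" if f.verified else "UNVERIFIED - reproduce by hand"
        lines.append(f"- [{f.severity}] {f.host}:{f.port} {f.title} ({flag})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(PREVIOUS, CURRENT))
```

A finding is identified by host, port and title rather than by the scanner's own IDs, so the comparison survives switching tools between engagements. Note that "fixed" here means only that the scanner no longer sees the issue; a host that was simply offline during the retest produces the same result, which is one more reason the report keeps the unverified flag visible instead of presenting scanner output as settled fact.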
Manually + Automatically
We consider this approach the most effective. It combines the advantages of the first two options: the tools cover the system quickly and consistently, while the tester keeps control of the process, verifies the results and digs into the areas the tools cannot reach.

Types of penetration tests
Penetration testing, depending on the elements and objects used, can be classified as follows:

Social engineering.
In this type of test the testers try to obtain confidential data and other information from people, via the Internet (e-mail, messengers) or by phone. The targets may include the company's employees or any other authorized persons present on site.

Web application.
Used to detect security holes and other problems in web applications and services, both on the client side (in the browser) and on the server side.

Network service.
This type of test is carried out in order to identify areas in the network that are subject to penetration by a hacker or other unauthorized entity.

Client part.
This type is used to test client-side applications.

Remote connection.
Testing a VPN or a similar remote-access service that can provide access to a connected system.

Wireless network.
The test is designed for wireless applications and services, including their various components and functions (routers, encryption, decryption, etc.).
It is also possible to classify penetration testing based on the testing approaches used:

White Box.
With this approach, the tester will have full access to in-depth knowledge of the functioning and basic attributes of the system. This testing is very effective, as an understanding of every aspect of the system is very useful when conducting extensive penetration tests.

Black Box.
Testers are only given publicly available information (for example, the URL or company IP address) for penetration testing. Here, the specialist can feel like a hacker, having the task to study the system (or network), not knowing how it works inside. This is a very laborious approach since the tester takes a significant amount of time to study all the properties and details. In addition, there is a high probability of missing part of the areas due to lack of time and information.

Gray Box.
The tester gets limited information (e.g., the algorithm, the architecture, some internal states, or an ordinary user's credentials) and simulates an attacker who already knows something about the system, such as an insider or a registered user.
Penetration testing limitations
There are several limitations to penetration testing:
1. The high cost of testing
2. The test is strictly time-limited, so important areas of the system might be missed
3. The system may be damaged or important data may be lost during the test, so backups and an agreed testing window are needed
Anyway. Safety first, remember?
Hackers, armed with advanced technologies, often break into systems with ease to harm the company's reputation or assets (or both). Penetration testing, more than other types of testing, can be considered a tool for identifying various security gaps, helping to neutralize potential threats to the system as a whole.
Here are some additional useful links.

The Awesome Penetration Testing project constantly updates tools, articles, and books on penetration testing.

Standards:

  • PCI DSS (Payment Card Industry Data Security Standard)
  • OWASP (Open Web Application Security Project) and its Web Security Testing Guide
  • ISO/IEC 27002
  • OSSTMM (The Open Source Security Testing Methodology Manual)

Certification:

  • GIAC Penetration Tester (GPEN)
  • Associate Security Tester (AST)
  • Senior Security Tester (SST)
  • Certified Penetration Tester (CPT)
Stay tuned and let no trespasser penetrate your undefeated system.

We love what we do and do it with pleasure.
QA Camp team
