Penetration Testing 101
What is Penetration Testing?
With a penetration test, also known as a “pen test,” a company hires a third party to launch a simulated attack designed to identify vulnerabilities in its infrastructure, systems, and applications. It can then use the results of that simulated attack to fix any potential vulnerabilities. It’s one way organizations can evaluate and strengthen their overall security posture.
Why are penetration tests important?
Pen testing may seem like an unnecessary step in an already lengthy compliance process, but the benefits are usually well worth the extra time and effort. Here are a few advantages of penetration testing:
Prevent costly breaches
As attacks become more common and take on new forms, companies are increasingly relying on pen tests to identify and address potential security gaps.
A review of cybersecurity breaches since 2011 found that the average cost of a cyber-breach at a publicly traded company is $116 million. Some of the costliest breaches include Equifax in 2017 ($1.7 billion), The Home Depot in 2014 ($298 million), Target in 2013 ($292 million), and Marriott in 2018 ($118 million).
Strengthen customer trust
Customers may ask you to perform an annual third-party pen test as part of their procurement, legal, and security due diligence.
Put previous doubts to rest
A pen test can prove that previous application security issues, if any, have been resolved in order to restore customer and partner confidence.
Assist with compliance
Required by Providers
Are you planning on integrating with services such as Google Workspace? If so, Google may require you to perform a pen test in order to access certain restricted APIs.
What happens during a penetration test?
Now that we’ve covered what penetration testing is and why it is important, let’s get into the details of the process.
First, who performs penetration testing?
With pen tests, you’re essentially inviting someone to try to break into your systems so that you can keep other people out. Using a pen tester who doesn’t have prior knowledge or understanding of your architecture will give you the best results.
That’s why pen tests are most often conducted by outside consultants. These security experts are trained to identify, exploit, and document vulnerabilities and use their findings to help you improve your security posture. Most pen testers are security consultants or experienced developers who have a certification for pen testing. Penetration testing tools like Nmap and Nessus are also available.
Next, how is penetration testing done? Generally, a pen test follows these steps:
The Penetration Test Process
Which systems and scoping methods will be used in your penetration test? Because the pen tester could gain access to private information in the course of their work, both parties should sign a non-disclosure agreement before starting the pen test.
Once you’ve agreed on the scope of your pen test, the pen tester will gather publicly available information to better understand how your company works. That could entail using web crawlers to identify the most attractive targets in your company architecture, network names, domain names, and a mail server.
Identifying Threats and Vulnerabilities
The pen tester will identify potential vulnerabilities and create an attack plan. They’ll probe for vulnerabilities and open ports or other access points that may provide information about system architecture.
The pen tester will exploit identified vulnerabilities via common web app attacks such as SQL injection or cross-site scripting, and attempt to recreate the fallout that could occur from an actual attack. That typically means the pen tester will focus on gaining access to restricted, confidential, and/or private data.
Maintaining Exploits/Lateral Movement
As the pen tester maintains access to a system, they will collect more data. The goal is to mimic a persistent presence and gain in-depth access. Advanced threats often lurk in a company’s system for months (or longer) in order to access an organization’s most sensitive data.
The pen testing firm typically provides an initial report of its findings and gives you an opportunity to remediate any discovered issues. After remediation is complete, the firm will attempt those known exploits again to find out whether the fixes are sufficient to prevent future attacks.
Analysis and Reporting
The pen tester creates a final report summarizing:
- Exploitable vulnerabilities and the potential impact(s) of a breach. Vulnerabilities should be ranked by risk level and type.
- Restricted, confidential, and/or private data that was accessed.
- The duration of time that the pen tester remained undetected in the company’s systems.
- Whether the vulnerabilities identified were remediated successfully.
Ultimately, this report should do two things: outline the largest strategic threats from a business perspective (for management) and describe the technical threats that should be fixed (e.g. through security upgrades).
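As an added illustration (not part of the original article or any pen testing firm's tooling), the sketch below turns a list of findings into the two views described above: a management summary and a ranked technical fix list. The field names, finding IDs, risk labels, retest states, and timestamps are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample findings; every field name and value here is an assumption.
FINDINGS = [
    {"id": "F-1", "title": "SQL injection in search form", "type": "injection",
     "risk": "critical", "data_accessed": ["customer records"], "retest": "fixed"},
    {"id": "F-2", "title": "Reflected cross-site scripting", "type": "xss",
     "risk": "high", "data_accessed": [], "retest": "still_exploitable"},
    {"id": "F-3", "title": "Unneeded open port on mail server", "type": "exposure",
     "risk": "medium", "data_accessed": [], "retest": "fixed"},
    {"id": "F-4", "title": "Second injection point in export API", "type": "injection",
     "risk": "high", "data_accessed": ["invoices"], "retest": "not_retested"},
]
RISK_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def rank_findings(findings):
    """Sort by risk level, then by type, so the worst issues lead the report."""
    return sorted(findings, key=lambda f: (RISK_ORDER[f["risk"]], f["type"], f["id"]))

def undetected_hours(first_access, first_detection, test_end):
    """Hours the tester went unnoticed; if never detected, count to the end of the test."""
    fmt = "%Y-%m-%d %H:%M"
    start = datetime.strptime(first_access, fmt)
    stop = datetime.strptime(first_detection or test_end, fmt)
    return (stop - start).total_seconds() / 3600

def build_report(findings, first_access, first_detection, test_end):
    ranked = rank_findings(findings)
    by_type = defaultdict(list)
    for f in ranked:
        by_type[f["type"]].append(f["id"])
    open_items = [f["id"] for f in ranked if f["retest"] != "fixed"]
    return {
        # Management view: counts, exposure, and what is still open.
        "management": {
            "counts_by_risk": {r: sum(f["risk"] == r for f in ranked) for r in RISK_ORDER},
            "data_accessed": sorted({d for f in ranked for d in f["data_accessed"]}),
            "hours_undetected": undetected_hours(first_access, first_detection, test_end),
            "unresolved": open_items,
        },
        # Technical view: the ranked fix list and findings grouped by type.
        "technical": {"ranked_ids": [f["id"] for f in ranked], "by_type": dict(by_type)},
    }

if __name__ == "__main__":
    import json
    print(json.dumps(build_report(FINDINGS, "2024-03-04 09:00", None, "2024-03-06 17:00"), indent=2))
```

Anything whose retest state is not "fixed" stays on the unresolved list, so a finding that was never retested is not silently counted as remediated.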