A penetration test, or ‘pen test’ as it is otherwise known, is where organizations carry out simulated cyber-attacks on their networks in order to identify vulnerabilities, thus enabling them to fine-tune security policies, and ensure that the relevant patches are installed.
Many data protection regulations such as PCI DSS, HIPAA, FINRA, and others, require that covered entities regularly test the security measures they have in place. Penetration testing is the means by which to do that.
How is Pen Testing Used?
Pen testing can be used to test a variety of systems, features, devices, and applications, such as Application Programming Interfaces (APIs), Web Application Firewalls (WAFs), DNS servers, and websites. It’s always a good idea to rigorously test any public-facing web forms you have, as it is often the case that their inputs have not been properly validated or sanitized, which opens up the possibility of code injection attacks. Pen testing is typically broken into five stages:
Penetration Testing Stages
1. Planning and reconnaissance
This is where you define the scope of your pen-testing activities, which includes creating an inventory of all systems, features, assets, and devices. It also includes defining your testing methods and outlining your goals and objectives.
2. Application security scanning
This stage involves using vulnerability scanning tools to gain knowledge about how an application responds to security threats. There are two types of vulnerability scan: static analysis and dynamic analysis. Static analysis is where you scan an application’s code in an attempt to identify potential vulnerabilities. Dynamic analysis looks for the same weaknesses, only the scan is carried out while the application is running, in order to monitor how it responds to potential threats in real time.
3. Gaining access and exploiting vulnerabilities
If you manage to find vulnerabilities in your network, the next step is to try to exploit them. This might include launching an SQL injection or cross-site scripting attack, intercepting traffic, escalating privileges, and so on. You must ensure that all vulnerabilities and successful exploits are well documented.
4. Maintaining access
Once you’ve gained access to your network, the trick is to see how long you can maintain access without sounding any alarms. Advanced Persistent Threats (APTs), as they are known, can remain in a system for months, quietly leaking sensitive information.
5. Analysis and reporting
Once you have completed your penetration tests, you will need to compile all of your findings into one or more detailed reports. The report must contain detailed information about:
- The vulnerabilities that were found;
- The vulnerabilities that were exploited and how they were exploited;
- The systems, features, assets, and devices that were involved;
- The length of time the pen tester was able to remain in the system before getting noticed.
This information must be analyzed by the relevant security personnel to help them establish a plan to remediate these issues, which might include installing the relevant patches, addressing any form validation issues, configuring firewalls, and making improvements to their APIs.
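To make stages 2 and 3 and the remediation step concrete, here is an added example (it is not code from the original article or from Lepide) that follows a single finding of the kind described above, a web-form field spliced straight into a SQL query, through a crude static check, a dynamic check that confirms the input widens the result set, and the parameterized-plus-validated fix that the remediation plan would call for. The in-memory SQLite table, the usernames, the `lookup_*` functions and the regular expressions are all constructed for illustration.

```python
"""Added example: one injection finding traced through scan, check and fix.

Everything here is constructed for illustration (an in-memory SQLite table,
a made-up username lookup); it is not code from the original article.
"""
import inspect
import re
import sqlite3

# Constructed sample data standing in for a web application's user store.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Build a throwaway in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The 'before' state a pen test flags: the form field is spliced into the SQL text."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """The fix: the input is bound as a parameter, so the driver treats it as data only."""
    rows = conn.execute("SELECT email FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


# Stage 2, static analysis: a crude source scan for SQL built by string concatenation.
CONCAT_SQL_RE = re.compile(r"""\b(SELECT|INSERT|UPDATE|DELETE)\b[^"']*["']+\s*\+""",
                           re.IGNORECASE)


def static_check(source):
    """Return 1-based line numbers in `source` where a SQL statement is concatenated."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if CONCAT_SQL_RE.search(line)]


# Stage 3, dynamic check: a tautology in the field should never widen the result set.
TAUTOLOGY_INPUT = "' OR '1'='1"   # constructed test input, the textbook form-field case


def dynamic_check(lookup):
    """Return True when `lookup` returns more rows for the tautology than for a real user."""
    conn = make_db()
    baseline = lookup(conn, "alice")
    widened = lookup(conn, TAUTOLOGY_INPUT)
    return len(widened) > len(baseline)


# Remediation: validate the field's shape before it ever reaches the query.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def lookup_validated(conn, username):
    """Defence in depth: allow-list the username format, then run the parameterized query."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username failed validation")
    return lookup_parameterized(conn, username)


def validation_rejects(username):
    """True when the validated lookup refuses `username` outright."""
    try:
        lookup_validated(make_db(), username)
    except ValueError:
        return True
    return False


def run_assessment():
    """Collect the evidence a stage-5 report would record for this one finding."""
    return {
        "vulnerable_static_findings": static_check(inspect.getsource(lookup_vulnerable)),
        "parameterized_static_findings": static_check(inspect.getsource(lookup_parameterized)),
        "vulnerable_exploitable": dynamic_check(lookup_vulnerable),
        "parameterized_exploitable": dynamic_check(lookup_parameterized),
        "validation_rejects_tautology": validation_rejects(TAUTOLOGY_INPUT),
    }


if __name__ == "__main__":
    print(run_assessment())
```

Run it directly and it prints the evidence a stage-5 report would record: the static check fires only on the concatenated query, the dynamic check is true only for the vulnerable lookup, and the validated lookup rejects the tautology before any SQL runs. The static regex is deliberately crude; real static analysis tools track data flow from the request into the query rather than matching one line at a time.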
Penetration Testing Methods
There are a variety of pen testing methods that can be used, some of which include:
External testing
This is where the pen tester will target public-facing servers, applications, websites, and data. This includes email accounts and cloud storage containers.
Internal testing
This is where the pen tester assumes the position of a malicious or negligent employee. They will try as many ways as possible to either escalate their privileges or expose sensitive data.
Blind/double-blind testing
In a blind test, the tester will have limited knowledge of the system they are required to attack. Typically, they will only be given the name of the organization. With double-blind testing, the security team won’t be given any prior notice of the attack.
Targeted testing
Unlike blind and double-blind testing, targeted testing is where both the pen tester and the security team work together, keeping each other informed about what they are doing so that they can monitor the effectiveness of both their security controls and their pen testing efforts.
If you’d like to see how the Lepide Data Security Platform can add context to and improve your pen testing, schedule a demo with one of our engineers or start your free trial today.