Security 101

Penetration Testing

So what exactly is Penetration Testing?

You have probably heard the term Penetration Testing thrown around in security conversations, or seen it listed in a compliance requirements list, but what exactly is a penetration test? The short answer is this: A penetration test is an attempt by a team of security engineers, using a variety of tools, to test a computer network and identify weaknesses.

The long answer is a little more complex. The goal of a penetration test is to see just how vulnerable your network and systems are to attack. While this may seem straightforward, no two networks are the same, which means no two penetration tests are the same.

What is involved in a Penetration Test?

While each security engineer, team or company has their own distinct methods to test the security of a computer network, most testing involves some of the same steps.

Initial Scoping and Agreements

Defining exactly what the security engineers or ‘Red Team’ will be testing is critical. So is defining the limits of the tests and the timeframes, and getting proper contracts in place.

Reconnaissance & Scanning

Most penetration testing starts with some semi-automated scanning of an environment, either external or internal (whatever is defined in the scope). This helps the Red Team identify potential vulnerabilities to exploit for access.

Social Engineering

Not all penetration tests involve a social engineering step, but when they do, they often provide excellent insight into the security readiness of a company and its employees. During social engineering, the Red Team will use phone calls, emails and even site visits to attempt to gain access to a network by asking employees for credentials or assistance.

Human Intervention / Gaining Access

Once the Red Team has completed the reconnaissance phase and possibly a social engineering phase, they will attempt to gain access to the system or network using the vulnerabilities they have found. They may exploit unpatched servers or weak passwords, or just log in using user credentials they gained during the social engineering efforts.

Collection of Evidence

Once a network has been penetrated, the Red Team will move laterally to collect as much data as possible, working to identify what vulnerabilities and weaknesses they can exploit and to see how much data they can gather.

Reporting

The most important and final phase of the project is always the reporting. This is where the Red Team engineers document their findings, and propose solutions on how to secure the network to better protect against attacks.

What’s the difference between a Vulnerability Scan and a Penetration Test?

People confuse Penetration Testing with Vulnerability Scanning more than any other two terms in security, and it’s usually not their fault. Security vendors and scanning companies often interchange the two either accidentally, or to confuse customers into buying products they don’t need.

Here is our short answer: Penetration testing involves a knowledgeable security engineer who conducts the testing and actively works towards exploiting a network, just like a real hacker. Vulnerability Scanning is typically performed by an automated tool that tests a set of IP addresses for known vulnerabilities, such as out-of-date software or misconfigured firewall settings.

Most penetration testing efforts will include some level of vulnerability scanning. Red Teams often use automated vulnerability scanners to help identify weaknesses in a network and decide where to focus their efforts.

How do I get Started?

The best place to start is to determine exactly what you need. Are you performing the tests to meet some compliance requirements, such as PCI-DSS or NIST 800-53? Determine exactly what your compliance requirements are, and outline what type of testing you will need.

Your next step is to gather some scoping details about what exactly you need to have tested. Are you just testing your internal corporate network, or just your cloud hosting environment? Put together an inventory of the environment, network or application you need to have tested. This will help you get an idea of the scale of the testing efforts, and what exactly will be tested.

The next step is to find a testing partner. Not every penetration testing company is equal. Be sure to ask potential vendors how they perform their penetration testing. Ask them if they produce only automated results, or if they take the time to build custom reports discussing your results in depth. Some companies simply enter your details into an automated testing system and pound away to produce a report. While this approach might be inexpensive, automated tests usually can’t replicate the real-world intelligence of a human attacker. Selecting a vendor that can produce results to meet your compliance needs, while also giving you real security insights, is important. When it comes to securing your network and company, you usually get what you pay for.

Adsero Security offers a full range of Penetration Testing services to meet your compliance and security requirements. Contact us today and we can find a testing solution to meet any budget and requirements.