[Secure 101] What is Penetration Testing (pen testing)? How It Conducted?

Penetration Testing (or pen testing) is a mechanism used to verify whether network defenses are functioning as expected. This test simulates the behavior of hackers and malicious users attempting to breach a company’s website, information systems, or devices, and analyzes the target's risk level to assess whether security measures need enhancement. The ultimate goal is to identify and rectify security vulnerabilities before a real attack occurs.

Differences between Vulnerability/Source Code Scanning and Penetration Testing

Vulnerability and source code scanning are performed by automated scanning software. They are cost-effective and quick to execute, but they can only detect already known vulnerability patterns, such as security issues in programming syntax.

Penetration testing, on the other hand, simulates hacker attacks through a combination of tactics to verify whether defenses can actually be breached. It can detect the latest security vulnerabilities and provide recommendations for remediation, but it is more expensive and requires longer preparation.

Types of Penetration Testing

The following types are provided by Cloudflare:

  • Open-box Pen Test: In an open test, hackers will be given some information about the target company’s security in advance.

  • Closed-box Pen Test: Also known as a "single-blind" test, in this scenario, hackers receive no background information other than the target company’s name.

  • Covert Pen Test: Also called a "double-blind" penetration test, in this situation, almost no one in the company is aware that a penetration test is being conducted, including IT and security professionals who would respond to an attack. In covert tests, hackers must clearly define the scope and other details of the test in writing beforehand to avoid legal issues.

  • External Pen Test: In an external test, ethical hackers attempt to breach the company’s external technology, such as its website and external network servers. In some cases, hackers may not even enter the company’s building. This could mean they conduct attacks remotely or from a truck or van parked nearby.

  • Internal Pen Test: In an internal test, ethical hackers perform tests from within the company’s internal network. This type of test can determine how much damage a disgruntled employee might cause from behind the company firewall.

Preparation Before Pen Testing

Before conducting penetration testing, it’s common to perform a "vulnerability scan" or "source code scan" and fix the visible vulnerabilities first, then run the simulated penetration to verify whether those known vulnerabilities can still be exploited for an intrusion.

Additionally, since penetration testing is a form of "vulnerability probing" and involves intrusion into company property, unauthorized penetration testing may be illegal in many countries. Therefore, it is crucial to agree on the test targets (website or host) with the vendor and sign a contract and consent form to avoid legal disputes.
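As an added illustration of the point above (this code is not part of the original article), here is a small Python scope guard that a testing team could run before any tool touches a host: it checks a proposed target against the networks, domains, exclusions and time window recorded in the signed agreement. The agreement values and the `in_scope` helper are hypothetical, and the addresses and names used are documentation-only ranges.

```python
import ipaddress
from datetime import datetime

# Constructed example of what a signed scope agreement records (hypothetical
# values; 203.0.113.0/24 and example.com are documentation-only ranges/names).
AUTHORIZED_SCOPE = {
    "networks": ["203.0.113.0/24"],
    "domains": ["example.com"],            # the domain and its subdomains
    "exclusions": ["203.0.113.250", "hr.example.com"],
    "window": ("2024-06-01T00:00:00+00:00", "2024-06-07T23:59:59+00:00"),
}

def _split(entries):
    """Separate agreement entries into IP networks and DNS names."""
    nets, doms = [], []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            doms.append(entry.lower().rstrip("."))
    return nets, doms

def _matches(target, nets, doms):
    """True if target is an address inside nets or a name under doms."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        name = target.lower().rstrip(".")
        # Suffix match requires the dot, so "notexample.com" never matches.
        return any(name == d or name.endswith("." + d) for d in doms)
    return any(addr in n for n in nets)

def in_scope(target, when_iso, scope=AUTHORIZED_SCOPE):
    """Return (allowed, reason) for testing `target` at time `when_iso`.
    Exclusions override every allow rule, and nothing is allowed outside
    the agreed testing window."""
    when = datetime.fromisoformat(when_iso)
    start, end = (datetime.fromisoformat(t) for t in scope["window"])
    if not start <= when <= end:
        return False, "outside agreed testing window"
    if _matches(target, *_split(scope["exclusions"])):
        return False, "explicitly excluded by agreement"
    if _matches(target, *_split(scope["networks"] + scope["domains"])):
        return True, "authorised"
    return False, "not in agreed scope"
```

A real engagement would load the scope from the signed document rather than a literal, and log every refused target so the refusal itself is auditable.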

Pen Testing Process

The process of penetration testing includes:

  1. Project Requirements Confirmation: Confirm the testing requirements and sign legal authorization, an essential step to ensure the tester's actions are legal.

  2. Preparation Phase: Confirm the testing methods, scope, and time, and gather publicly available information about the target.

  3. Information Gathering: Develop strategies, gather data, and analyze information according to the OSSTMM framework.

  4. Data Analysis and Vulnerability Scanning: Use OWASP standards to perform risk scanning, pre-emptively eliminating known issues.

  5. Target Penetration: Execute actual penetration actions to attempt to breach the system.

  6. Vulnerability Reporting: After testing, write a report detailing various vulnerabilities and remediation recommendations.

After obtaining the report, the operations team will follow the report’s content to patch the system. Finally, according to the contract, discussions may be held to determine whether retesting is necessary.

Standard Items in Pen Testing

Currently, there is no unified mandatory standard for penetration testing, but tests are usually conducted following public security testing items like OWASP Top 10. Here, we provide three mainstream testing standards: OWASP, OSSTMM, and SANS.

OWASP Top 10

The Open Web Application Security Project (OWASP) is an international non-profit organization dedicated to web application security. All of their materials are freely available and easily accessible on their website, enabling anyone to improve their web application security.

The OWASP Top 10 is one of the most widely adopted security checklists globally, with the latest version being OWASP Top 10 2021.

  • A01:2021 - Broken Access Control

  • A02:2021 - Cryptographic Failures

  • A03:2021 - Injection

  • A04:2021 - Insecure Design

  • A05:2021 - Security Misconfiguration

  • A06:2021 - Vulnerable and Outdated Components

  • A07:2021 - Identification and Authentication Failures

  • A08:2021 - Software and Data Integrity Failures

  • A09:2021 - Security Logging and Monitoring Failures

  • A10:2021 - Server-Side Request Forgery (SSRF)

OSSTMM

The Open Source Security Testing Methodology Manual (OSSTMM) is a comprehensive framework covering areas such as vulnerability scanning, penetration testing, and social engineering. Below are the items listed under the Information Security Testing category:

  • Footprinting: Identify and gather publicly available information about the target system or network.

  • Scanning: Use tools and techniques to identify open ports, services, and vulnerabilities in the target system.

  • Enumeration: Obtain detailed information about the internal structure of the target system or network, such as usernames, system names, and shared resources.

  • Vulnerability Assessment: Analyze known vulnerabilities in the system and assess their potential impact.

  • Exploitation: Attempt to exploit identified vulnerabilities to gain unauthorized access to the system.

  • Post-Exploitation: After gaining system access, further explore and exploit other system resources or data.

  • Reporting: Summarize the penetration test results, providing vulnerability descriptions and remediation recommendations.

SANS Top 20

The SANS 20 Security Controls, published by the Center for Strategic and International Studies (CSIS), are prioritized mitigation measures that help improve cybersecurity. They consist of 20 controls that address common attack vectors and help fix potential vulnerabilities.

  • CSC 1: Inventory of Authorized and Unauthorized Devices

  • CSC 2: Inventory of Authorized and Unauthorized Software

  • CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

  • CSC 4: Continuous Vulnerability Assessment and Remediation

  • CSC 5: Controlled Use of Administrative Privileges

  • CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs

  • CSC 7: Email and Web Browser Protections

  • CSC 8: Malware Defenses

  • CSC 9: Limitation and Control of Network Ports, Protocols, and Services

  • CSC 10: Data Recovery Capability

  • CSC 11: Secure Configurations for Network Devices, such as Firewalls, Routers, and Switches

  • CSC 12: Boundary Defense

  • CSC 13: Data Protection

  • CSC 14: Controlled Access Based on the Need to Know

  • CSC 15: Wireless Access Control

  • CSC 16: Account Monitoring and Control

  • CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps

  • CSC 18: Application Software Security

  • CSC 19: Incident Response and Management

  • CSC 20: Penetration Tests and Red Team Exercises