Conducting a successful penetration test is a challenge for even the most experienced tester. It involves much more than simply running tools and probing systems. Rather, it requires a lot of skill and experience, as testers need to know what vulnerabilities to look for, where to find them and how to exploit them.
However, penetration testing isn’t a dark art. All testers should follow a series of steps to guide them through the process, which we’ve outlined here.
1. Approval and scope
You’ll obviously need formal approval from the organisation to conduct a penetration test. The process essentially involves mimicking an actual cyber attack, so whether you’re an internal or external tester, senior staff wouldn’t be pleased to hear that you’ve taken it upon yourself to probe their organisation, even if you assure them that you’ve identified serious vulnerabilities that can be easily resolved.
The approval process involves a lot more than being given the green light for testing. It should involve a discussion between the testers and senior staff, laying out which parts of the organisation’s systems are to be tested. There are four options:
- Network penetration testing
- Web application penetration testing
- Wireless penetration testing
- Simulated phishing
These discussions should lead to documented agreements on the scope of the test, including the rules of engagement. This describes what the testing team is and isn’t allowed to do, and protects the testing team if any problems arise during their work.
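Once the scope and rules of engagement are written down, the testing team should also enforce them in its own tooling so that nobody probes a host the client never agreed to. The following is an added illustration of that idea, not code from this post or from Henry's book: it reads a small rules-of-engagement record (constructed here with documentation IP ranges) and checks each candidate target against the agreed in-scope ranges, the explicit exclusions and the agreed testing window before any tool is pointed at it. The `RulesOfEngagement` structure, the field names and the sample ranges are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class RulesOfEngagement:
    """Hypothetical, minimal record of what the client agreed to (example structure)."""
    in_scope: list          # CIDR ranges the client agreed may be tested
    out_of_scope: list      # hosts or ranges explicitly excluded; exclusions always win
    window_utc: tuple       # (start_hour, end_hour) of the agreed testing window, UTC


def _networks(entries):
    """Parse CIDR strings (a bare address is treated as a /32 or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def in_window(window_utc, hour_utc):
    """True if hour_utc falls in the window; handles overnight windows like 22-06."""
    start, end = window_utc
    if start <= end:
        return start <= hour_utc < end
    return hour_utc >= start or hour_utc < end


def check_target(roe, target, hour_utc):
    """Return (allowed, reason). Exclusions are checked before inclusions so that a
    carve-out inside an in-scope range (e.g. a production database) is always honoured."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False, f"{target!r} is not an IP address; resolve hostnames before checking"
    for net in _networks(roe.out_of_scope):
        if addr in net:
            return False, f"{target} is explicitly excluded by {net}"
    if not any(addr in net for net in _networks(roe.in_scope)):
        return False, f"{target} is not in any agreed in-scope range"
    if not in_window(roe.window_utc, hour_utc):
        return False, f"{hour_utc:02d}:00 UTC is outside the agreed testing window"
    return True, "in scope and inside the agreed window"


def filter_targets(roe, targets, hour_utc):
    """Keep only the targets the rules of engagement permit right now."""
    return [t for t in targets if check_target(roe, t, hour_utc)[0]]


# Constructed sample agreement using RFC 5737 documentation ranges (not a real client).
SAMPLE_ROE = RulesOfEngagement(
    in_scope=["192.0.2.0/24", "198.51.100.0/25"],
    out_of_scope=["192.0.2.10"],        # e.g. a production database host carved out
    window_utc=(22, 6),                 # overnight window agreed with the client
)

if __name__ == "__main__":
    candidates = ["192.0.2.5", "192.0.2.10", "203.0.113.7", "198.51.100.200", "web.example"]
    for t in candidates:
        print(t, check_target(SAMPLE_ROE, t, 23))
    print("would test:", filter_targets(SAMPLE_ROE, candidates, 23))
```

Running the checker before each scanning or exploitation step turns the written agreement into a hard stop rather than something the team has to remember under time pressure; the out-of-scope list is deliberately checked first so that a carve-out inside an agreed range can never be overridden.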
2. Decide how the test will be conducted
Penetration tests can be conducted in a number of ways:
- Zero knowledge testing: the testers are given only the essential information about their target. It replicates scenarios in which attackers don’t have inside knowledge of the organisation, forcing the testers to seek out information from publicly available sources, such as social media and the organisation’s website.
- Partial knowledge testing: the testers are given some information about the target’s systems, IP addresses, network configurations, physical locations and any other relevant details. This is the most common type of test conducted by external parties, and is often the most economical and effective.
- Full knowledge testing: the testers are given as much information as they wish. This usually only occurs for internal testers performing regular assessments of their organisation’s systems.
- Blind testing: the test is conducted without the knowledge of the organisation’s administrators. This allows the testers to assess whether admin staff detect the intrusion and to monitor their responses.
- Double blind testing: neither the security team nor the administrators are told about the penetration test.
3. Select your team
You’ll probably have a team of testers, each of whom will have their own areas of expertise. Using whatever knowledge you have about the target and the scale of the test, you’ll have to decide who’ll be most suitable for the job.
Tests should always be conducted in conditions that resemble the real world as much as possible. However, exceptions will sometimes be necessary for the sake of convenience. Some testing teams will ask the client organisation to open certain firewall ports or enable particular services. Others might want to place someone inside the organisation who can monitor the test and enable the team to react quickly if business operations are affected.
The tools you use should be based on the type of test. Sometimes you’ll need to penetrate the organisation discreetly, which will require subtle, under-the-radar tools and techniques. Other times, the main objective will be to work as quickly as possible, which often requires powerful, noticeable tools.
With the right tools, team and plan in place, you are ready to begin testing.
Learn more about penetration testing
The advice in this blog is based on an excerpt from our June book of the month: Penetration Testing – Protecting Networks and Systems, by Kevin M. Henry.
Henry’s guide to penetration testing provides essential information on “the thoughts, motivations and actions of an attacker against an organisation or individual, so that each of us can better defend our systems, our intellectual property and our values”.