What is a Penetration Test?
A Penetration test, or pen test, is the process an ethical hacker conducts on a target and the IT environment to uncover vulnerabilities by exploiting them. The goal is to gain unauthorized access through exploitation which can be used to emulate the intent of a malicious hacker. Penetration test reports may also assess potential impacts on the organization and suggest countermeasures to reduce risk.
Pen tester or ethical hacker is trying to do what a blackhat or malicious hacker would try to do to breach a system, machine, server or break security controls in order to steal sensitive information or somehow damage the organization.
Phases of a Penetration Test
A Penetration Test is often broken down into the following phases:
- Threat Modeling and Vulnerability Identification
- Exploitation (gaining access)
- Post-exploitation (maintaining access)
- Covering tracks
- Resolution & Re-Testing
A pen test is often initiated by a variety of changes in an IT environment including application launches, major network/application changes or updates, compliance regulations or a breach/leak from a targeted attack. Again, the end goal of an ethical hacker is to gain unauthorized access to a system by means of exploiting vulnerabilities or gaps in security processes.
What are the Different Types of Penetration Testing?
Pen testing is often based on the level of knowledge and access given to the pen tester for very specific reasons. The range runs from black-box testing, where the tester is given minimal knowledge of the target system(s), to white-box testing, where the tester is granted a high level of knowledge and access. There are benefits to each type of testing which we will address.
In a black-box scenario, the penetration tester is placed in the role of a true hacker, with no internal knowledge of the target system. Testers are not provided with any architecture diagrams or source code that is not publicly available. A black-box penetration test determines the vulnerabilities in a system that are exploitable from outside the network.
Black-box penetration testing relies on the skill of the ethical hacker and their analysis of currently running programs and systems within the target network. Black-box penetration testers are typically highly skilled must be familiar with automated scanning tools such as nmap and Metasploit and methodologies for manual penetration testing.
If a black-box tester is examining a system from an outsider’s perspective, a gray-box tester has the access and knowledge level of a high-level employee, often with elevated privileges on priority systems. Gray-box pen testers typically have some knowledge of a network’s internals, potentially including design and architecture documentation and an account internal to the network.
The purpose of Gray-box pen testing is to provide a more focused and efficient assessment of a network’s security than a black-box assessment. Leveraging the design document for the network a Gray-box pen tester can focus their attention on the systems with the greatest risk and value from the start, rather than spending time determining this information on their own. In addition, with legitimate access to systems testing of security inside the hardened perimeter simulates an attacker with longer-term access to the network.
White-box testing falls on the opposite end of the range from black-box testing; penetration testers are given full access to source code, architecture documentation and other information about the environment and systems. The main challenge with white-box testing is sifting through the massive amount of data available to identify potential points of weakness, making it the most time-consuming type of penetration testing.
Unlike black-box and gray-box testing, white-box penetration testers are able to perform static code analysis, making familiarity with source code analyzers, debuggers, and similar tools important for this type of testing.
White-box penetration testing provides a comprehensive assessment of both internal and external vulnerabilities, making it the best choice for calculation testing. One of the key benefits of this type of testing is to find coding errors in the early stages of software development.