
What is Penetration Testing? And its different characteristics.

17/06/2012 Article

BG

Penetration testing is the next level up after a vulnerability assessment and is the process by which you find out how the systems really behave. You will likely extend your analysis of the vulnerabilities exposed by the vulnerability assessment and search for further, undetected vulnerabilities.

Penetration Testing Definition

Penetration tests are “the use of exploitive techniques to determine the level of risk associated with a vulnerability or collection of vulnerabilities”. Purely and simply, it is the process of performing an attack against your own systems to see how far you get and how severe that really is. Because this is friendly fire, there are rules to which you must adhere so that the attempted breach does not itself cause problems. Most obviously, DDoS testing must never reach the point where the ethical hacker disrupts a service in a live environment.

Characteristics of Penetration Testing

Ethical hackers most typically perform penetration tests against the perimeter of the network from the outside. This is because of a few factors:

  • Traditionally the focus of security has been to secure the perimeter and keep a controlled environment on the inside.
  • Penetration testing is time consuming and thereby expensive.
  • The potential number of attackers is far greater in the big wide world than on the inside of an organisation.

The only one of these that remains particularly valid is the time and expense.

With the influx of BYOD, the multitude of platforms demanded by users (if for no other reason than as “corporate bling”) and the relative strength of today’s perimeters, internal penetration testing is perhaps more important than ever.

The Three Types of Pen Testing Team:

  • Glass box
    • The attacking team is given full information about the network internally and externally and services
    • Cheapest as can make logical leaps without laborious discovery processes
    • Potentially more in depth as does not rely on what a particular team can discover
    • Does not show how systems and staff respond to probing etc
    • Internal staff are expecting the attack
  • Black box (a.k.a Blind Testing)
    • The attacking team is given high level details usually restricted to relatively obvious (external surface) information
    • Cheaper than “No box” as shorter but does require discovery processes once past the basics
    • Much more realistic so shows system responses to probing etc
    • Shows what can be discovered, though must never be assumed as exhaustive
    • Internal staff are expecting the attack
  • No box (a.k.a Double Blind)
    • The attacking team is given the name of the target
    • Potentially allows the attacking team to think outside the box a little more
    • Most expensive
    • As realistic as it can get
    • Internal staff are not expecting the attack – shows everything for how it really is

There are other types of test as well, such as DoS testing, Application Security Testing, War Dialling, Wireless Network Testing, Social Engineering and VoIP Testing. These are all much more focused on a particular area, so we can employ them when a specific system or area might be at risk but we do not understand the exact extent of that risk.

Difference Between Penetration Testing and Real Attack

One of the main differences between a penetration test and a real attack is that in business it is important to be able to relay your findings, report back on your activities and perform within the allowed boundaries. Real attacks have neither those restrictions nor those reporting functions. The motivations are very different, and so the results are going to be different.

That said, penetration tests do need to have structure and reporting functions. So YGHT provides you with a good general methodology:

  1. Reconnaissance / Discovery
  2. Enumeration
  3. Vulnerability Analysis
  4. Execution
  5. Documentation

The above is fairly self-explanatory; the one thing to note is that it is possible to adapt this into more of a waterfall method that maps onto each layer of defence in a known (or suspected) defence-in-depth network.
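As an added illustration (not the article's or YGHT's own code), here is a small Python model of the five-step methodology with the rules-of-engagement point from the definition section built in: every recorded finding must come from an action inside the agreed scope, outside the excluded techniques (no DoS against live services) and within the agreed testing window, and the documentation step groups findings per defence layer in methodology order, as the waterfall adaptation suggests. The scope range, the excluded technique and the hours are constructed values.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from ipaddress import ip_address, ip_network

class Phase(IntEnum):  # the five methodology steps, in the article's order
    RECONNAISSANCE = 1
    ENUMERATION = 2
    VULNERABILITY_ANALYSIS = 3
    EXECUTION = 4
    DOCUMENTATION = 5
@dataclass
class RulesOfEngagement:
    in_scope: list   # agreed CIDR ranges (constructed values at the bottom)
    forbidden: set   # techniques the rules exclude, e.g. {"dos"}
    window: tuple    # (start_hour, end_hour) on a 24-hour clock
    def permits(self, target: str, technique: str, hour: int):
        # Return (allowed, reason) for a proposed action against a target.
        if technique in self.forbidden:
            return False, f"technique '{technique}' is excluded by the rules"
        if not any(ip_address(target) in ip_network(c) for c in self.in_scope):
            return False, f"{target} is outside the agreed scope"
        start, end = self.window
        if not start <= hour < end:
            return False, f"hour {hour} is outside the agreed testing window"
        return True, "permitted"
@dataclass
class Finding:
    phase: Phase
    layer: str       # defence-in-depth layer, e.g. "perimeter", "internal"
    target: str
    detail: str
@dataclass
class Engagement:
    roe: RulesOfEngagement
    findings: list = field(default_factory=list)
    def record(self, finding: Finding, hour: int, technique: str = "probe"):
        # Log a finding only if the action behind it was within the rules.
        allowed, reason = self.roe.permits(finding.target, technique, hour)
        if not allowed:
            raise PermissionError(reason)
        self.findings.append(finding)
    def report(self):
        # Documentation step: findings per defence layer, in methodology order.
        layers = {}
        for f in sorted(self.findings, key=lambda f: (f.layer, f.phase)):
            layers.setdefault(f.layer, []).append((f.phase.name, f.target, f.detail))
        return layers

# Constructed engagement: a TEST-NET scope, a no-DoS rule and an evening window.
ROE = RulesOfEngagement(["192.0.2.0/24"], {"dos"}, (18, 23))
```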
