Penetration testing or pen-testing refers to the act of simulating the hacking methodologies on an information system in a controlled environment to identify and rectify the vulnerabilities before they are exposed to the real world. The people carrying out this activity are known as penetration testers. In addition to identifying the vulnerabilities, penetration testing also helps identify the loopholes in the security policies for a system at various levels and compliance adherence to the established policies.
Although it is good to have a periodic round of penetration testing of the system, it becomes necessary once there is:
- A network configuration change
- A major application-level change
- A change in the infrastructure
- Environment upgrade
- Policy update
- Third-party system integration
The penetration testing process, in order to be effective, is properly planned and documented before the actual execution. Some important phases in penetration testing include:
Target system identification: This includes the identification of the information systems that require to undergo the process of penetration testing.
Attack surface identification: This deals with identifying the scope of testing. It will include the modules of the system which need to be tested and the environment the testing is to be carried within.
Strategy determination: This caters to identifying the kind of testing that is required. There might be a need for non-destructive techniques or the system might need destructive testing. This basically lays down the strategies of testing that will be allowed for an environment.
Tools: Identification and approval of tools to be used in the process. It is essential to get the tools and usage plan approved prior to actually using them. This is mainly because the tools tend to be destructive in nature and need to be handled by the team expertly and the system owner needs to be aware of any risks. There are a lot of standard tools in the market and open source that makes it really easy to identify standard system vulnerabilities. Some of these tools include Metasploit, Netsparker, Probely, Nmap, Wireshark, and so on.
Schedule: This refers to creating a test plan schedule. This not only helps the tester with a timeline but also provides information on the state and requirements to the information system stakeholders.
Deliverables: It is important to agree upon the success criteria and the final deliverables that are expected and required by the system owners. A clear understanding of this saves resources and this should be done prior to actually starting the testing.
Approvals: Once the test plan is ready and the execution path is clear, approvals must be sought from the system owners for the activities. This helps in clearing any misunderstanding and whatever risks might be involved in the process for the system can be made clear at this point.
Execution: This phase is the actual execution of the test plan. This often involves the use of automated tools that are calibrated for standard vulnerabilities.
Reporting: Once the test plan is executed, the results need to be documented in a standard format that is agreed upon. The report must include all the tests performed, their results, probable risk impact on the system, and any other findings.
While there is a very fine line between a penetration tester and an ethical hacker, the end result is often the same: pre-emptive identification of vulnerabilities to prevent real-world damage.
Hope this was helpful.