Categories Topics
Description
Penetration Testing

Overview
A Penetration Test (also known as "Pentest") is the process of testing the effectiveness of an organization's security controls by simulating an "attack" from malicious outsiders or insiders. An organization will usually hire an independent company to analyze the organization's networks, applications, systems and procedures to find and exploit vulnerabilities, as a potential attacker would. The weaknesses found and potential impact, along with recommended mitigating controls to prevent such attacks in the future, would then be reported to the organization to improve overall security.

Guidelines
Pentests should be part of the organization's overall information security program and audit process and performed at least annually. Organizations should hire Penetration testers after approval of executive management and without the knowledge of system and application owners. Such tests should be performed with an element of surprise to test effectiveness of the organization's procedures to respond to and thwart an attack, similar to what may happen in the real world.

The primary objective is to find vulnerabilities and report them to security management team as well as to provide some assurance to management that defenses cannot be penetrated by a malicious attacker.   Pentests can be planned by providing the Pentest company with little or no information on the organization or controls (sometimes called "blackbox" testing). Alternatively, organizations can choose to give the Pentester more details to include network diagrams, system configurations, source code, etc. with a simulation of an insider attack or "data leakage" to an outsider (or "whitebox" testing).

Some Pentest examples should include the following use cases, at minimum:
  • Perform application scans of critical internet facing web applications for vulnerabilities
  • Test for network security weaknesses (e.g. scan for misconfigured wireless access points and devices, networks that allow non-authorized devices to connect)
  • Social engineering attacks (e.g. attempting to take advantage of weak identity and access controls, like help desk password resets)
  • Physical access (e.g. test lax security desk controls, access points, emergency doors or side entrances, etc.)
  • Scan for internal system vulnerabilities (e.g. insecure protocols being used that expose credentials in clear text, unpatched systems that can be exploited for unauthorized access, privilege escalation of accounts)
  • Data Loss Prevention (e.g. attempting to remove data via removable media, external drives, etc.)
Pentests can also be used to provide assurance that security controls are being improved year to year to show how the organization is improving their security program to protect critical data. For example, for new organizations just starting out, Pentests may expose a higher number of vulnerabilities that provide justification to prioritize and implement security controls using a risk-based approach. As each subsequent Pentest is completed, the organization should show improvement and demonstrate how previous gaps exposed were remediated.

Topic Category
Information Security Program
 
News Articles
Salesforce sacks two top security engineers for their DEF CON talkwww.theregister.co.uk8/10/2017
Meet MailSniper, a tool to search Microsoft Exchange emails for sensitive infowww.networkworld.com9/26/2016
How often should you conduct penetration testing?www.zdnet.com8/4/2014
Hacking Your Way Through Airports and Hotelswww.tripwire.com11/14/2013
Enterprise giant SAP's systems take a probe to the wobbly bits - reportwww.theregister.co.uk11/13/2013
Blighty's banks prep for repeated kicks to cyber-'nads in Operation Waking Shark IIwww.theregister.co.uk11/11/2013
Fake femme fatale dupes IT guys at US government agencynakedsecurity.sophos.com11/3/2013
Cisco launches open-source tool for penetration testerswww.zdnet.com9/25/2013
Jigsaw Pen-Testing Tool Spotted in Attacksthreatpost.com8/19/2013
Hacking 101: Metasploit, cross-site scripting, and SQL injectionwww.zdnet.com6/4/2013
How Facebook Prepared to Be Hackedthreatpost.com3/8/2013
Companies House website security 'a bit of a mess'www.theregister.co.uk11/28/2012