Penetration testing is kind of an… unfortunate name, but we’re stuck with it. Penetration testing (or “pen testing” for short) is an authorized attempt to find and exploit computer systems. Why would someone want such a thing? The idea is to have the “good guys” find flaws (so that they can be fixed) before the “bad guys” find them.
The goal of penetration testing (aka why a company would pay for such a service) is to:
- Simulate an attack by malicious hackers
- Determine the extent of the system’s vulnerabilities and provide proof-of-concept attacks of those vulnerabilities
- Based on those findings, make recommendations for fixing the issues found in the test
A Penetration Test by any other name…
Either out of convenience (fewer letters) or immaturity (giggling at “penetration” is very middle school), there are a number of other names for penetration testing, like:
- Pen testing
- “White hat” hacking
- Red teaming
- Ethical hacking
White Hat / Black Hat
The mention of “white hat” might make you wonder… are there other hat colors? (yes) Are there other team colors? (also yes).
While ethics in tech aren’t typically so cut-and-dry, hackers are often grouped into “white hat,” “gray hat” and “black hat.”
While there isn’t necessarily much difference in the techniques or tools that the different groups use, the “white hat” end of the spectrum is the (more) legal side, and “black hat” is the definitely not legal side.
The difference legality is due to a difference in authorization. Pen testers or white hats are authorized (and paid) by companies to find vulnerabilities so that they can be fixed. The scope and goal of the tests are agreed upon beforehand.
Additionally, their motivations or intents likely differ. Pen testing is not meant for personal gain, and is instead meant to help the organization involved. Black hat hacking is not so altruistic, and might be motivated by money, revenge, fame, boredom… who knows. In any case, it isn’t the altruism (or lack thereof) that could jeopardize a career or freedom, it’s the legal aspect. So, pen testers should be careful to have proper authorization beforehand, and only practice on their own, personal, sandboxed systems.
Vulnerability assessments and penetration testing are two different things, although there seems to be some disagreement on this point. Engebretson argues that a vulnerability assessment is reviewing systems and services for potential issues, where as penetration testing actually involves finding and enacting proof-of-concept attacks.
Others argue that a vulnerability test is more of a “full scan” of systems, so that a client can have a full list of prioritized issues, and that a pen test is a specific, simulated attack for clients who feel that they’ve addressed issues that might be found in a vulnerability test. In other words, for clients who have reached their desired “security posture.” A vulnerability test would search for security issues in all parts of a system, whereas a pen test would only uncover issues related to a specific goal (for example, trying to gain access to a database of customer information).
Additionally, there is “overt” vs “covert” testing. “Overt” does not worry about stealth, but instead focuses on being thorough. “Covert” is more realistic (hopefully someone would be detected and stopped before evaluating an entire system) but will likely yield fewer found vulnerabilities.
Pen Testing Process
Depending on who you ask, there are different processes for pen testing. These processes aren’t super detailed, and instead, outline a general set of steps taken by the testers.
SecureWorks lists their general process as:
- Determination of scope
- Targeted information gathering or reconnaissance
- Exploit attempts for access and escalation
- Sensitive data collection testing
- Clean up and final reporting
In “The Basics of Hacking and Penetration Testing", Engebretson lists the general steps as:
- Post exploitation and maintaining access
- (there’s a 5th step left out of the book, which is “Covering your tracks”)
While there are undoubtedly many others, even the comparison of these two shows some general similarities.