What is penetration testing?
Penetration testing is a process that simulates cyber attacks on one’s own system. This controlled attack gives developers, IT operations and security departments an insight into system security.
Penetration testing (or pentesting or pen testing for short) is a process that simulates a cyber attack against one’s own system. The aim of this controlled and monitored attack is to collect as much data as possible and to uncover security weaknesses.
Penetration testing does not refer to a single predefined procedure for simulating this attack; it is rather an umbrella term for a range of practical attack methods. A pen test should also be distinguished from a vulnerability assessment, since the latter is primarily a scan and an evaluation of the security mechanisms in place.
A penetration test, in contrast, actually carries out the attack under observed and agreed conditions. Ethical hacking is closely related to the term pen test; after all, a penetration test is an ethically conducted hack. What sets it apart from hacktivism and other white hat hacks is the agreement concluded between the company and the attacker beforehand.
Of course, a pen test can also be carried out in-house. In many countries (including the entire DACH region) penetration testing is only legal if the party being tested and the party performing the test have precisely defined and approved the test in advance.
What does penetration testing look like in practice?
To carry out penetration testing safely in practice, to extract usable data from the attack, and to ensure that the network is not endangered and no unintentional DoS occurs, the pen test should follow distinct phases.
Reconnaissance and planning
In the first step of a pen test, it is determined which system or systems will be attacked and how far the attacks may go. Here, too, legal questions arise alongside the technical ones, as companies may only approve pen tests for their own networks and systems.
On the technical side, the testers gather relevant information about the specified systems, develop an understanding of how they work and pinpoint potential weak points.
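Because a pen test is only legitimate for targets the client owns and has approved, the planning phase should produce a machine-checkable scope that every later phase consults. The following is an added example, not code from the original article: a small rules-of-engagement check (the `RulesOfEngagement` record and its field names are assumptions, and the addresses are constructed RFC 5737 documentation addresses) that rejects any target outside the approved ranges, inside an explicit carve-out, or outside the agreed test window.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone


# Hypothetical rules-of-engagement record; field names are assumptions, not a standard.
@dataclass(frozen=True)
class RulesOfEngagement:
    client: str
    in_scope: tuple[str, ...]   # CIDR ranges / hosts the client owns and has approved
    excluded: tuple[str, ...]   # carve-outs inside the scope that must not be touched
    window_start: datetime      # agreed test window (UTC)
    window_end: datetime


def _networks(entries):
    # strict=False lets "10.0.0.5" and "10.0.0.0/24" both be used as scope entries
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def check_target(roe: RulesOfEngagement, target_ip: str, when: datetime):
    """Return (allowed, reason). Time window first, then exclusions win over scope."""
    ip = ipaddress.ip_address(target_ip)
    if not (roe.window_start <= when <= roe.window_end):
        return False, "outside the agreed test window"
    if any(ip in net for net in _networks(roe.excluded)):
        return False, "target is explicitly excluded"
    if not any(ip in net for net in _networks(roe.in_scope)):
        return False, "target is not in the approved scope"
    return True, "authorized"


def filter_targets(roe, candidates, when):
    """Split candidate targets into those that may be tested and those that must be dropped."""
    allowed, rejected = [], []
    for ip in candidates:
        ok, reason = check_target(roe, ip, when)
        (allowed if ok else rejected).append((ip, reason))
    return allowed, rejected


# Constructed sample agreement (RFC 5737 documentation addresses, not real systems)
SAMPLE_ROE = RulesOfEngagement(
    client="Example GmbH",
    in_scope=("192.0.2.0/24", "198.51.100.10"),
    excluded=("192.0.2.250",),
    window_start=datetime(2024, 3, 4, 18, 0, tzinfo=timezone.utc),
    window_end=datetime(2024, 3, 8, 6, 0, tzinfo=timezone.utc),
)
IN_WINDOW = datetime(2024, 3, 5, 22, 0, tzinfo=timezone.utc)
AFTER_WINDOW = datetime(2024, 3, 9, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    ok, bad = filter_targets(SAMPLE_ROE, ["192.0.2.17", "192.0.2.250", "203.0.113.9"], IN_WINDOW)
    print("allowed:", ok)
    print("rejected:", bad)
```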
Scans and examinations
Next, static and dynamic analyses are used to examine the code and how it behaves at run time. Static code analysis gives a theoretical insight; dynamic analysis is more detailed because it reflects the actual state of the system in operation.
One-time access
Through the use of back doors, web applications, cross-site scripting or SQL injection, weak points are now identified. These are then used to intercept traffic, access data and escalate user privileges. This step gives a more precise picture of how much damage attackers could actually do with knowledge of the vulnerabilities.
Permanent access
In contrast to one-time access, this test step is intended to precisely check whether access can be maintained and how deep security gaps actually go. This is intended to simulate Advanced Persistent Threats (APTs), which in practice can tap into company data for months and steal even the most sensitive information.
Analysis
Finally, the collected data has to be compiled to determine which vulnerabilities were exploited, which data was accessed and how long the access could be maintained.
Special features in penetration testing
The simulation of a cyber attack follows its own rules, and a pen test can be configured along several parameters. For example, the attack can be carried out externally, i.e. as a cyber attack on the externally visible parts of a system, or internally, as a simulation of a malicious employee or of access credentials stolen by phishing.
The security departments can also be involved in different ways: In a targeted test, IT security knows about the simulated attack and can coordinate with the testers and train itself. In a blind test, the testers are given only the name of the company that is the target of the pen test; a double-blind test takes place without any prior warning to the security team.
A special sub-category of penetration testing that should not go unmentioned here is physical access. Although this does not apply to all companies, in many of them the easiest way into the IT infrastructure is through access to the building and the theft of passwords and credentials.
Many companies therefore have a legitimate interest in having their security analyzed using a physical penetration test. After all, what use is a perfect system infrastructure if the server room is open and the VPN password is stuck on a note in the cafeteria?
In practice, good penetration testing therefore acts like a fire drill for systems. The pen test is used to test security mechanisms and uncover weaknesses, and the reaction of IT security can also be analyzed in real time. The result is not only more secure programs, but also recommendations for action for employees in order to make systems and networks more secure at all levels.