Testing

Penetration Testing

Barbara Ericson
29 Jan
8 min read

The digital world is rife with potential dangers. Cybercriminals and even bad actors within your organization have the potential to cause havoc, either by stealing data or bringing down your servers or aspects of existing web applications.

Even if your organization has digital security implemented (and it should), that security likely isn’t airtight. By leveraging penetration testing, you can discover any holes in the proverbial ship and fix them before an actual hacker takes advantage of unseen weaknesses.

Penetration Testing US Guide 2021

It’s important to know all about penetration testing and how to execute it for your organization.

With penetration testing, a cybersecurity expert can try to find and exploit any vulnerabilities in your computer systems before they have a negative effect on your organization. Think of penetration testing as simulated practice attacks made for your benefit.

Not sure how to implement penetration testing, or where to look for tools or professionals to do the job? This guide will break down everything you need to know.

Who Performs Penetration Tests?

test icon

Because penetration tests can be so complex and rigorous – and because their accuracy is of the utmost importance to your organization’s long-term security – it’s only a good idea to let qualified cybersecurity professionals perform penetration tests.

But beyond hiring or contracting a cybersecurity expert to perform penetration tests, you should prioritize individuals who don’t have any knowledge of how your system is secured.

Penetration testers who try to get into your system without any prior knowledge can potentially expose some blind spots that may have been missed by your security developers.

Most organizations, therefore, usually bring in outside contractors to perform penetration tests. Another term for these professionals is “ethical hacker” – their job is to ethically hack into a system to increase its future security.

Ethical hackers will utilize penetration testing tools and various strategies to maximize their effectiveness and to make sure they don’t miss anything simple. Many ethical hackers are reformed criminal hackers who use their hacking expertise for good rather than for negative impact.

In a pinch, your organization can use someone in-house to perform a penetration test. But be aware that this will likely be less effective than if you hired an outside contractor.

Penetration Test Strategies

Effective penetration testing doesn’t mean trying to break into your organization’s computer system in a single way.

In fact, effective penetration testers will utilize multiple strategies to bombard your computer system’s security as surprisingly as possible. In theory, this will help your system to be more secure in the future.

Targeted Testing

target icon

Targeted penetration testing is one such strategy. With this strategy, everyone can see the test as it’s carried out and as the results come in. Targeted testing usually involves specifically checking one aspect of a system’s security, such as its firewall.

External Testing

External testing involves targeting a computer system's externally visible devices and services, such as firewalls, web servers, and domain name servers. The goal of this strategy is to determine if an outside hacker can get into your system and if so, how far they can penetrate once a breach is made.

Internal Testing

Internal testing is the counterpart strategy to external testing. It mimics an internal attack behind your system’s firewall.

The penetration tester will carry out the attack pretending to be an authorized user with certain access privileges. It’s a good test to see how a disgruntled employee or bad actor can affect your organization should they decide to cause trouble.

Blind Testing

Blind penetration testing is the opposite of targeted testing in many ways. It limits the information given to the penetration tester, allowing them to try to penetrate the target system with as much freedom and flexibility as they desire.

It takes more time and can be expensive, particularly since the ethical hacker in question has to spend a lot of time with reconnaissance.

Double-Blind Testing

Double-blind testing is even more effective but it can also be expensive as well. Both the system’s team and the ethical hacker will not be aware of the details of the penetration test or the system’s configurations, respectively.

As a result, it’s one of the closest types of tests to a real cyber-attack. It’s a good strategy if you want to see how well your organization responds to penetration alarms.

Black Box Testing

black box testing icon

Black box testing is very similar to blind penetration testing.

But with this strategy, the tester will receive no information about the target system before the test occurs.

White Box Testing

White box penetration testing does give the penetration testers in question more information about the target network, like protocols used, chunks of source code, or IP addresses. This may allow their simulated attacks to be even more effective.

Penetration Testing as a Service

Lastly, some services provide penetration testing is a service. This strategy allows IT professionals to conduct and act upon continuous penetration tests to help secure computer systems in the event of a large-scale, ongoing attack.

Penetration Testing Stages

testing icon

No two penetration tests should be alike to maintain maximum variability and an element of surprise for your response team. But practically all penetration tests will proceed along a few major stages.

You can use these stages to monitor your progress and make sure that you set up a good penetration test for your organization.

Planning and Reconnaissance

The first stage is planning and reconnaissance. Its key objectives involve:

  • Defining the goals and scope of a given penetration test
  • Naming the systems to be tested
  • Identifying and agreeing upon the methods to be used during the test
  • Gathering any required intelligence for the tester so they can understand the target and its vulnerabilities (if applicable to the testing strategy)

A penetration test will be more likely to be successful if it is planned well beforehand.

Scanning

Next, the penetration tester will scan the target application and try to figure out how it may respond to certain intrusion attempts. A penetration tester might:

Gaining Access

Once enough information has been obtained, a penetration tester will leverage various attacks to figure out target vulnerabilities and try to get access to the target server or web application.

They may use attacks like SQL injections, backdoors, and cross-site scripting, alongside other hacking techniques and strategies, to get the job done. Once a vulnerability is discovered, the hacker will try to exploit it as effectively as possible.

Examples of exploiting access breaches include:

  • Escalating account privileges
  • Intercepting legitimate or fake business traffic
  • Stealing data

Specific goals or fake damage to be wrought might be agreed upon during the planning stage of the test.

Maintaining Access

access

After gaining access to a target system or application, the hacker will try to see if the vulnerability can be leveraged to keep a persistent point of access in the system.

In this stage, the ethical hacker will try to imitate more advanced or persistent cyber threats that can stay in a system for months on end in order to steal sensitive data or to remain undetected.

Security teams for an organization may try to uncover their ethical hacker during this stage as well.

Analysis

After the penetration test is totally complete, your organization must still analyze the results. Test results are usually compiled into reports that include:

  • A list of the vulnerabilities that were discovered or exploited
  • A breakdown of any data or other digital value that was compromised
  • How long the penetration tester was able to stay in your system

An in-depth analysis is required so your organization’s IT security team can take what was learned and incorporate it into future security strategies and solutions.

Penetration Testing and Web Application Firewalls

waf icon
Waf icon

If web application firewalls exist, do you really need to leverage penetration testing for your organization?

Absolutely. Web application firewalls serve as the first line of defense against cyberattacks for your computer systems.

But firewalls can only be updated periodically and they do not actively look for vulnerabilities that might not be anticipated by your development team.

In contrast, penetration testing offers additional security information your team can leverage for better overall system security.

Benefits of Combining WAF and Pen Testing

Furthermore, web application security consists of penetration testing and web application firewalls which go hand-in-hand.

That’s because penetration tests often use firewall data, like logs, to determine weak spots in an application. WAF administrators can also benefit from the data provided by penetration testing. They can use the data broken down in the analysis report to improve their firewall against future threats.

Penetration Testing Tools

Most penetration testers will use various automated tools to discover vulnerabilities in target applications. Automated testing tools are leveraged since:

  • They can be used easily
  • They can be configured for different targets
  • They can scan systems quickly and efficiently
  • They can categorize different vulnerabilities, making for easier data analysis
  • They can run multiple attacks in rapid succession 

Furthermore, top penetration testing tools can perform advanced analyses, such as data encryption examination.

Where to Find Pen Testing Tools

Many ethical hackers and penetration testers will use open source or free software. That’s partially because many pen testers will adapt open source software for their specific needs or preferences. Examples include:

  • Nmap, which is an acronym short for network map or - a port scanner tool
  • Wireshark - good for assessing vulnerabilities in a system’s network traffic during real-time
  • Metasploit Project - multi-tool software suite
  • John the Ripper - a password cracking tool ideal for finding password related weaknesses

Analyzing Penetration Test Results

Any good penetration test report should include four major parts. This will ensure the conciseness and strategic value of a penetration test report. The four parts are:

An Executive Summary

Report writers should include an executive summary. This allows IT team leaders and company executives to get a brief summary of the report. The summary should help them when coming up with strategic directions or top-level goals to implement.

A Technical Risk Walkthrough

A penetration test report should include a technically accurate, in-depth, yet contextualized breakdown of all the technical risks discovered. The report should also include why those risks exist so that executives and IT security teams know what steps to take to correct those risks in the future.

A Breakdown of Potential Impact

Any vulnerabilities discovered should be elaborated upon so that organization members know what impact they might have on future business. This part of the report will help your organization determine if a vulnerability needs to be managed instantly or can be put off until the later patch.

Remediation Options

Lastly, a good penetration testing report should include a few remediation options or suggestions. Think of these as jumpstarting locations for your security team that they can use to begin working on fixes for big vulnerabilities ASAP.

Penetration Test Top Tips

Penetration testing is vital. To make sure all of your tests go smoothly, remember to keep the following tips in mind.

Anticipate Any Common Threats

Your system probably has a few likely threats you’re already anticipating. Make sure that you mentioned these to your penetration tester so they can leverage such attacks to see how your business would fare under a “real” attack.

Don’t Overblow Your Expectations

While penetration tests can be valuable, remember that they can’t catch everything.

Instead of expecting your penetration tester to find every potential vulnerability in your network, have them target specific things you believe are most worth discovering or certain threats you think you should secure against.

Plan for Flaws

Never start a penetration test and expect your application or servers to be found invulnerable. In fact, a good penetration test should find at least a few areas where you can improve. Maintaining this kind of positive attitude will help you make the most of your upcoming test.

FAQ

What Is the Best Penetration Testing Tool?

The best penetration testing tools are the ones your ethical hacker are most comfortable with. Still, be sure to ask them what tools they’re using so you can add to your own knowledge and so you can tweak the parameters or requirements of your test accordingly.

Why Do We Need Penetration Testing?

Penetration testing is necessary because the digital world is more dangerous than ever before.

Even the most supposedly secure systems are likely vulnerable to a number of digital threats and breach points. Finding these potential threats before they actually affect your organization is proactive and can save you money and your organization’s reputation in the long run.

How Is Penetration Testing Done?

Penetration testing is done by hiring an outside contractor to purposefully attempt to gain access to your system, network, or web application. Typically, it’s a good idea to have a penetration tester try to break in through specific methods or through specific points to test available system defenses.

But it may also be worthwhile to have your tester attempt a blind intrusion to catch any vulnerabilities your development team missed.

Conclusion

All in all, pen testing is incredibly important for modern organizations.

You should prioritize hiring an ethical hacker from outside your company ASAP to provide in-depth, effective penetration testing to bolster your defenses and catch security flaws before they become a real issue. 


Barbara Ericson
A longtime open source contributor, with extensive experience in DevOps principles and practices. Barbara is especially interested in helping IT businesses and organizations implement DevOps, cloud-native technologies, and open source.