Penetration testing, also known as pentesting or ethical hacking, is an essential tool in building both the defensive and the offensive side of a computer network's security strategy. But what is a penetration test, exactly? What are the different types of tests? And to what extent are they essential?

What Is a Pentest?

A penetration test, or pentest, is an “acceptable” form of hacking, in the sense that the attacks are controlled, requested by the owner of the target, and carried out to evaluate the security of a computer system. A penetration test is not to be confused with a vulnerability assessment, which identifies and rates weaknesses (typically with a scanner) without exploiting them: a penetration test is, in a nutshell, an attempt to actually break into your systems, by actors authorised to do so, in order to demonstrate what a real attacker could reach.

Pentests fall into two broad categories: traditional — or manual — tests, and automated tests.

Are There Different Types of Manual Penetration Tests?

  These pentests fall into three broad categories:

Black Box Testing

Black box testing involves attacking a system or network without any prior knowledge of its composition. It is therefore the type of test that most closely resembles a real attack by a malicious actor. These tests can identify exposed vulnerabilities, configuration errors, and even, through social engineering, human weaknesses that can lead to the successful compromise of a network. Although these tests are the closest to real-world conditions, they have several disadvantages: since they are based on reconnaissance and hypothesis-building, it is difficult to identify all the flaws that may be lurking in a network. They are also, by their exploratory nature, tests that can last weeks or months, which increases their cost. Finally, the thoroughness of this type of penetration test depends even more on the expertise of the pentester, since the testing is done “blind”.

White Box Testing

The opposite of black box testing is white box testing. Here, the pentesters generally have access to a complete description of the network to be attacked, credentials for all parts of the network and, if applicable, the source code of the applications used within it. This type of test is very thorough, and saves a lot of time in simulating attacks. In a very short time, it is possible to try multiple attack vectors against each part of the network, or even to create a copy of the network and attack that without impacting production. These tests are more comprehensive and quicker, but sometimes lack objectivity, as the obvious flaws visible in the documentation can take precedence over more subtle vectors that a blind attacker would find. You also need to have absolute confidence in your pentesters, who will hold a complete map of your network as well as the “keys to the kingdom”: agree in advance how that material will be stored, who may access it, and how the credentials will be revoked when the engagement ends. It should be noted that, although it remains rare, security companies themselves have had their networks infiltrated; IT security is a moving target and is never infallible.

Grey Box Testing

This type of test combines aspects of the previous two: the client gives the pentesters limited information about their network, typically a set of credentials for one system or a standard user account, sometimes with partial documentation of the environment. These tests typically simulate an “attack from within”, or an attack by an external party that enjoys some degree of trust (a supplier or partner who has, for example, been compromised themselves). This type of test shows how far someone starting from the limited, legitimate access you provide could get, for instance by escalating privileges or moving laterally to other systems, and is just as important as a “blind” attack.

Which Manual Test to Choose?

The main objective of a pentest is to identify and evaluate the possible attack vectors against a network, a piece of equipment or a business tool, so that they can be closed. A black box test is the quickest to set up: testers simply try to penetrate the system without any prior knowledge of the network. But these tests can miss important attack vectors, and despite being quick to start, a comprehensive black box test can be very time-consuming, depending on the size of the target. White and grey box testing, on the other hand, greatly reduce the total attack time, but have the disadvantage that testers, knowing the network, may behave differently from a real attacker and overlook vectors that an outsider would stumble on more readily.

Automated Testing

There is also a whole group of technologies known as Breach and Attack Simulation (BAS), which largely automate the work of checking a network for exploitable weaknesses. Rather than relying on a one-off engagement, these tools continuously replay known attack techniques against your systems and report whether the controls in place prevented or detected them. They are relatively recent technologies; however, they allow a continuous evaluation of attack vectors, and are becoming an essential complement to a complete security policy, especially for companies subject to PCI-DSS and GDPR: GDPR requires that a personal-data breach be reported to the supervisory authority within 72 hours of the organisation becoming aware of it, which leaves little room for slow detection. BAS provides, through systematic probing of the network, a dashboard showing potential weaknesses and ways to remedy them. These tools are becoming invaluable in IT security monitoring and remediation, particularly in the context of PCI-DSS, where regular testing is required for continued certification.

What Is the Purpose of Penetration Testing?

Manual penetration testing is an invaluable tool for assessing the security of a computer network or application at a given point in time. Coupled with automated tests, it gives you both a point-in-time and a continuous view of your exposure, to protect your data and that of your users. In 2020, well over 15,000 new vulnerabilities were identified, across a wide range of applications. The top 30 vulnerabilities in the list are responsible for 98% of the damage to corporate networks and data. Moreover, the average time to remediate a vulnerability is over 200 days in 2021. In December 2021, an extremely easy-to-exploit flaw (CVE-2021-44228, “Log4Shell”) was disclosed in Apache Log4j 2, a Java logging library included in an enormous number of applications: an attacker who can get a crafted string into any field that ends up being logged can obtain remote code execution. The full extent of the damage from this flaw has not yet been assessed, although patched versions exist (2.15.0 closed the original issue, and follow-up fixes took the recommended version to 2.17.1 and later). Log4j is bundled in a great many software packages, and could very well be hidden deep within a business application you use, or in appliances, tools, and software purchased from a third party. In this case, a pentest would allow you to identify the exploitable instances in your network in order to patch them. New vulnerabilities are discovered every day, so this is a process that should be repeated regularly. If your company is subject to PCI-DSS, penetration testing is one of the security auditing requirements. A careful evaluation of the vulnerability vectors of a network allows you to better defend it, in the face of a growing number of attacks every day. Our next article will discuss the importance of PCI-DSS, and how penetration testing is an essential part within its rules.
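As an added example (not part of the original article, and not Sonema's tooling), the following Python script shows the kind of inventory check the Log4j case calls for on a host you are allowed to test: it walks a directory tree, opens every jar/war/ear it finds, recurses into archives nested inside archives, reads the log4j-core version from the Maven pom.properties that a genuine log4j-core jar ships, and reports whether JndiLookup.class is present. The application tree it scans is a constructed fixture built in a temporary directory: the file names, the WAR layout and the placeholder class bytes are invented for the demonstration, and only the version threshold for CVE-2021-44228 reflects the real advisory.

```python
import io
import os
import re
import tempfile
import zipfile

# Java deployments nest jars inside wars and ears, so every archive type is opened.
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
# Maven metadata shipped inside a genuine log4j-core jar; the version line lives here.
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class that performs JNDI lookups; deleting it was a common emergency mitigation.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(version):
    """'2.14.1' -> (2, 14, 1). Pre-release tags such as '2.0-beta9' are ignored."""
    nums = [int(x) for x in re.findall(r"\d+", version.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])


def inspect_archive(data, path):
    """Inspect one archive held in memory; return findings for it and any nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    version = None
    if POM_PATH in names:
        for line in zf.read(POM_PATH).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    if version is not None or JNDI_CLASS in names:
        findings.append({
            "path": path,
            "version": version,
            "jndi_lookup_present": JNDI_CLASS in names,
            # CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1; 2.15.0 fixed it.
            "cve_2021_44228": version is not None and parse_version(version) < (2, 15, 0),
        })
    # Recurse: e.g. WEB-INF/lib/log4j-core-2.14.1.jar hidden inside a .war.
    for name in names:
        if name.lower().endswith(ARCHIVE_EXTS):
            findings.extend(inspect_archive(zf.read(name), path + "!" + name))
    return findings


def scan_tree(root):
    """Walk a directory and inspect every archive found under it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXTS):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), full))
    return findings


def make_log4j_core_jar(version):
    """Constructed stand-in for a log4j-core jar: Maven metadata plus a placeholder class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PATH, "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=%s\n" % version)
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # marker bytes, not real bytecode
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed fixture: a WAR hiding an old log4j-core in WEB-INF/lib, plus a patched jar."""
    apps = os.path.join(root, "apps")
    os.makedirs(apps)
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", make_log4j_core_jar("2.14.1"))
    with open(os.path.join(apps, "billing.war"), "wb") as fh:
        fh.write(war.getvalue())
    with open(os.path.join(apps, "log4j-core-2.17.1.jar"), "wb") as fh:
        fh.write(make_log4j_core_jar("2.17.1"))


def demo():
    """Build the fixture in a temporary directory, scan it, and return findings with relative paths."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        found = scan_tree(root)
    for f in found:
        f["path"] = os.path.relpath(f["path"], root)
    return sorted(found, key=lambda f: f["path"])


if __name__ == "__main__":
    for f in demo():
        status = "VULNERABLE to CVE-2021-44228" if f["cve_2021_44228"] else "not affected by CVE-2021-44228"
        print("%s: log4j-core %s, JndiLookup present=%s, %s"
              % (f["path"], f["version"], f["jndi_lookup_present"], status))
```

On a real host you would point scan_tree at the application and appliance directories in scope (and at any vendor-supplied images you can extract) rather than at the fixture; a finding whose version is below 2.15.0, or any log4j-core older than 2.17.1, is a patching task for the owner of that software, and the presence of JndiLookup.class tells you whether the class-removal mitigation was applied.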
Sonema offers a complete range of automated and manual pentesting solutions. For more than 30 years, we have been providing our customers with tailored connectivity, hosting and security solutions, to meet their most demanding needs. For more information, contact us.