Penetration testing, or “pentesting,” is one of those topics in cybersecurity that many people get confused about, including people in the field. Pentesting has value, but organizations should understand that its purpose is very different from that of technical controls testing and vulnerability assessments. People often use these terms interchangeably, but they shouldn’t. So what exactly is penetration testing, and when should you do it? How should you do it? Who should do it?
What a Penetration Test is (and what it isn’t)
A pentest is the deliberate exploitation of vulnerabilities on a target system by highly skilled testers to reach a defined objective, typically elevated access privileges or access to protected data. Pentests simulate an attacker with a malicious purpose. For a pentest to be of any value, the testers must have one or more test objectives to focus the testing properly. Here is a breakdown of what this means.
All organizations carry some level of cybersecurity risk. That risk takes the form of loss: a loss of confidentiality, integrity, or availability of information. A pentest is an effective way to realistically (and safely) understand how likely such a loss is and what the impact would be if it occurred.
Pentest objectives are specific. They narrow the purpose of the test down to the particular types of loss the organization wishes to assess. The more specific the test objectives are, the more value the test provides. A typical test objective is to evaluate whether user credentials for a specific system can be stolen and then used to access that system’s user data. Financial services companies use objectives along the lines of whether the tester can obtain unauthorized access to financial data (loss of confidentiality), change or redirect financial resources (loss of integrity), or render the system unusable (loss of availability).
As explained above, pentests have specific objectives. The only way to achieve these objectives is to actively compromise the system by exploiting vulnerabilities or serious misconfigurations in it.
When Should You Do a Penetration Test?
Decisions to add more technical safeguards to an environment can be costly. To weigh cost against benefit, you sometimes want the most realistic assessment possible of how likely a system is to be compromised and what the impact would be if it happened. A vulnerability assessment enumerates and rates weaknesses without attempting to exploit them, so any judgment of likelihood it produces is an estimate. A pentest yields actual results and can therefore better inform costly decisions.
There is another very important value in pentests. The true risk of any given system being compromised depends on all of the controls in the environment working together. Looking at each vulnerability on its own, as a vulnerability assessment does, will not give the most accurate picture of the risk. Pentesters typically must exploit a combination of vulnerabilities to achieve the test objectives, and individually low-rated findings can add up to a serious compromise. Mission-critical systems and highly complex applications can often benefit from pentests because they yield better results when they have solid test objectives.
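The point that findings must be judged in combination rather than in isolation can be made concrete with a small attack-path model. The following is an added illustration, not code from the original article: it treats each finding as a step that requires certain attacker capabilities and grants others, then searches for a chain of findings that reaches the test objective. The findings, capability names, and severities below are constructed sample data for the illustration, not real vulnerabilities in any product.

```python
"""Attack-path reachability over pentest findings (added illustration).

Each finding is modelled as a step: it requires a set of attacker capabilities
(preconditions) and grants new ones (postconditions). A scanner rates each
finding on its own; a pentester chains them toward an objective.
"""
from collections import deque

# Constructed, hypothetical findings for illustration only.
FINDINGS = [
    {"id": "F1", "title": "Error page reveals internal hostname", "severity": "low",
     "requires": {"internet"}, "grants": {"knows_internal_host"}},
    {"id": "F2", "title": "Server-side request forgery in image fetcher", "severity": "medium",
     "requires": {"internet", "knows_internal_host"}, "grants": {"internal_http"}},
    {"id": "F3", "title": "Internal admin panel accepts default credentials", "severity": "medium",
     "requires": {"internal_http"}, "grants": {"admin_panel"}},
    {"id": "F4", "title": "Admin export includes plaintext customer records", "severity": "medium",
     "requires": {"admin_panel"}, "grants": {"customer_data"}},
    {"id": "F5", "title": "Legacy TLS cipher suite offered", "severity": "low",
     "requires": {"internet"}, "grants": set()},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def find_chain(findings, start, objective):
    """Breadth-first search for the shortest sequence of findings that takes an
    attacker from the starting capabilities to the objective capability.
    Returns a list of finding ids, or None if the objective is unreachable."""
    start = frozenset(start)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        state, path = queue.popleft()
        if objective in state:
            return path
        for f in findings:
            # A finding is usable only if its preconditions hold and it adds
            # something the attacker does not already have.
            if f["requires"] <= state and not f["grants"] <= state:
                nxt = state | f["grants"]
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [f["id"]]))
    return None


def single_finding_reaches(findings, start, objective):
    """Ids of findings that reach the objective entirely on their own, which is
    the view a per-finding assessment gives."""
    return [f["id"] for f in findings if find_chain([f], start, objective)]


def highest_isolated_severity(findings):
    """Worst severity any single finding carries when rated in isolation."""
    return max((f["severity"] for f in findings), key=SEVERITY_RANK.__getitem__)


def chain_severities(findings, chain):
    """Severities of the findings used in a chain, in order."""
    by_id = {f["id"]: f for f in findings}
    return [by_id[fid]["severity"] for fid in chain]


if __name__ == "__main__":
    objective = "customer_data"  # the constructed test objective: read customer data
    chain = find_chain(FINDINGS, {"internet"}, objective)
    print("findings reaching the objective alone:",
          single_finding_reaches(FINDINGS, {"internet"}, objective))
    print("worst isolated rating:", highest_isolated_severity(FINDINGS))
    print("chain to objective:", chain, chain_severities(FINDINGS, chain))
```

Run stand-alone, the model reports that no single finding reaches the objective and that the worst isolated rating is only “medium,” yet the four-step chain F1 → F2 → F3 → F4 reaches customer data. That gap between per-finding ratings and the reachable outcome is exactly what a pentest with a clear objective exposes and a vulnerability assessment does not.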
Some regulations, such as PCI DSS v3.0 (Requirement 11.3, which calls for internal and external testing at least annually and after significant changes), make pentesting a compliance requirement. Any organization that requires or wants compliance with such regulations must have pentesting somewhere in its processes, and it may not always get a choice of where and when to test. Other organizations perform pentests even when not required to, for the value they provide. A worthwhile secondary benefit is that pentests demonstrate to others a stronger commitment to information security and a more mature security program.
Organizations with established pentesting programs and appropriately skilled staff sometimes still struggle to use these resources effectively. Creating an annual or semi-annual test plan is an effective way to schedule them. The targets of the chosen tests can include areas on which the board or senior leadership need more input because of risk, cost, or similar concerns. Some organizations also trigger a pentest automatically for any new or substantially upgraded Internet-facing application that stores or processes sensitive data.
Who Should Do Penetration Tests?
The ideal pentester will have three primary skill sets. The first is a broad, but solid background in operating systems, networking, databases, and web applications. The pentester must integrate knowledge in many areas of information technology in order to carry out their work. Penetrating a system and not being able to get to the data inside of a database due to lack of database expertise, for example, does not yield the best result.
The second skill set is a good understanding of the core technologies of the target system. If the target is a Java-based web application running on Windows Server, for example, somebody with primary expertise in compromising Linux systems and no background in Java may not be the best choice. If possible, a pentesting team should select its members based on the technologies being tested.
Lastly, a solid technical foundation is necessary but not sufficient: the tester must be able to identify exploitable vulnerabilities and then build and execute exploits for them. Those vulnerabilities include both ones already known to the public and previously unknown ones discovered in the course of testing. The best pentesters can write custom exploits for vulnerabilities “on the fly” during the test.
As you can imagine, pentest professionals are expensive because of their specialized background. Some organizations may be tempted to take the easier route and hire a less skilled team capable of little more than running automated exploit tools available on the market. The buyer should be aware that the result will be vastly different from what a skilled team would produce. The lowest-cost pentest may be all a company can afford, but an organization that wants the best result will focus on finding the right people. Focusing on quality ensures that the decisions made on the basis of the pentest results are sound.