PENETRATION TESTING – A SYSTEMATIC APPROACH INTRODUCTION: The basic idea behind writing this article was to put forward a systematic approach that needs to be followed to perform a successful penetration test. It has been written keeping in mind both, existing penetration testers as well as newcomers who want to make this field as a career. People responsible for maintaining security in an organization can refer to this and know what they can expect from such an exercise.
PENETRATION TEST – A BUSINESS PERSPECTIVE: The question most commonly asked by any organization is “Why would I ever need a penetration test?” after all it costs a lot of money in hiring an external consulting firm or to invest in expensive tools to perform a penetration test. You must realize that it is very important for any organization to justify the cost involved for such an activity. The important thing here that needs to be understood is that you may be successful in finding loads of vulnerabilities in any system, but unless those results are not analyzed thoroughly and a proper risk mitigation plan is not prepared, the test would not add any significant value to the business of any organization. Thus for giving a complete value for money, a successful penetration test would be that which would help an organization to understand the business risks arising from the vulnerabilities, and would provide a proper risk mitigation plan that fits the organizations business policy. Agreed that a penetration test would involve a lot of risks like bringing a production system down, etc., but a properly planned penetration test would definitely add value in an organizations security framework. It should be understood that a penetration test with proper systematic approach, if included as an ongoing process in an organizations risk assessment plan, will lead to a better understanding of the current security posture of the organization and will help the organization in mitigating the risks at the proper time. It should be noted that unlike the hype, a penetration test is not just a mere hacking exercise. It is a very essential part of the complete Risk Assessment Strategy of the organization. If used effectively, penetration test is a great tool by which any organization can measure the current security level of its network and systems. It is a good idea to have a penetration test done at regular intervals; after all you wouldn’t skip your health checkup, would you?
Page 1 of 10
© Manish S. Saindane
Penetration testing – A Systematic Approach
WHAT IS PENETRATION TESTING: “Penetration testing can be defined as a security‐oriented probing of a computer system or network to seek out vulnerabilities that an attacker could exploit” 1. The purpose of this exercise is to identify methods of gaining access to a system by using common tools and techniques used by attackers. This process involves a thorough active analysis of all the security related features of the systems in question, followed by an attempt to break into the system by breaching these security features.
TYPES OF PENETRATION TEST: There are primarily two types of penetration tests, viz.: • Black‐Box Test
• White‐Box Test The type of penetration test usually depends upon what an organization wants to test, whether the scope is to simulate an attack by an insider (usually an employee, network/system administrator, etc.) or an external source. The difference between the two is the amount of information provided to the penetration tester about the systems to be tested. In a black‐box penetration test, the scenario is closely simulated