Penetration Testing


Overview: Penetration Testing

Penetration testing, also referred to as a pentest, is a structured methodology used by individuals and organizations to evaluate the security of a computer system or network by simulating attacks from an internal or external threat agent.

A penetration test is the best method of identifying security loopholes (vulnerabilities) that could lead to a breach of the confidentiality, integrity and availability of the organization's information assets.

Penetration tests are performed by trusted individuals who emulate malicious users or intruders (hackers), simulating various attacks based on the information they gather during the testing period.

The results of the attacks and tests performed are documented in a formal report, which is provided to the owner of the network or computer system. The report may also provide recommendations and mitigations for the identified vulnerabilities or loopholes.

 

A penetration test would typically include:

• Planning:

This phase starts off by establishing the need to identify security concerns in the business-critical areas of the organization.

• Information Gathering:

After the planning and scoping of the penetration test, the next step is to gather as much information as possible about the target systems and networks. The activities performed in this phase may include:

Network discovery: discovering and gathering information about the target network and the systems available on a particular network.

Network scanning: using automated tools to perform external or internal scanning of a network to gather information such as open ports on the target systems, server banners, the operating system in use, etc.

• Vulnerability Identification:

After gathering all relevant information about the target systems in the first stage, the next phase is the one in which the penetration tester determines the vulnerabilities and loopholes that exist in these systems. A thorough analysis is performed on the information gathered to see whether there are any existing vulnerabilities. This is called manual vulnerability identification or scanning.

• Exploitation:

The exploitation phase would typically aim at compromising information by breaching security controls and gaining access to the system. After access to the system is gained, privileges are elevated to obtain maximum privileges. The exploitation phase would also include password cracking to penetrate the system.

• Analysis and Reporting:

After the completion of all the stages mentioned above, the next stage is to create a report or reports to be presented to management and/or other technical staff. Penetration testing reports are highly confidential in nature and are therefore distributed to the intended recipients only.