Why in Penetration Testing required?

Author: Michael Wade

Penetration Testing or Pentesting is a legal software attack on a software system which is carried out in order to uncover potential security weaknesses eventually gaining access to the data and features. Penetration testing can be described, executed and marketed in a lot many ways. It is often confused as a vulnerability scan, security assessment or a compliance audit. However, penetration testing stands apart from all in the following ways:

  • A penetration test is not over after detecting vulnerabilities. It proceeds forward to the next step to exploit the vulnerability to establish the attack vectors against the company’s data and assets.
  • The focus of penetration testing is on the team or individual testers and the experience they bring into practice. This is because even the most sophisticated technologies are vulnerable to the free thinking human mind which can analyze and synthesize, is capable of thinking more laterally and is driven by an unfading motive and determination.
  • A penetration testing is designed to evaluate effectiveness of the implemented security controls against a skilled human attacker. An organization with a 100% compliance may still be vulnerable against a human threat in the real world.
  • A penetration testing explores multiple attack vectors against the same target. Most of the successful compromises are generally the combination of vulnerabilities and information across different systems.

There are many reasons for conducting penetration testing. The nature and scope of penetration testing is mainly dependant on the driving force of the organization, which in turn determines the goals of testing. This driving force also influences the other factors such as scope, target selection, assumptions as well as the budget amount allocated for the test.

Considerations for the Penetration Testing

  • Scope: For the purpose of testing it is very important what is to be scoped in and what should be scoped out of the target environment. Before test initiation, IP address ranges, external URLs and application should be clearly defined. Additional scope considerations include the acceptable level of social engineering interactions, physical access of tangible resources, etc. In order to focus efforts on high value assets, the defined scope should always be prioritized. Limiting the scope increases the effort of testing in the most important areas of the organization. It is important to maintain a balance in scope definition. If it is too broad, efforts may go stray and if it is too narrow, the testers may not get enough flexibility to explore all possible paths of exploitation.
  • The testing approach: The testing approach can be white box or black box. There are pros and cons of both these testing approaches. In case of the white box testing, less time and money is required for the identification of the tests and more can be invested in the actual exploitation process. However, it runs a potential risk of underestimating inside attackers and leaves them one step closer to the internal environment. On the other hand, the black box approach provides a better real life perspective of the system from the attacker’s point of view. It forces the hacker to spend time and effort in obtaining internal unauthorized information. This provides a good intel for the organization about potential breaches and enables them to take protective steps.
  • Objectives: Establishing the goals and objectives of the test is very important along with the scope. It helps to produce a report addressing the goals. Any objective of priority should be explicitly addressed in the goals. However, it should be taken into account that not all goals can be achieved despite repeated attempts. This is a positive outcome as this ensures that the security stands tall.

Conclusion

At the end, all that matters is the real-world security. The effectiveness of penetration testing mainly depends on the people trusted with the task. Hence, after a security incident or a security testing, it is necessary for the company to determine the vectors which helped to gain access to the compromised system.