Cyber-attacks can be costly for businesses that are affected. Botnets are inexpensive, hacking software is easily accessible, and people with no technical or practical knowledge in this area can even buy computer attacks as a service.
Attacks can cripple a company’s systems and lead to significant fines and reputational damage, all for a very small investment on the attacker’s side. No company is immune.
This is where the pen-test comes in. It is essentially a controlled attack during which a professional pen-tester, engaged by the company, uses the techniques of a criminal hacker to look for vulnerabilities in the company’s networks and business applications.
Penetration testing is widely recognized as an important part of cyber-security (for example, it is required by a number of regulatory and compliance standards), but like any security mechanism, it is not perfect.
What is penetration testing?
Penetration testing is part of a security audit and consists of putting yourself in the shoes of an attacker who wants to break into the information system and do harm. As its name suggests, the intrusion test is intended to break into the network, or into a specific part of it. The pen-tester’s objectives are therefore several and vary with the context:
- List the information, found in one way or another, that may be sensitive or critical.
- List the vulnerabilities or weaknesses in the security controls that can be exploited.
- Demonstrate that a potential attacker is able to find vulnerabilities and exploit them to break into the information system. Beyond listing unrelated vulnerabilities, a real test aims to show an attack path leading from the position of an external attacker to takeover of the IS, or to the ability to carry out damaging actions.
- Test the effectiveness of intrusion detection systems and the responsiveness of the security team, and sometimes of users (social engineering).
- Report on, and present to the client, the progress of the test and its findings.
- Provide leads and advice on how to resolve and correct the vulnerabilities discovered.
Penetration testing focuses mainly, but not exclusively, on the technical side of information system security (in the broad sense: technological, physical and human) and less on the organizational/functional side.
Two types of penetration testing
Overall, there are two types of context for running a pen-test, Black Box mode and White Box mode, along with some derived “modes” in between:
- Pen-test in Black Box mode: in the Black Box context, the pen-tester really puts themselves in the shoes of an external attacker and starts the penetration test with as little information as possible on the target (the target being the company that requested the pen-test). Indeed, when a hacker begins an attack, they rarely have the complete map of the information system, the list of servers with their IP addresses, and so on. The Black Box context aims to find and demonstrate the existence of a plan of action by which an outsider could take control of the information system or get hold of certain information. Starting with very little, the pen-tester must look from the outside for a way into the target system, and so adopts the methodology and behaviour a real attacker would have.
- Pen-test in White Box mode: here it is exactly the opposite. The pen-tester works in close collaboration with the CIO (Chief Information Officer), the CISO (Chief Information Security Officer) and the technical team running the information system. The goal is to give the pen-tester complete information on the information system and to support the CIO in finding vulnerabilities. One advantage of White Box mode is that it can detect security flaws more broadly, including flaws that Black Box mode would never have reached, for example if the pen-tester had not got past a certain stage of the intrusion. In addition, White Box mode fits more easily into the life cycle of the security programme, sometimes at each stage of its evolution.
Below are the most important pros and cons of penetration testing:
Pro 1 – They identify vulnerabilities.
Businesses face many threats, and each threat can exploit any of hundreds of different vulnerabilities. Such weaknesses expose the company to potentially disastrous attacks such as SQL injection, and something as benign as a verbose error page can give attackers enough information to exploit vulnerabilities that are less obvious or more harmful.
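To make the two points above concrete, here is an added example (not code from the original article) of the kind of finding a pen-tester reports: a lookup that builds its SQL by string concatenation and returns the raw database error to the client, next to its hardened form. The application, table and sample data are constructed for the example; the injection probes are the classic ones a tester would send, and the verbose error is what turns a blind guess into a confirmed, exploitable flaw.

```python
"""
Added example, not from the original article: a verbose error page plus an
injectable query versus the hardened version. Runs offline on an in-memory
SQLite database with constructed sample data.
"""
import sqlite3


def build_db():
    # Constructed sample data standing in for the application's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Hypothetical vulnerable handler: the query is built by concatenation, so the
    input can change its structure, and the raw database error is returned to the
    caller just as a verbose error page would display it."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    try:
        return {"rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": str(exc)}


def lookup_hardened(conn, username):
    """Hardened handler: a parameterised query keeps the input as data, and on
    failure the caller only sees a generic message (log the detail server-side)."""
    try:
        rows = conn.execute(
            "SELECT username, role FROM users WHERE username = ?", (username,)
        ).fetchall()
        return {"rows": rows, "error": None}
    except sqlite3.Error:
        return {"rows": [], "error": "An internal error occurred."}


def run_probes(conn, lookup):
    """Send the three probes a pen-tester would try and return what each reveals."""
    return {
        # Tautology: returns every user if the quote breaks out of the literal.
        "bypass": lookup(conn, "' OR '1'='1"),
        # Wrong column count on purpose: a verbose error confirms UNION works
        # and tells the attacker how many columns to match.
        "column_probe": lookup(conn, "' UNION SELECT 1,2,3 --"),
        # Matching column count: pulls the schema straight out of sqlite_master.
        "schema_dump": lookup(conn, "' UNION SELECT name, sql FROM sqlite_master --"),
    }


if __name__ == "__main__":
    db = build_db()
    for name, lookup in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        print(f"== {name} ==")
        for probe, result in run_probes(db, lookup).items():
            print(f"{probe:13s} rows={result['rows']} error={result['error']}")
```

Against the vulnerable handler the tautology probe returns both users, the column-count probe returns SQLite’s “SELECTs to the left and right of UNION do not have the same number of result columns” message (which is the information leak the paragraph warns about), and the schema probe returns the `CREATE TABLE` statement. Against the hardened handler all three probes return no rows and no detail, which is exactly the difference a pen-test report should show side by side.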
Pro 2 – They identify important weaknesses that result from a set of small vulnerabilities.
Taken separately, small vulnerabilities may seem insignificant, but attackers look for exactly these weaknesses and chain them into a series of intrusions, each requiring little effort, that together open a much larger hole. Such chains are often overlooked by companies and by automated scanners, which rate each finding in isolation, but pen-testers replicating attacker methods will be able to identify these entry points.
Pro 3 – Reports offer specific advice
The final stage of a penetration test is reporting the vulnerabilities found. Unlike the automatic reports generated by tools, which offer generic remediation advice, a penetration test report classifies and rates vulnerabilities on a risk scale that takes into account the company’s context and budget.
Con 1 – If the tests are not done properly they can create a lot of damage
Tests that are not conducted properly can crash servers, expose sensitive data, corrupt critical data, or cause any of the other unwanted side effects that come with reproducing a criminal attack.
Con 2 – You have to trust the pen-tester
Penetration testing means inviting someone to hack your systems, so you have to rely on the pen-tester not to abuse their skills and knowledge. If you do not hire a trustworthy person for this job, these security tests could work against you.
Con 3 – If you do not create realistic test conditions, the results will be misleading
If employees know the test is coming, they are likely to prepare for it, which can make the company appear stronger than it really is. A real attack arrives without warning and in creative ways that are difficult to plan for.