Everything You Need to Know About Conducting a Penetration Test

Cybersecurity Services - Cybersecurity Guides

Has your business conducted a Penetration Test this year? Most Cybersecurity frameworks and regulatory standards require a test be conducted at least once per year. Historically, businesses only focused on conducting an external test to confirm that the firewall and any other externally facing devices or services are securely configured, but given the increase and advancement of security threats, an internal test must be conducted within the organization as well.

Every Cyber Insurance questionnaire (DDQ) that we have seen asks if annual internal and external tests are being conducted. If they're not, the business faces a sharp increase in their insurance premiums.

Penetration Testing Guidelines

Let's take a step back and first cover what a Penetration is and why it's important.

The goal of Penetration Testing is to validate the effectiveness and resiliency of an organization's network and its assets by using white-hat or ethical hacker techniques to identify and exploit weaknesses of security controls (including people, processes, and technology), and simulating the common objectives and actions of a potential attacker.

There are several benefits to conducting penetration tests, including:

1. Identifying vulnerabilities - Pen tests can identify vulnerabilities in a system that may not have been detected by other security measures, such as antivirus software or firewalls. This can help organizations prioritize their efforts to secure their systems and prevent attacks.

2. Evaluating the effectiveness of security measures - Pen tests can help organizations determine the effectiveness of their security measures. By simulating an attack and measuring the system's response, organizations can identify areas where their security measures are weak and need to be strengthened.

3. Improving incident response capabilities - Pen tests can help organizations identify and address weaknesses in their incident response plans. By simulating an attack and testing the organization's response, organizations can identify areas for improvement and make necessary changes to their incident response processes.

4. Demonstrating compliance - Some industries have regulatory requirements for conducting regular security assessments, including penetration tests. By conducting regular pen tests, organizations can demonstrate compliance with these requirements and protect themselves from regulatory fines and other penalties.

5. Providing assurance to stakeholders - Conducting penetration tests can help organizations build confidence and trust with stakeholders, such as customers, investors, and regulators. By demonstrating that they are proactively addressing security risks and vulnerabilities, organizations can build confidence and trust with their stakeholders.

There are several steps involved in conducting a penetration test. These steps include:

1. Planning - Planning is an important step in the pen testing process. During the planning phase, the tester will define the scope of the test, identify the resources that will be used, and establish the goals and objectives of the test.

2. Reconnaissance - During the reconnaissance phase, the tester will gather as much information as possible about the system or network being tested. This may include gathering publicly available information, such as company information, network diagrams, and system configurations.

3. Scanning - During the scanning phase, the tester will use automated tools and manual techniques to identify vulnerabilities in the system or network. These tools and techniques may include port scanners, vulnerability scanners, and other specialized software.

4. Exploitation - During the exploitation phase, the tester will attempt to exploit any vulnerabilities that have been identified. This may include attempting to gain unauthorized access to the system or network, or to escalate privileges within the system.

5. Reporting - After the exploitation phase, the tester will prepare a report detailing the findings of the test. This report should include a detailed analysis of the vulnerabilities that were identified, as well as recommendations for addressing those vulnerabilities.

There are three main types of Penetration Tests.

1. Black Box Testing - Simulates an attempted hack that comes from outside of the organization. The test begins with the pen tester receiving NO information about the organization’s networks or systems.

2. Gray Box Testing - Focuses on high-value areas of a network. This often simulate a situation where an attacker has penetrated an organization’s perimeter and has SOME level of access to their internal network.

3. White Box Testing - Replicates a hacking attempt that comes from inside the organization. Pen testers simulate a malicious insider that has MOST or ALL knowledge of how the organization’s systems are set up.

Penetration Tests can be comprised of one or more of the above types of tests. In many cases they will start as a Black Box Test and progress to a Gray and/or White Box Test.

There are many important considerations when planning to conduct a Penetration Test of your network. Here is a list of key information businesses should be aware of when planning:

1. Penetration Tests must be conducted by a specialized third party service provider. Penetration Test require highly skilled individuals that are up on all the latest hacking tools, techniques and exploits. They cannot be conducted by internal company employees, even if they have the knowledge or qualifications, to avoid conflicts of interest.

2. Penetration Tests can be comprised of several different types of tests including external network tests, internal network tests, application tests, wireless tests, physical security tests, and social engineering tests.

3. Vulnerability scanning is different from Penetration Testing and each should be conducted separately following different specific processes, procedures, and policies.

4. It is common for Penetration Tests to include a one-time vulnerability scan as part of the investigative effort to discovery known vulnerabilities. Again, separate vulnerability scanning should be conducted as part of an ongoing vulnerability management process.

5. Security assessments are separate from Penetration Tests, but in some cases can be combined with or included as part of a Penetration Test or by the same service provider. Security Assessments generally review setup and configuration of a system, device, or application against standard best practices. Penetration Testing takes this further by actively trying to exploit or compromise the existing configuration and determine what the potential threats and risks are.

6. It is of utmost importance that there is a formal contractual agreement in place between the Penetration Tester and the organization covering the services to be provided and systems to be included in the test. This gives formal legal consent for the Pen Tester to safely conduct ethical hacking activities. The goal is to avoid any and all disruptions or damage to the systems being tested, but it is important that critical data is backed up prior and any more invasive tests are conducted against business critical systems outside of normal business hours.

7. Although everyone focuses on the testing itself, it is just as important, if not more important, to focus on the review of the results and the remediation plan.

8. Account for some amount of remediation cost in your budget for Penetration Testing initiatives. There will almost always be something to remediate which will incur some costs, whether it be hardware, licensing and/or engineering resource costs.

9. Before the Penetration Test project is closed, at a minimum, Critical findings should be remediated and retested for verification.

10. Ensure you find a suitable, experienced Penetration Testing provider. Request proof of certifications, referrals from existing customers, documentation of testing procedures and sample reports.

11. Ensure remediation recommendations that will be provided are detailed, thorough, and clear so remediation can be conducted in an effective and efficient manner.

The following graphic shows all of the typical phases of a Penetration Test from start to finish.

There are several best practices that Penetration Testing service providers should follow when conducting a penetration test to ensure that the test is safe, effective, and the results are meaningful to the customer. These best practices include:

1. Obtain permission - Before conducting a pen test, it's important for organizations to obtain permission from the owners of the systems and networks being tested. This includes obtaining any necessary legal clearance, as well as obtaining written consent from the system or network owners.

2. Define the scope - It's important for organizations to clearly define the scope of the penetration test, including which systems and networks will be tested and what types of attacks will be simulated. This will help ensure that the test is focused and that the results are meaningful.

3. Use a testing agreement - A testing agreement is a document that outlines the terms and conditions of the penetration test, including the scope of the test, the roles and responsibilities of the tester and the organization, and any legal or ethical considerations. Using a testing agreement can help ensure that all parties are clear on the expectations and boundaries of the test.

4. Follow a testing methodology - As mentioned earlier, there are several different testing methodologies that organizations can use when conducting a penetration test. It's important for organizations to choose a methodology that is appropriate for their needs and that aligns with their overall security goals.

5. Document findings - It's important for organizations to carefully document the findings of their penetration test, including any vulnerabilities that were identified and any recommendations for addressing those vulnerabilities. This documentation should be shared with relevant stakeholders, including system and network owners, IT staff, and management.

There are several tools and techniques that are commonly used in penetration testing. Some of the most common tools and techniques include:

1. Port scanners - Port scanners are tools that are used to identify open ports on a system or network. By scanning a system or network and identifying open ports, penetration testers can determine which services are running and identify potential vulnerabilities.

2. Vulnerability scanners - Vulnerability scanners are tools that are used to identify vulnerabilities in a system or network. These scanners use a database of known vulnerabilities and can scan a system or network to identify any vulnerabilities that match the database entries.

3. Password cracking tools - Password cracking tools are used to recover lost or forgotten passwords. These tools can be used to test the strength of passwords and to identify weak passwords that may be easy for attackers to guess.

4. Social engineering - Social engineering is a type of attack that relies on human interaction to gain access to systems or networks. This can include tactics such as phishing, pretexting, and baiting.

5. Man-in-the-middle attacks - A man-in-the-middle (MITM) attack is a type of attack in which the attacker intercepts communications between two parties and alters or manipulates the communications. MITM attacks can be used to gain access to systems or to steal sensitive information.

6. Malware - Malware is software that is designed to disrupt, damage, or gain unauthorized access to a computer system. Penetration testers may use simulated and contained malware as part of their testing efforts to simulate real-world attacks and identify vulnerabilities.

These are just some examples of the tools and techniques that are commonly used in penetration testing. There are many other tools and techniques that are available, and the specific tools and techniques that are used will depend on the goals and objectives of the test.

When selecting a Penetration Testing vendor, it is important that you choose someone qualified and reputable. There are several ways to determine this:

1. Look for industry certifications - Many vendors that offer penetration testing services have certifications that demonstrate their expertise in the field. Some common certifications for penetration testers include the Certified Ethical Hacker (CEH), Offensive Security Certified Professional (OSCP), and GIAC Penetration Tester (GPEN).

2. Check for references: It's a good idea to ask the vendor for references from past clients. These references can provide valuable insights into the vendor's experience and expertise. Request references of clients with similarly sized environments, similar technology and/or in the same industry.

3. Review their experience - Look for vendors that have a proven track record of conducting successful penetration tests. This may include reviewing case studies or examples of their work.

4. Consider their approach - It's important to choose a vendor that takes a thorough and methodical approach to penetration testing. This includes following a defined testing methodology, carefully documenting their findings, and providing clear recommendations for addressing vulnerabilities.

5. Consider their reputation - It's a good idea to do some research and see what others have to say about the vendor. Look for reviews and testimonials from past clients to get a sense of their reputation in the industry.

Be sure to take current Cybersecurity Frameworks into consideration when planning a Penetration Test to ensure you are meeting industry best practices. The CIS Controls Framework covers Penetration Testing within Control 18. This control includes the following individual safeguards that should be addressed:

• 18.1 - Establish and Maintain a Penetration Testing Program

• 18.2 - Perform Periodic External Penetration Tests (at least once per year)

• 18.3 - Remediate Penetration Test Findings

• 18.4 - Validate Security Measures

• 18.5 - Perform Periodic Internal Penetration Tests (at least once per year)

In addition to the annual requirement of an internal and external Penetration Test, it is also required that businesses conduct an ad-hoc test whenever there is a significant change to the environment. For instance, if there is an implementation of any new network infrastructure, or a migration to a new critical application, a Penetration Test should be conducted to test the new systems, as well as anything else in the environment that may have been affected by the change. So If a new server is deployed to host a new application and new firewall rules were put in place for network access, then the server, the application and the firewall should all be tested, at a minimum. The entire environment does not necessarily need to be tested again.

For additional information, read our related articles:

Penetration Testing vs Vulnerability Scanning:

https://www.cyberoutlook.org/post/pen-testing-vs-vulnerability-scanning-do-you-need-both

See our list of references below.

Review these sources for more information

1. CIS Controls Version 8 - Control 18, Penetration Testing (2021) https://www.cisecurity.org/controls

2. NIST Penetration Testing https://csrc.nist.gov/glossary/term/penetration_testing

3. EC-Council - Penetration Testing (very thorough article covering all aspects of Pen Testing) https://www.eccouncil.org/what-is-penetration-testing/

4. Fortinet - Penetration Testing https://www.fortinet.com/resources/cyberglossary/penetration-testing

5. What Are The Types Of Penetration Testing? (high-level overview) https://www.youtube.com/watch?v=ca-6xCLmND8

6. Penetration testing demo and walkthrough | Infosec Edge Webcast (technical) https://www.youtube.com/watch?v=SmVPTTfYvS0

7. Complete guide to penetration testing best practices https://www.techtarget.com/searchsoftwarequality/tip/Everything-you-need-to-know-about-software-penetration-testing

8. NIST SP 800-12 Rev. 1 (Penetrating Testing) https://doi.org/10.6028/NIST.SP.800-12r1

9. NIST SP 800-53 Rev. 5 (Penetration Testing) https://doi.org/10.6028/NIST.SP.800-53r5