Pentesting 101
According to Wikipedia, penetration testing (pentesting) is:
an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system. The test is performed to identify both weaknesses (also referred to as vulnerabilities), including the potential for unauthorized partied to gain access to the system’s features and data, as well as strengths, enabling a full risk assessment to be completed.
Pentesting has levels
In the world of penetration testing, there are three different classes of assessment, all based on the amount of information given to the pentesting team.
- Black Box - in a black box pentest, the red team is given no information about the company/system that they are testing. This type of assessment takes the longest amount of time, is the most expensive, and most accurately simulates an outside threat.
- White/Clear Box - in a white box pentest, the red team is given lots of information about the company/system. This type of assessment is the cheapest, usually takes the least amount of time, and closely simulates an insider threat.
- Gray Box - somewhere between black and white box tests.
Pentest vs Vulnerability Assessment
The main difference between a pentest and vulnerability assessment is if the tester uses the vectors found in the vulnerability assessment to simulate an attack on the system. Vulnerability assessments’ goal is to enumerate a company/system’s vulnerabilities, whereas a pentest is to enumerate the vulnerabilities and to see how deep the wound could get.
Are there steps to follow?
In penetration testing there are a few standards or frameworks that can be followed to ensure that the red team is effectively executing within their given time frame. One popular standard is the Penetration Testing Execution Standard (PTES) and it breaks down a penetration test into six steps, which a red team can follow to ensure that they are effectively managing their time on an assessment. Those steps are:
- Tools Required
- Intelligence Gathering
- Vulnerability Analysis
- Exploitation
- Post Exploitation (Pivot, Persistence, etc.)
- Reporting