A network penetration test, or “pen test”, is a security assessment performed by ethical hackers (also known as red teamers or penetration testers). Its purpose is to identify weaknesses and vulnerabilities within a network. But why are such tests so critical for maintaining digital security?
A recent UK government report found that 39% of businesses have reported some type of cyber security breach. However, the report also highlights that the actual figure could be even higher, stating:
“… we also find that enhanced cyber security leads to higher identification of attacks, suggesting that less cyber mature organisations in this space may be underreporting.”
This could be attributed to the fact that data breaches can cause severe reputational damage to businesses. As such, companies are often reluctant to report them. By enhancing cyber security testing, companies can identify vulnerabilities and secure them before attackers have the chance to strike, which demonstrates the importance of penetration testing.
How is a network penetration test performed?
A penetration test typically follows a five-stage process:
- Planning & Reconnaissance: The test goals are defined here, such as the type and scope of the penetration test. Reconnaissance follows, often in the form of OSINT (Open Source Intelligence).
- Scanning & Enumeration: In the second step, the penetration tester performs various scans. This helps the tester draw a map of their target and is also a chance for the business to test detection.
- Gaining Access: Various attacks are performed against the network with the intention of gaining access. An attack can be performed against web apps, IoT, servers etc.
- Maintaining Access: The penetration tester will attempt to maintain their access within the network. This can be achieved with tools, scripts, scheduled tasks and more.
- Clean up & Reporting: The penetration tester will clean up any tools or scripts used locally on the network, then provide the business with a report of the vulnerabilities found, often including remediations for them.
What systems can a penetration test analyse?
A penetration test isn’t limited to networks and can be performed on multiple systems and platforms, including:
- Web & Mobile: Testers examine the effectiveness of security controls and code whilst searching for hidden vulnerabilities that could lead to a compromise.
- Cloud: Whilst we see many businesses moving to a cloud-based infrastructure, it is important to note that cloud-based penetration tests can be performed on the likes of databases, servers, storage etc.
- Containers: Docker containers often have vulnerabilities that can be exploited.
- IoT: Internet of Things devices such as mobile phones, tablets, and wireless access points, amongst others, can be tested.
Types of network penetration tests
There are three main types of network penetration test: black-box, grey-box and white-box testing. The type is determined by the level of knowledge the pen tester is given before the start of the assignment.
A Black-box test is typically performed without any knowledge of the internal system.
A black-box penetration test is the most realistic testing scenario. The tester is put in the shoes of a real-world adversary who has no prior knowledge of the network or tools/software used. This helps to inform a business of real-world risks.
A black-box test does not offer a comprehensive review of your internal systems and any custom code. Whilst a black-box test highlights issues that indicate a pathway into the network, the target may still have internal issues. A black-box penetration test is also based on trial and error, which can make the process more time-consuming.
During a White-box test, the penetration tester is typically provided with full knowledge of the system such as documentation and architecture designs.
Giving the penetration tester information on the network and systems allows the tester more time to conduct a thorough test. This method also gives the tester time to assess vulnerabilities a black-box test can’t assess, such as the quality of code.
Depending on its scope, a white-box test may cost more because of the wider skill set the tester needs. Depending on time constraints, it can also be impossible to look into every corner.
A Grey-box assessment typically lies between white-box & black-box testing. The tester is only given partial knowledge of the system they are testing. They have less insight into a system’s code base than white-box testers but more than black-box testers.
By providing a tester with limited knowledge, they can focus on testing common security vulnerabilities. This reduces the requirement for code review that a white-box tester may face and focuses on likely/real-life scenarios.
Benefits of a network penetration test
The primary goal of a penetration test is to test the resilience of a system, thus creating awareness of risks and exposure within the network. A penetration test provides other benefits, such as revealing vulnerabilities, maturing your environment, preventing breaches, and testing your defensive capabilities. All of these empower businesses to reduce the risk of a cyber incident.
Whilst there aren’t any current GDPR laws requiring a penetration test, GDPR does require organisations to implement ‘A process for regularly evaluating the effectiveness for ensuring the security of data processing’ in certain industries. This includes PCI DSS (Payment Card Industry Data Security Standard), which is a minimum set of requirements designed to help a business protect cardholder details. Requirement 11 of PCI DSS 3.2 requires regular penetration testing, which could potentially indicate penetration testing becoming a requirement for compliance in the future.
How can Aspire help
At Aspire, not only do we offer a range of managed cyber security services to combat all types of online threats, we also offer industry-leading penetration testing.