In our last post, we discussed how regular network assessments can help organizations identify any gaps in their security posture in order to make the necessary modifications to close those gaps. A penetration test, or pen test, is perhaps the most critical element of a comprehensive testing process.
Pen testing is an ethical hacking exercise in which authorized security professionals launch simulated attacks on your network in order to assess technical, operational and physical security measures. Essentially, these tests let you know what would-be attackers could see and exploit if they were to scan your network.
In addition to helping you uncover hard-to-find vulnerabilities such as configuration flaws, protocol vulnerabilities and coding errors, pen tests are increasingly required for compliance with industry and government regulations. For example, requirement 11.3 of the Payment Card Industry Data Security Standard (PCI DSS) states that comprehensive pen testing should be performed at least annually and any time there is a “significant infrastructure or application upgrade or modification.”
Although PCI DSS only requires annual testing, that really isn’t enough. A single test may help you identify some vulnerabilities, but there’s no way to know if your remediation efforts are effective unless you conduct a follow-up test. Retesting against the baseline helps ensure you are on the right track.
How it Works
There are several industry-accepted methodologies for pen tests, including those developed by the Open Web Application Security Project (OWASP) and the National Institute of Standards and Technology (NIST). Generally, most of these frameworks follow similar steps:
- Establishing the rules of engagement. There is typically an upfront agreement about how much information testers will be given. In “black box” testing, the tester has no advance knowledge, making it most similar to an actual attack. In “white box” tests, testers have complete access to applications, systems and source code in order to provide a more comprehensive assessment.
- Reconnaissance and information gathering. In this phase, the tester will use social engineering, Internet research and other techniques to gather as much information about the target as possible.
- Port scanning and vulnerability assessments. Typically, testers will scan ports for possible attack vectors, perform traffic analysis, evaluate encryption and patching processes, and probe firewalls and other perimeter defenses.
- Exploitation and continued discovery. Testers will use a variety of exploits such as cross-site scripting and SQL injection to exploit vulnerabilities and steal data, intercept traffic and more. They will also try to move laterally through the network to see how far they can go.
- Clean up. Once the test is complete, testers remove any executables, scripts or user accounts they may have used and restore configurations to their original settings.
- Final analysis and review. Testers provide a written report detailing their findings and recommended remediations.
The Verteks Advantage
Although it can be tempting to run these tests on your own, it’s not advisable. If done incorrectly, pen testing can create network performance issues and business disruptions. Because testers are actively trying to compromise your network, they could accidentally leave openings for criminal hackers.
Working with professional ethical hackers is a much safer approach, and it is likely to produce deeper insights and more actionable recommendations. Professional testers are far more likely to have expertise and certifications in a wide range of networking technologies, including system security, wireless security and application testing. In addition, they will be working from an established methodology.
Verteks has the tools, experience and methodology to conduct penetration tests safely and effectively. We tailor our methods to meet customer needs and reduce the operational impact of the testing process. Contact us to learn more about using regular penetration tests to ensure the security and stability of your critical systems.