Pentesting (or intrustion testing) is an essential practice in security audits. It allows to analyse security systems, in order to find vulnerabilities and use them to carefully evaluate risk and elaborate appropriate responses.
This article is a short overview of pentesting and its methodology
Definition
Pentesting (or intrusion testing) is a method which consists in simulating a pirate or hacker attack, and by analysing the results of said attack to expose any weaknesses in the system. This is done by targeting:
- IPs,
- applications,
- servers,
- local networks
Why do we need pentests?
To :
- Identify any vulnerabilities in applications or information systems
- Evaluate the risk potential of every weakness
- Propose concrete and timely response measures
Thanks to pentesting, it is possible to gain insight on: the severity of the vulnerability, the complexity of a possible response and the order of prioritisation of said responses
Pentesting is not supposed to be with malicious intent: its goal is to identify concrete vulnerabilities and fix them.
The types of Pentest
We can divide pentesting into three main categories :
White Box
White box testers use all of the data that is available about the Information systems. They look for weaknesses through different techniques such as monitoring open portals, applications versions etc.
Grey Box
In grey box testing, the auditor has only partial access to information about the Security system they are testing. Normally, they are given a user login, so they can replicate the activity from a « normal user »’s point of view.
Black Box
A black box test perfectly replicates an intrusion situation, where the attacker has minimum knowledge of the information systems, and where the attack takes places outside both the system and the premises.
This type of test uses the following to identify the right target:
- Collecting public information such as info on web pages, employee’s data or information about any company that the target may trust/have a partnership with
- Identifying presence points on the internet
- Passive spying on the network
When is a pentest appropriate?
Intrusion testing can be a valuable resource in any one of the situations :
- In the creation phase of a project, in order to predict or anticipate any possible attacks
- During normal activity, at regular intervals
- Following a cyberattack, so it never happens again
What are the objectives of a pentester?
A pentester has multiple goals, and they depend on their mission or context:
- To list and collect any information discovered during their activity that may be sensitive or critical
- To create a list of weaknesses or vulnerabilities in the security system that may be exploited for malevolent purposes
- To concretely demonstrate that a potential attacker can use the systems’ weaknesses to breach them, and to prove how any external threat could find a way to spy on and sabotage an entire information system
- To test the efficiency of intrusion detection systems, as well as the response team’s (and sometimes users’ responses too, this is called social engineering) reactivity.
- To present a report of their findings and activities to clients
- To guide and advise on the best response and correction solutions to the identified weaknesses.
From security audits to pentesting
A security audit is a much bigger task than an intrusion test. During a security audit, the entirety of the organisational security of a company is analysed and checked: their data loss prevention measures, compliance to regulations such as PCI and DSS as well as an audit of the configurations and codes in place for an accurate risk analysis (EBIOS, MEHARI, MARION).
A security audit is run in different phases, one of which is pentest.
A security audit allows to concretely evaluate the level of security of a system or application in relation to a reference. This reference is normally the information security regulations of the company, as well as any legislations on the subject, as well as any good practices in place.
An intrusion test, on the other hand, evaluates the security of a system not in reference to any legislation or regulation, but in a concrete threat situation at a given moment.
Follow us on LinkedIn
