This is the last article in a three part series on vulnerability scanning vs penetration testing. In the first article we discussed the differences between vulnerability scanning and penetration testing and in the second article we went over the three main methodologies used when performing a penetration test. With this final article we would like to give an overview of the five main types of penetration testing and demonstrate how they are performed by using the methodologies mentioned in the previous article. The goal here is to give you an idea of how the methodologies and types of penetration testing are utilized so that you can choose the right type and methodology of penetration test that best suits your organization’s security needs.
1. Application Penetration Test
The application penetration test is a test designed to identify and demonstrate the exploitability in any given application, defined by the scope of the test. If, for example, you want an application penetration test on a web application used by your company then the penetration tester would limit the test to the web application itself and not attack the web server or other services running on the machine where the web application is hosted. The purpose here is to test the security of the web application itself and look for design flaws in the web application which could allow an attacker access to sensitive information. This can be accomplished by attacking it as an external attacker might, with no knowledge of the source code, which is an example of the black box methodology applied to an application penetration test with a scope of the web application. Or it could be accomplished by giving the penetration tester full access to the source code as well as a running instance of the application itself, an example of white box methodology applied to a web application penetration test.
Application penetration testing is not only limited to web applications however, it can be applied to any application that an organization has developed. Mobile applications, desktop applications, and anything in between can all be tested for vulnerabilities via various techniques specific to the application type being tested. Typically, web application testing is included with a network penetration test (more on that later), whereas desktop or server applications are often performed as standalone penetration tests that do not require an organization to spend the money and time on a lengthier full network penetration test.
2. Network Penetration Test
A network penetration test is the next type of penetration test, and the one that most people think of when they discuss penetration tests. In a network penetration test the penetration tester will attempt to gain access to sensitive information by testing the full range of an organizations network. This usually involves techniques such as port scanning and open source intelligence gathering to gain information on the target network followed by vulnerability scanning to gain information about possibly vulnerable services being run by the target. Once access to the targets network has been achieved the penetration tester will then use the access they have gained to further penetrate the target organizations network as much as possible within the scope and the time constraints given by the engagement. While it is called a network penetration test, these tests usually include web application’s and any running services or programs that the penetration tester can gain access to. However, network penetration tests will usually not include other attack techniques such as social engineering or physical penetration testing.
3. Social Engineering Penetration Test
The third major type of penetration test is the Social Engineering penetration test. Social Engineering is a type of attack that malicious actors use to leverage human nature in a variety of techniques against the target. The goal of this test is to try and utilize social engineering techniques to gain access to the target organization. Depending on the scope of the engagement, such as whether it includes physical locations, different types of Social Engineering techniques will be selected for use in the penetration test. The most common type of Social Engineering penetration test is Phishing, in which the penetration tester sends email’s to users in the organization under different pretexts to attempt to get the users to either download malicious files or give their credentials to the attacker. This may be performed either by itself or in combination with other penetration test types, such as a Network Penetration test.
Other Social Engineering techniques will often be used in combination with a Physical Penetration test to gain access to the offices of an organization. These include things such as tailgating, following an employee inside without having a badge, or pretending to be a service employee there to perform maintenance of some sort with the intention of gaining access to the building that the penetration tester shouldn’t have.
4. Wireless Penetration Test
Wireless penetration testing is when the penetration tester attempts to gain access to sensitive information via the organization’s wireless network. In this sort of test, the penetration tester will need to be on site in order to properly perform this test. In a black box wireless penetration test the tester will first have to gain access to the wireless network, which is a good way to test the security of the wireless network against attacks such as wireless password cracking. Once access has been gained, the penetration tester can then test for vulnerability to other attacks such as Man in The Middle (MiTM) attacks and sniffing for unsecured sensitive communications. Alternatively, a white box wireless penetration test would be when the penetration tester would be granted access to the wireless network so that they can test for the MiTM and unsecured communication’s without first having to spend the time trying to break into the wireless network resulting in a shorter amount of time needed to complete the penetration test.
5. Physical Penetration Test
Physical penetration testing is often the most underutilized, and most sorely needed, of all penetration test types. It doesn’t matter how good your firewall is if an attacker can easily walk into your building and plug in a USB drive. Once an attacker has physical access to an organization’s environment, it is usually quite trivial to gain access to confidential and proprietary information. When a penetration tester is performing a Physical Penetration test, they will use a variety of Social Engineering techniques, such as tailgating, to gain access to a facility. The purpose of this sort of test is to test how easy it is to bypass physical defenses, up to and including personnel at the location, in order to gain access to the organization’s network. This type of penetration test is often one of the most costly as the penetration tester must be on location in order to perform it. However, it is also one of the most important to perform as physical access is usually the biggest vulnerability any organization will have.
What Is Right for Your Organization?
As seen above there are quite a few different types of penetration tests that can be performed, often with at least some level of overlap. When deciding which type of penetration test is right for your company it is important to consider what the goal of the penetration test is. Do you want to test for vulnerability to internet based attackers? Do you want to know the effectiveness of a phishing attack against your organization? Or are you most worried about people gaining access to your office in an illicit manner in order to access your proprietary information? Knowing what you want the penetration test to test for is the first step in deciding what type of penetration test is right for your organization.
After deciding upon what the purpose of a penetration test is you will be able to select the type, or multiple types, of penetration test that will best accomplish your objective. This is then followed by deciding upon the scope of the penetration test. In the case of a network penetration test you may wish to restrict the scope to specific IP addresses or domains, or you may wish for all IP’s and domains owned by your company to be tested by the penetration tester. This scope definition will also help you clarify what methodology you wish the penetration tester to utilize when performing the penetration test. If your goal is to test your vulnerability to internet based attackers against all of your company’s production assets, you would probably ask for a network penetration test including all web applications performed with the black box methodology. In other words, restricting the scope to only production assets to reduce the time of the engagement but asking them to attack those assets as a malicious internet based threat would.
On the other hand, maybe your goal is to test for your organization’s vulnerability to an insider threat. You could then ask for an on site penetration test involving Wi-Fi, Social Engineering, and Network Penetration using a white box methodology. While this type of test may involve techniques from several different types of penetration testing, by stating the goal as that of being testing for insider threat the penetration tester has specific attack venues to attempt via white box methodology which can significantly reduce the time needed to perform the engagement.
Red Team Testing
There is one final type of testing that goes by several names but is often referred to within the Information Security Community as Red Team testing. This is basically a “gloves off” approach to penetration testing in which the penetration tester will perform any and all techniques they can to attempt to gain access to your companies’ sensitive information. Engagements of this variety often take much longer to complete and thus be more expensive, however, they are also the best way to gain a complete look into the state of information security within your company. It reflects best the threat an organization faces when under serious attack such as by state sponsored attackers. The team performing the penetration test will often break a Red Team engagement into several phases, each consisting of a different methodology and attack technique so that they can accurately simulate the various threats that your organization may face.
Post Engagement: What to Expect
After a penetration testing engagement is complete the final deliverable to an organization should be a report in which the penetration tester outlines the results of the test. Typically, report writing takes the same amount of time as the actual engagement, so for a 5 day engagement expect 5 days for the penetration tester to complete the report. Upon delivery of the report to the organization, a post-engagement meeting should be held between the penetration tester and the organization’s management team to discuss the findings in the report.
A good report will include an executive summary of the engagement which includes the purpose, a general idea of methodology and techniques utilized, and an overview of the findings. The report should contain a technical section that can be disseminated to the organization’s technical teams which outlines how the penetration tester was able to exploit vulnerabilities and what that allowed them access too. In addition, it should provide a detailed breakdown of each vulnerability found, whether or not it was exploited, the severity of the vulnerability, and a quick note on how to go about fixing the vulnerability. This technical portion should then be used by the organization to improve their security posture.
Conclusion
When it comes to testing your organization’s security posture there is no better test than a penetration test. It can be used to test with a limited scope such as only your web application, it can be used to test your entire network including onsite Wi-Fi and secured areas via physical penetration testing or within the much wider scope of a red team engagement . And it can be performed in a couple of different ways, depending on what sort of threat to your organization you wish to test for and the time constraints on when you need the final report. Network penetration testing will often be longer than application penetration testing, however it also usually includes website application penetration testing within the scope. A physical penetration test may be done quite quickly; however, it will be more expensive due to the need of the penetration testing team to actually be on site in order to perform it. No matter the type of testing, you should always expect the final deliverable to be a detailed report that will not only detail the issues found but also give you a road map to addressing them.
To receive a sample report or to discuss your penetration testing needs please contact us.
Previous Articles from This Series: