
A famous 2011 article by security adviser Roger Grimes is intriguingly titled, “To beat hackers, you have to think like them.” In the article, Grimes explains that IT security professionals must view IT systems through the eyes of hackers — and search for ways to break into these systems, identify weaknesses, and create robust security measures.
That is exactly what penetration testing is all about.
What Is Penetration Testing?
Understanding penetration testing and the value it provides is crucial to your overall risk management strategy. Unlike traditional defensive cybersecurity strategies, which focus on remediating a security event and mitigating its harm, “pen testing” is an offensive security testing strategy that focuses on prevention.
A penetration test is different from a vulnerability scan, which is an automated, high-level security assessment that identifies known vulnerabilities, missing security controls, and common misconfigurations.
A penetration test (pen test) is also known as a white hat attack or ethical hacking. It is performed by a skilled penetration tester using detailed, hands-on, manual testing techniques and tools to simulate a cyber-attack. Testers explore the target system and its applications, devices, services, and user behaviors to identify vulnerabilities and security flaws.
A pen tester investigates the potential effects of these flaws on the network, and ultimately on the organization. The tester may also:
- Discover security policy errors
- Ascertain weaknesses in threat identification processes and security controls
- Review security awareness in the organization
- Identify compliance issues related to relevant industry standards or regulations, such as HIPAA, PCI DSS, or GDPR
The goal is to identify security weaknesses or vulnerabilities that a threat actor, cybercriminal, or data thief could exploit to compromise the system, disrupt operations, demand a ransom, or steal data. The tester may leverage some of these methods:
- Use social engineering to convince an insider to reveal sensitive information such as login credentials
- Send phishing emails to access critical accounts or test employees’ security awareness
- Use stolen or unencrypted passwords to access sensitive systems or data
At the end of a pen test, the tester prepares a detailed report which allows security teams and network administrators to understand and remediate the identified vulnerabilities and exploits.
What Are the Different Types of Penetration Tests?
There are many types of penetration tests, based on the system being tested.
Network Pen Tests
The ethical hacker tests network security by hacking into the network via various attack vectors such as:
- Phishing emails
- Third-party software
- Password guessing
Network pen tests can be done locally or remotely.
Hardware Pen Tests
The tester tries to exploit vulnerabilities in internet-enabled devices, such as security cameras, networked printers, and smart home systems.
Web Application Pen Tests
Testers check the security of enterprise web apps, APIs, and software.
Mobile Pen Tests
The tester attempts to find vulnerabilities in the organization’s mobile app.
Wireless Pen Tests
This test involves connecting to open, less secure hotspots or Wi-Fi networks to understand how threat actors may exploit them to compromise the enterprise network.
Physical Pen Tests
In such tests, the tester tries to break into a physical space to gain unauthorized access to its IT systems or other physical assets, perhaps by posing as a contractor or service technician.
The ‘Boxes’ of Pen Tests
Pen tests can also be classified as black box, white box, or gray box, depending on how much information the tester has about the target system.
Black Box Pen Tests
The tester has no specific information about the target system, only high-level information that could be found anywhere, such as the company name. The tester carries out detailed reconnaissance to find and exploit vulnerabilities. Since testers work “blind,” black box pen tests take a lot of time to perform, but these tests also closely resemble what a hacker would know when approaching a target.
White Box Pen Tests
The tester has prior information about the target system, including its IP addresses, network infrastructure schematics, operating system, source code, and so forth, which the tester uses to simulate an internal security attack. Although not as detailed as black box tests, white box pen tests still provide valuable insights.
Gray Box Pen Tests
Before starting the test, the ethical hacker has the knowledge of a user with elevated privileges. This method is suitable for simulating the possible actions of internal attackers with long-term access to the target system.
The Differences Between Internal Penetration Testing and External Penetration Testing
Every pen test is a multi-phased process involving these steps:
- Scoping
- Reconnaissance (intelligence gathering)
- Threat modeling
- Exploitation and post-exploitation
- Analysis and reporting
- Re-testing
The specific goals, methodology, conditions, and targets, however, can differ quite a bit depending on whether the enterprise chooses internal penetration testing or external penetration testing.
In external pen testing, the tester tries to simulate how an external user without proper access and permissions could exploit open vulnerabilities in the internal network. Essentially, the tester acts as a malicious outsider or hacker who might try to attack the organization.
Internal pen testing is about understanding how a threat actor with inside access could exploit the network’s vulnerabilities. It also tries to determine what information could actually be exposed to this insider.
To gain a complete understanding of system security weaknesses and strengthen the enterprise security posture, it’s usually best to conduct both external and internal pen tests.
What Is Internal Penetration Testing?
An internal pen test is usually done after completing an external pen test. It imitates an insider threat and identifies how an attacker with internal access may compromise or damage the network, systems, or data.
Typically, the starting point of an internal network penetration test is a user with standard access privileges. The tester may work with these common scenarios:
- An unhappy rogue employee (malicious insider) who tries to compromise or damage the system
- An external malicious attacker who accesses the system via social engineering, phishing scam, or stolen credentials
Most organizations focus on external security threats. Yet internal threats — coming from malicious insiders, careless employees, insecure third-party vendors, and even clients or customers — are as serious as (if not more serious than) external threats.
Research shows that from 2018 to 2020, the number of insider incidents increased by 47 percent. Moreover, in 2020 the total average cost of insider threats was $11.45 million, 31 percent higher than the $8.76 million in 2018. In 2021, insider threat incidents are expected to grow by 8 percent, and one-third of data breaches are projected to result from insider threats. These threats can come from:
- Weak or shared passwords
- Weak access controls
- Insecure file sharing or unencrypted data
- Network misconfigurations
- Lack of awareness about social engineering and phishing
- Ransomware attacks
- Insecure remote networks and devices
It’s crucial to identify these threat vectors and address them as a priority, and internal penetration testing is critical for doing so.
How to Do an Internal Pen Test
In internal pen tests, the tester may test:
- Computer systems, workstations, and mobile devices
- Servers
- Wi-Fi networks
- Access points
- Firewalls
- Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
- Internet-connected HVAC systems
- Cameras
- Employees (behaviors and procedures)
Once the tester identifies security vulnerabilities in these components, he or she will try to exploit them to understand the potential for unauthorized access and damage. The tester will also provide a detailed report, so the enterprise security team can take the necessary actions to close discovered vulnerabilities as soon as possible.
There are many ways to conduct internal pen tests. The tester may use privilege escalation, steal credentials, spread malware, leak information, or carry out other malicious activities such as man-in-the-middle (MitM) attacks. Other common internal pen testing methodologies include:
- Internal network scanning
- Port scanning
- System fingerprinting
- Firewall testing
- Manual vulnerability testing
- Password strength testing
- Database security controls testing
- Network equipment security controls testing
The tester may also carry out internal network scans to find known Trojans and check third-party security configurations to minimize the risk of supply chain attacks.
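The internal network scanning and port scanning listed above are exactly what the enterprise IDS/IPS under test should flag. As an added example (not code from the original article), the following Python script parses constructed firewall-style log lines in an assumed "timestamp action src -> dst:port" format and reports any source that touches many distinct ports on one host within a short window, the classic signature of a scan.

```python
# Added example (not from the original article): a minimal, defender-side
# detector for the internal network / port scanning an internal pen tester
# performs. It flags a source that touches many distinct destination ports on
# one host inside a short window, which is what an IDS scan rule looks for.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). Format assumed here:
# "<ISO timestamp> <action> <src_ip> -> <dst_ip>:<dst_port>"
# Both ALLOW and DENY lines count: a scan probes open and closed ports alike.
SAMPLE_LOG = """\
2024-03-01T09:00:00 DENY 10.0.5.23 -> 10.0.1.10:21
2024-03-01T09:00:00 DENY 10.0.5.23 -> 10.0.1.10:22
2024-03-01T09:00:01 ALLOW 10.0.5.23 -> 10.0.1.10:80
2024-03-01T09:00:01 DENY 10.0.5.23 -> 10.0.1.10:135
2024-03-01T09:00:02 DENY 10.0.5.23 -> 10.0.1.10:139
2024-03-01T09:00:02 ALLOW 10.0.5.23 -> 10.0.1.10:443
2024-03-01T09:00:03 DENY 10.0.5.23 -> 10.0.1.10:445
2024-03-01T09:00:03 DENY 10.0.5.23 -> 10.0.1.10:3389
2024-03-01T09:00:04 ALLOW 10.0.5.40 -> 10.0.1.10:443
2024-03-01T09:05:00 ALLOW 10.0.5.40 -> 10.0.1.10:80
2024-03-01T09:30:00 ALLOW 10.0.5.23 -> 10.0.1.11:443
"""

def parse_line(line):
    """Parse one log line into (timestamp, action, src, dst, port)."""
    ts, action, src, _arrow, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), action, src, dst, int(port)

def detect_port_scans(log_text, window=timedelta(seconds=30), threshold=5):
    """Return {(src, dst): sorted ports} for every source that hit at least
    `threshold` distinct ports on one destination within `window`."""
    events = defaultdict(list)  # (src, dst) -> [(ts, port), ...]
    for line in log_text.strip().splitlines():
        ts, _action, src, dst, port = parse_line(line)
        events[(src, dst)].append((ts, port))
    hits = {}
    for key, seq in events.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            # distinct ports touched inside the window that opens at `start`
            ports = {p for ts, p in seq[i:] if ts - start <= window}
            if len(ports) >= threshold:
                hits[key] = sorted(ports)
                break
    return hits
```

Tune `window` and `threshold` to the environment; a pen test report should note whether the IDS raised an alert for this traffic at all.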
To carry out these tests, white hat hackers can choose from many tools, including:
- Nmap: An open-source port scanner utility for network discovery and security auditing
- Rapid7 Metasploit: A framework to probe and verify enterprise vulnerabilities
- Wireshark: An open-source network protocol analyzer to assess vulnerabilities in network traffic in real time
Let ZenGRC Help With Penetration Testing
To protect your organization from cyberattackers, hackers, and even malicious insiders, it’s essential to think like them, simulate their actions, and actively test the enterprise network. A robust penetration testing plan is an integral part of your risk management strategy.
Instead of using spreadsheets to manage your information security program, adopt ZenGRC’s governance, risk management, and compliance platform to streamline tasks and documentation management. Improve visibility with automated workflows, insightful reporting, and dashboards.
Schedule a demo today to see how ZenGRC can strengthen your security posture.