Since penetration testing emerged as a service, clients have taken to calling it by different names, such as pen test, pentest or even paintest. A penetration test is a simulation of a real cyberattack under certain conditions, described below. The goal is to find a way to access the company's or person's assets (funds, critical data, etc.).
The key difference between a penetration test and a real hacker attack is the restrictions:
Law. All activities are approved and permitted by the client. Black hat hackers do not ask for permission.
Time. Black hat hackers are not pressed for time; they can follow the "victim" for years, finding so-called security holes (vulnerabilities in the systems it uses) and sending batches of phishing messages. White hat or ethical hackers stick to deadlines, with time limits of up to a couple of weeks.
Budget. Black hat hackers may invest heavily in various tools and notorious cyber weapons, including exploits (0-days and malware available on black markets). Ethical hackers work within the client's budget.
Penetration depth. Black hat hackers feel free to target any system they are able to breach. Ethical hackers honor their contracts, namely they target only the systems listed by the client.
To compensate for these limitations, ethical hackers are granted some "benefits":
The amount of information available and the client's involvement. In penetration testing this is known as white, gray and black box testing. White box is a method where the penetration tester has full knowledge of the infrastructure, processes and systems being attacked (even including source code review) and the client's staff is aware of the testing. Black box is a method where the penetration tester has no or very little knowledge of the systems being attacked (organization name, website, etc.). Besides, only certain people among the client's staff are aware of the penetration test, commonly top managers.
Over time, classical penetration testing no longer satisfied clients: ethical hackers would discover one or a few vulnerabilities, obtain the required access and complete the project. Clients wanted ethical hackers to find as many vulnerabilities as possible, or even all of them. So a new service appeared, the cybersecurity audit, often miscalled a penetration test, though in fact "penetrations test" would be the correct term.
As crowdsourcing became popular, bug bounty programs emerged all over the world, in which the clients are large companies and the contractors are ethical hackers. The idea: a client places a bid for testing a company or product, including limitations and rewards for vulnerabilities found (depending on severity level), and an ethical hacker looks for vulnerabilities and is rewarded if successful. There is also another kind of bug bounty, the bug bash, a time-limited event held as part of a large conference. But there are disadvantages:
A hacker is not always motivated to disclose a vulnerability to the product owner, as he can sell it for a better price on the darknet or to organizations that use vulnerabilities to create cyberweapons. There are companies selling vulnerabilities to intelligence agencies, such as the French Vupen, the Italian Hacking Team, the Israeli Cellebrite, etc.
Product developers can conspire with bug hunters to intentionally leave security holes in the product, which are then easily "found" by the right hacker, and they share the reward…
– Is it possible to make penetration testing cheaper? Can't you just scan our resources for vulnerabilities automatically and give us a report?
– Yes, we can!
So a vulnerability scanning service emerged, which is often sold as penetration testing while being just a small part of it.
Finally, what is penetration testing and how is it performed?
Reconnaissance. The passive part is information gathering from open sources (OSINT), which is invisible to the client. The active part uses specialized tools to scan the client's resources and can be detected by intrusion detection systems.
Analysis of the data obtained in the previous stage and planning of the attack scenarios.
Attempting the attacks planned in the previous stage. Attacks are carried out under restrictions and supervised by the client to avoid interrupting the services of critical systems.
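The active part of reconnaissance is the stage an intrusion detection system can notice, and the following small Python heuristic shows why: a source that touches many distinct ports on one host within a short window stands out from normal traffic. This is an added example for this article, not the author's code; the log format, addresses, timestamps and thresholds are constructed assumptions.

```python
"""Port-scan heuristic over constructed firewall log lines (added example).

Assumed log format, one event per line:
    <epoch_seconds> <src_ip> <dst_ip> <dst_port> <ALLOW|DENY>
A source is flagged when it reaches `min_ports` distinct destination ports on
one host within `window` seconds. Denied connections are counted too, since a
rejected probe still reveals reconnaissance.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int
    src: str
    dst: str
    dport: int
    action: str


def parse_line(line: str) -> Event:
    """Parse one constructed-format log line into an Event."""
    ts, src, dst, dport, action = line.split()
    return Event(int(ts), src, dst, int(dport), action)


def detect_port_scans(lines, window=60, min_ports=10):
    """Return {(src, dst): distinct_ports} for every (source, host) pair whose
    distinct destination ports inside some `window`-second span reach
    `min_ports`."""
    buckets = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_line(line)
        buckets[(ev.src, ev.dst)].append(ev)

    alerts = {}
    for key, events in buckets.items():
        events.sort(key=lambda e: e.ts)
        left, best = 0, 0
        # sliding window: advance `left` until the span fits in `window`
        for right in range(len(events)):
            while events[right].ts - events[left].ts > window:
                left += 1
            ports = {e.dport for e in events[left:right + 1]}
            best = max(best, len(ports))
        if best >= min_ports:
            alerts[key] = best
    return alerts


# Constructed sample log: one scanner sweeping 16 ports in 30 seconds, one
# ordinary client reusing port 443, and one slow source touching 3 ports
# spread over 800 seconds (below the window, so not flagged).
SAMPLE_LOG = [
    "1000 198.51.100.4 10.0.0.5 443 ALLOW",
    "1010 198.51.100.4 10.0.0.5 443 ALLOW",
    "1020 198.51.100.4 10.0.0.5 443 ALLOW",
    "100 198.51.100.9 10.0.0.5 22 DENY",
    "500 198.51.100.9 10.0.0.5 80 ALLOW",
    "900 198.51.100.9 10.0.0.5 443 ALLOW",
] + [f"{1000 + 2 * i} 203.0.113.7 10.0.0.5 {20 + i} DENY" for i in range(16)]


def run_example():
    """Run the detector over the constructed sample; returns the alert map."""
    return detect_port_scans(SAMPLE_LOG)


if __name__ == "__main__":
    for (src, dst), n in run_example().items():
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports")
```

Real IDS rules use the same shape of logic with tuned thresholds; the point of the example is that the active part of reconnaissance leaves a pattern in ordinary connection logs, while the passive OSINT part leaves nothing on the client's side to detect.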
Penetration testing results are delivered as a multi-layered report containing information for both business and technical readers. Good penetration testing practice includes assessment of the applications' business logic and of the vulnerabilities' impact on the company's business processes.
Penetration testing may cover the full range of technologies: network, web, mobile and desktop applications, IoT, operational technology (OT, ICS, SCADA), etc. Hacking may also include internal penetration testing (when the attacker is already inside the organization's network), social engineering, physical intrusion using technology (ID card cloning, etc.) and sometimes bypassing mechanical door locks (lock picking).
The penetration testing market is growing and is expected to reach $3.2 billion by 2023 due to the increase in connected devices worldwide, web and cloud-based business applications, and the growing need for IoT and BYOD security.