October 17, 2019
Penetration testing is the safest way of finding out how well your security protocols protect your system. Ethical hackers expose the weaknesses in your security, giving you the heads up on what needs to be done to reduce your level of risk.
You might think of a penetration test as being necessary during an initial assessment of your security procedures, or as part of industry regulatory requirements, or perhaps with a new business acquisition.
In truth, Penetration Testing is a good, if not crucial tool for any of these circumstances.
How is a Penetration Test carried out?
Rigorous (and regular) penetration testing helps you assess your existing security strategy, plan future improvements and prove to industry bodies and customers alike that you are doing everything you can to protect your organisation’s cyber security.
If you’re planning a penetration test project, you probably want to know what the process is.
Do you just call someone and ask them to try and hack your system? Not quite.
Penetration testing can be broken down into multiple phases. What happens in each phase will vary depending on the type of organisation and the type of test conducted, but the methodology is basically the same.
The Life Cycle of a Penetration Test
This article, adapted from our eBook, ‘The Ultimate Handbook to Penetration Testing‘, we discuss each of the project stages in detail:
STEP 1: Pre-Engagement Analysis
Prior to commencing this cyber assessment, it’s imperative that both you and your chosen security service provider have agreed on the scope of the project, the objectives, budget, etc. Beginning a project without first pinpointing these details will be a waste of time and money. The tester might be looking in the wrong place or the results could be watered down by having too broad a scope.
STEP 2: Intelligence Gathering
The penetration tester researches your organisation using all the available means at their disposal, from search engines to the dark web. This phase exposes all the data that is publicly available and how this could be used against you and your organisation. For example, if your CEO has a public Facebook profile and a special relationship with a cat named Wendy, that might give your attackers a little insight as to what his password might be.
STEP 3: Vulnerability Analysis
The test moves into a more active phase. The tester scans your system for vulnerabilities, looking at your overall IT infrastructure configuration and searching for any open ports or weaknesses that could be exploited.
STEP 4: Exploitation
The penetration testers begin to exploit those vulnerabilities. This phase identifies which of the vulnerabilities enables the tester to gain ‘unauthorised’ access to your system/information. The goal of this phase is to confirm the existence of the vulnerability and how exploitable it is.
STEP 5: Post-Exploitation
Getting in might seem like the key point of a penetration test, but in reality customers are most interested in what attackers are able to do once they’ve gained access. The tester will use all available means including misconfigured services, permissions and other techniques to gain the highest privileges on the vulnerable targets. This might include, for example, trying to extract or manipulate data, or – in the case of a physical breach – attempting to remove a laptop or tablet.
STEP 6: Housekeeping
Having successfully completed the test, the tester must then make sure they leave everything as they found it. Any scripts or files planted on the target must be removed, and any virtual door that has been pried open should be returned to its original state. It should be as though the test never happened.
STEP 7: Final Report Delivery
The information contained in the penetration test report is highly sensitive. It should therefore only be shared with previously agreed people in hard copy format and only face to face.
STEP 8: Meeting & Debrief
A final meeting with the security service provider gives you the opportunity to discuss the report’s findings in detail. The penetration tester should be able to recommend next steps to improve security, whether that be new protection software or staff security awareness training. Make the most of this meeting by involving the appropriate personnel so that it is easier to build engagement with future cyber security projects.
Further reading
- Questions to ask your pen test provider
- On-demand webinar: How to develop security vulnerability management programmes
- Pen-tester tales: Password are a security weak spot
- The difference between a Vulnerability Scan and a Penetration test
- A buyers guide to penetration testing services
About Comtact Ltd.
Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).
Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK’s leading organisations.