What is Penetration Testing?
A penetration test subjects a system or a range of systems to real-life security tests. The benefit of a complete penetration suite over a normal vulnerability scanning system is that it reaches beyond a vulnerability scan to discover different weaknesses and perform a much more detailed analysis. The user can perform specified attacks in high detail depending on their specific choices and needs. This is normally done via the many advanced techniques and utilities of a security consultant.
Penetration Testing Compared to Vulnerability Scanning
The advantage of a penetration test compared with an automated vulnerability scan is the involvement of the human element versus automated systems. A human can carry out several attacks based on skills, creativity, and information about the target system that an automated scan cannot.
Several techniques, such as social engineering, can usually be done by humans alone, since they require physical techniques that have to be performed by a human and are not covered by an automated system.
The Penetration Test Process
Discovery: The Penetrator performs information discovery via a wide range of techniques (whois databases, scan utilities, Google data, and more) in order to gain as much information about the target system as possible. These discoveries often reveal sensitive information that can be used to perform specific attacks on a given machine.
Enumeration: Once the specific networks and systems are identified through discovery, it is important to gain as much information as possible about each system. The difference between enumeration and discovery depends on the state of intrusion. Enumeration is all about actively trying to obtain usernames as well as software and hardware device version information.
Vulnerability Identification: The vulnerability identification step is a very important phase in penetration testing. This allows the user to determine the weaknesses of the target system and where to launch the attacks.
Exploitation and Launching of Attacks: After the vulnerabilities are identified on the target system, it is then possible to launch the right exploits. The goal of launching exploits is to gain full access to the target system.
Denial of Service: A DoS (Denial of Service) test can be performed to test the stability of production systems in order to show whether they can be crashed. When performing a penetration test of a preproduction system, it is important to test its stability and how easily it can be crashed, so that its stability is ensured once it is deployed into a real environment.
It is important to perform DoS testing to ensure the safety of certain systems. If an attacker takes down your system during busy or peak hours, both you and your customer can incur a significant financial loss.
Reporting: After the completion of the penetration test, it is important to get user-customized reporting suites for a technical and/or management overview. This includes the executive summary, detailed recommendations to solve the identified vulnerabilities, and official security ID numbers for the vulnerabilities. The reports come in different formats such as HTML, PDF, and XML. Furthermore, all the reports can be modified as the user chooses.