Penetration Testing

A penetration test, colloquially known as a ‘pen test’ or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system. It is not to be confused with a vulnerability assessment, which identifies and ranks weaknesses without attempting to exploit them; a penetration test goes further and actually tries to exploit what it finds. The test is performed to identify weaknesses (also referred to as vulnerabilities), including the potential for unauthorized parties to gain access to the system's features and data, as well as strengths, enabling a full risk assessment to be completed.

The process typically identifies the target systems and a particular goal, then reviews available information and undertakes various means to attain that goal. A penetration test target may be a white box (about which background and system information are provided in advance to the tester) or a black box (about which only basic information—if any—other than the company name is provided). A gray box penetration test is a combination of the two (where limited knowledge of the target is shared with the auditor). A penetration test can help identify a system's vulnerabilities to attack and estimate how vulnerable it is.

Security issues that the penetration test uncovers should be reported to the system owner. Penetration test reports may also assess potential impacts to the organization and suggest countermeasures to reduce the risk.

The process of penetration testing may be simplified into the following five phases:

  1. Reconnaissance: Gathering information about the target before touching it directly. This information is used to plan the later phases. For example, public search engines and other open-source intelligence (OSINT) sources can reveal employee names, e-mail address formats and technologies in use that feed a social engineering attack.

  2. Scanning: Using technical tools to extend the tester's knowledge of the system by interacting with it. For example, Nmap can be used to scan for open ports and identify the services listening on them.

  3. Gaining access: Using the data gathered in the reconnaissance and scanning phases, the tester delivers a payload that exploits a weakness in the targeted system. For example, Metasploit can be used to automate attacks on known vulnerabilities.

  4. Maintaining access: Establishing persistence so that the tester can remain in the target environment long enough to gather as much data as the engagement objectives require, for example by installing a backdoor or creating additional credentials.

  5. Covering tracks: Removing evidence of the compromise (tools dropped on the host, data staged for exfiltration, log events) so that the intrusion is neither detected nor attributed. In an authorized test this is done only within the agreed scope, and the tester keeps a record of every action so that the client can verify the clean-up.

Once an attacker has exploited one vulnerability, they may gain access to other machines, so the process repeats: from the newly compromised host they look for new vulnerabilities and attempt to exploit them. Using a compromised host as a foothold to reach systems that were not directly reachable from the outside is referred to as pivoting.
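As an added illustration of the scanning phase (step 2 above), the following Python program performs a minimal TCP connect() scan, the same technique Nmap uses for `nmap -sT`: a port is reported open if the three-way handshake completes, and whatever the service sends first is captured as a banner for the gaining-access phase. This is example code written for this page, not code from the original article or from any vendor named on it. The target host, port list and banner strings are constructed for the demo: two local listeners stand in for a real SSH service and a silent service, and a bound-but-not-listening socket stands in for a closed port.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def tcp_connect_scan(host, ports, timeout=1.0, workers=32):
    """TCP connect() scan (what `nmap -sT` does).

    A port is open if connect() succeeds, i.e. the handshake completed.
    Returns {port: banner}; banner is "" when the service accepted the
    connection but sent nothing before closing or before the timeout.
    """

    def probe(port):
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                try:
                    # Many services (SSH, SMTP, FTP) talk first; grab that line.
                    banner = s.recv(128).decode("ascii", errors="replace").strip()
                except OSError:  # socket.timeout is an OSError subclass
                    banner = ""
                return port, banner
        except OSError:
            # ECONNREFUSED, timeout, unreachable: closed or filtered, not reported
            return None

    with ThreadPoolExecutor(max_workers=workers) as pool:
        hits = [r for r in pool.map(probe, ports) if r is not None]
    return dict(hits)


def start_fake_service(banner):
    """Constructed stand-in for a target service (not a real daemon):
    a listener on an ephemeral loopback port that greets each client with
    `banner` and then closes the connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket closed: stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def scan_demo():
    """Run the scan against constructed local targets and return the findings
    together with the port numbers so a caller can check them."""
    # Assumed banner: what an OpenSSH server sends on connect (constructed here).
    ssh_srv, ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_8.9p1\r\n")
    # Open port whose service says nothing (like HTTP, which waits for a request).
    silent_srv, silent_port = start_fake_service(b"")
    # Reserved but not listening: the kernel refuses the connection (closed port).
    closed_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    closed_sock.bind(("127.0.0.1", 0))
    closed_port = closed_sock.getsockname()[1]
    try:
        found = tcp_connect_scan("127.0.0.1", [ssh_port, silent_port, closed_port])
    finally:
        for s in (ssh_srv, silent_srv, closed_sock):
            s.close()
    return found, ssh_port, silent_port, closed_port


if __name__ == "__main__":
    found, ssh_port, silent_port, closed_port = scan_demo()
    for port in (ssh_port, silent_port, closed_port):
        state = "open" if port in found else "closed"
        print(f"{port:5d}/tcp {state:6s} {found.get(port, '')}")
```

A connect() scan completes the handshake, so every probe shows up in the target's connection logs; that is acceptable in an authorized test but is why Nmap defaults to a half-open SYN scan when run as root. The banner grab is deliberately passive (it only reads what the service volunteers); services that wait for the client to speak first, such as HTTP, show up as open with an empty banner and need a protocol-specific probe to be identified.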

Types of Pen-Testing

Internal Pen-Testing

Focuses on determining the potential business impact of a security breach and validating the level of effort an attacker needs to overcome your security infrastructure once already inside the network. After access is gained, Purple Shield identifies configuration issues and vulnerabilities that can be exploited. Using that information, Purple Shield attempts to complete several objectives that are designed to replicate common attacker goals, such as reaching sensitive data or obtaining domain-wide administrative access.

Web Application Pen-Testing (Authenticated and Unauthenticated)

Focuses on evaluating the security of a web application by drawing on the Penetration Testing Execution Standard (PTES) and the OWASP testing checklist, and involves an active analysis of the application for weaknesses, technical flaws and other vulnerabilities, both without credentials and as an authenticated user. You’ll receive an assessment of the potential impact, steps to reproduce the issue where applicable, and FRSecure’s recommendations for remediation.

External Pen-Testing (Authenticated and Unauthenticated)

Consists of enumerating and verifying vulnerabilities that could be exploited by external attackers to gain unauthorized access to your systems. Purple Shield’s team plays the role of an external attacker, attempting to exploit vulnerable systems to obtain confidential information or compromise network perimeter defenses.

Physical Pen-Testing

Measures the effectiveness of security training, internal procedures, and technical controls by attempting physical access to your organization. Purple Shield staff will pose as a legitimate person or company (fire inspector, exterminator, power company technician, etc.) and then attempt to gain access to restricted areas, obtain a physical network connection, or access unattended workstations or servers.