
subject: Why Penetration Tests Are A Critical Component To Your Security Posture


Penetration testing is probably the most trusted method for assessing the security risks of computer systems, web applications and even brick-and-mortar facilities. Its roots date back to the 1970s when, on the assumption that the best way to assess security was to try to break it, the U.S. Department of Defense began extensive penetration testing to demonstrate the weaknesses in its computer systems. Four decades later, organizations continue to rely on penetration tests to identify vulnerabilities before a criminal does.

Over the years, penetration tests have evolved into a battery of specialized tests, each used to determine how vulnerable particular systems or assets are to malicious attack. Despite this evolution, every test keeps the original structure: simulate real-world attacks using the tools and techniques employed by actual criminals in order to establish a baseline assessment of an organization's security posture.

The most common types of penetration tests used today are:

External Penetration Tests: These originate outside the network perimeter and examine externally facing IT systems and assets for vulnerabilities. The test is a stair-step process that mimics an actual attacker exploiting a minor weakness in order to gain greater access to the system. To simulate a real external attack, testers are given only minimal information about the target. They are allowed to scour any publicly available source, such as web pages or social networks, for usable information that would assist in the attack, and are then free to use common attack tools to exploit any vulnerability they find, within the agreed scope and rules of engagement. The results allow the organization to prioritize a plan of action and address each weakness individually.

Internal Penetration Tests: These tests examine systems and assets "behind the firewall" for weaknesses an attacker could exploit. The test usually mimics an attack originating inside the company, perhaps from a disgruntled employee, an unauthorized visitor, or an external attacker who has already gained a foothold on the internal network. Testers are typically given low-privilege access to the network and only the basic information that someone with those privileges would normally have. The tester then tries to expand that access through privilege escalation and ultimately reach information they are not authorized to see.

Web Application Tests: Network firewalls and intrusion detection systems offer little protection against attacks on web applications, because the attack arrives inside the same HTTP requests the application is built to accept. That makes web applications an attractive entry point, and a relatively simple flaw in one can often be exploited to reach confidential information. Best practice is to test the application while it is still in development, but that is not always an option for organizations that integrate third-party applications into their infrastructure. That is why these web-based applications must be given special attention and tested on a regular basis.
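As an added illustration of the "relatively simple flaw" a web application test looks for, the following Python sketch is not from the original article or from TraceSecurity. It builds a constructed in-memory user table, shows a lookup that pastes user input straight into SQL next to its parameterized fix, and runs the kind of check a tester would run: feed a classic injection payload into each and see whether it returns more rows than a legitimate query should. The table, the sample users and the payload list are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the example, not taken from any real system.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "4111-1111-1111-1111"),
    ("bob", "bob@example.com", "4222-2222-2222-2222"),
    ("carol", "carol@example.com", "4333-3333-3333-3333"),
]

# Two textbook payloads a web application tester would try first.
INJECTION_PAYLOADS = [
    "' OR '1'='1",
    "' OR 1=1 --",
]


def build_db():
    """Create a throwaway SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, card TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The flawed version: the request parameter is concatenated into the query,
    so a quote in the input changes the shape of the SQL statement."""
    sql = "SELECT username, email, card FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """The fix: the value is bound as a parameter and can only ever be data."""
    sql = "SELECT username, email, card FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def probe(lookup):
    """One check from a web application test: compare the row count for a
    legitimate username against the row count each payload produces.
    Returning more rows than the baseline means the input reached the
    query logic and disclosed data belonging to other users."""
    conn = build_db()
    try:
        baseline = len(lookup(conn, "alice"))
        for payload in INJECTION_PAYLOADS:
            try:
                rows = len(lookup(conn, payload))
            except sqlite3.Error:
                # A database error is itself a hint worth noting in a report,
                # but only confirmed over-disclosure is flagged here.
                continue
            if rows > baseline:
                return {"vulnerable": True, "payload": payload, "rows": rows}
        return {"vulnerable": False, "payload": None, "rows": baseline}
    finally:
        conn.close()


if __name__ == "__main__":
    for name, fn in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        result = probe(fn)
        verdict = "FINDING: SQL injection" if result["vulnerable"] else "ok"
        print(f"{name:10s} rows={result['rows']} payload={result['payload']!r} -> {verdict}")
```

The concatenated version hands every user's record to the first payload, which is exactly the "simple vulnerability exposing confidential information" the text warns about; the parameterized version returns nothing for the same input because the quote never leaves the data value. In a real engagement the lookup would be an HTTP endpoint and the payloads would be sent as request parameters, but the comparison logic is the same.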

Non-traditional Penetration Tests: Many sensitive areas outside the electronic infrastructure are also vulnerable to malicious exploitation. Social engineering testing evaluates the effectiveness of an organization's internal security controls, security policies and awareness programs, and is usually very successful in revealing the weaknesses criminals commonly exploit to create a breach. These tests allow an organization not only to assess its information security policies and its employees' adherence to them, but also to identify security weaknesses that exist within the physical facility itself.

Penetration testing is not the be-all and end-all of security testing. It does not replace other measures such as a comprehensive vulnerability assessment, a full security assessment, a policy assessment or a comprehensive risk assessment, nor is it merely a box to tick to satisfy compliance obligations. Rather, a penetration test is a valuable part of a comprehensive security program that provides clear, concise direction on how to secure an IT infrastructure against real-world attacks and the risk its vulnerabilities pose.

IT systems change, new threats emerge, and business processes are updated, so a single test is only a snapshot. Testing should be repeated at regular intervals, and after significant changes to the environment, as part of an overall IT security compliance program that includes comprehensive security assessments of the internal and external network, security policy reviews and end-user security awareness.

by: TraceSecurity



