Security Penetration Testing: What Goes on in a Penetration Test?

In the course of security penetration testing, the tester will probe your organisation’s computer and network defences, and will then attempt to breach them (with your permission), but without causing the damage that a malicious hacker might cause. The results are explained in a report which also includes recommendations for actions to correct any security loopholes in your systems.

Security penetration testing is an essential part of any organisation’s information security provision. Whatever security controls you implement for your data, you will never know for sure how effective they are until you actively test them by commissioning security penetration testing (also known as “pen testing”).

In order to get the best out of the test results, it is important to be aware of the general pattern taken by a penetration test. This also makes it possible to check that your provider is following the correct methodology. The main stages are as follows:

* Foot-printing: Public sources of information are used to gather information about your organisation’s Internet presence.

* Scanning: Standard tools are used to map your network in a non-intrusive way, determining the number of computers and the network configuration.

* Enumeration: This stage involves attempting active connections to your systems in order to discover information (such as valid account names) that might be exploited by hackers. This stage and the two preceding stages are all legal: the further stages would not be legal without your organisation’s written permission.

* Gaining access: This is the point where security penetration testing comes into its own, as the test demonstrates whether or not a hacker would be able to gain access to your network.

* Increasing access rights: Having gained access, the pen tester now seeks to increase his/her access rights to the highest level possible, in order to find out whether your network is vulnerable to this kind of “exploit”. A hacker who succeeds in gaining high-level access would be able to wreak considerable damage on the systems.

* Pilfering and theft of data: Moving into an even more active mode, the security penetration testing procedure now covers the attempted theft of information.

* Covering one’s tracks: A skilled pen tester will attempt to cover his/her tracks so that the attack remains undetected, in order to demonstrate that this is possible, since a stealth attack is the most dangerous kind.

* Creating a back door: A further refinement is to create a “back door” that will make it easier to access your systems in the future. It will certainly be highlighted in the report as a major weakness of your systems if the penetration tester finds that this is possible.

* Denial of service: Finally, the tester may seek to discover whether a “denial of service” attack is possible, whereby resources become unavailable to legitimate users.

For this reason, some organisations prefer the security penetration testing to stop short of those stages. In general, penetration testing should be carried out at regular intervals, and certainly after major changes to the computer network. Used correctly, pen tests can be an indispensable aid to your organisation’s information security management system.