
Penetration Testing

Penetration testing is a subset of ethical hacking. Ethical hacking typically refers to the use of computer attack techniques to find security flaws, with the permission of the target owner and with the goal of improving the target's security.

Penetration testing is more narrowly focused: it is the process of finding flaws in a target environment with the goal of penetrating systems and actually taking control of them. As its name implies, penetration testing concentrates on penetrating the target organization's defenses, compromising systems and gaining access to information.

Penetration Tests and Red Team Exercises is one of the Council on CyberSecurity's Critical Security Controls. The Council provides the following explanation for why this is a critical control:

Attackers often exploit the gap between good defensive designs and intentions and their implementation or maintenance. Examples include: the time window between the announcement of a vulnerability, the availability of a vendor patch and its actual installation on every machine; well-intentioned policies which have no enforcement mechanism (especially those intended to restrict risky human actions); failure to apply good configurations and other practices to the entire enterprise, or to machines that come in and out of the network; and failure to understand the interaction among multiple defensive tools, or with normal system operations that have security implications.

In addition, successful defense requires a comprehensive program of technical defenses, good policy and governance and appropriate action by people. In a complex environment where technology is constantly evolving and new attacker tradecraft appears regularly, organizations should periodically test their defenses to identify gaps and to assess their readiness.

Penetration testing starts from the identification and assessment of vulnerabilities that can be identified in the enterprise. It complements this by designing and executing tests that demonstrate specifically how an adversary can either subvert the organization’s security goals (e.g., the protection of specific Intellectual Property) or achieve specific adversarial objectives (e.g., establishment of a covert Command and Control infrastructure). The result provides deeper insight, through demonstration, into the business risks of various vulnerabilities.

Penetration testing is vital for determining an organization's business risk and is also a requirement in some industries. For instance, many organizations that process credit card transactions must comply with the PCI Data Security Standard (PCI DSS). Section 11.3 of PCI DSS v3.1, published April 2015, requires organizations, at a minimum, to implement a methodology for penetration testing, to perform external penetration testing at least annually, and to perform internal penetration testing at least annually.

Penetration testing involves modeling the techniques used by real-world computer attackers to find vulnerabilities and, under controlled circumstances, exploiting those flaws in a professional, safe manner according to a carefully designed scope and rules of engagement. The purpose is to determine business risk and potential impact, with the overall goal of helping the organization improve its security practices.

Please contact us for information on our penetration testing services.