Penetration testing

The types of penetration testing [updated 2019]

Ravi Das
September 4, 2019 by
Ravi Das

In today's corporate environment, there is no doubt that security is now one of the main issues being addressed. Every day, you hear about Cyber hackers attacking computer systems and servers, stealing everything from passwords to financial information and data.

No matter how hard the management and IT teams at these businesses try to combat these types of security breaches, the hacker is always one step ahead. In fact, this can be very much likened to that of a cat and mouse game.

But, the good news is that there is a way a company can find out security weaknesses and vulnerabilities before the Cyber Hacker can. This can be accomplished through an iterative process known as "Penetration Testing", or simply known as a "Pen Test" for short.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

What is Pentesting?

In simple terms (although the actual testing can be quite complex a Pen Test examines any weaknesses in the IT infrastructure of a corporation by trying to discover and exploit them, in a safe manner. These vulnerabilities can be found in the software itself at these particular points of entry:

  • Backdoors in the Operating System;
  • Unintentional flaws in the design of the software code;
  • Improper software configuration management implementation;
  • Using the actual software application in a way it was not intended to be used.

PenTesting can be accomplished either through manual or automatic processes and is often targeted towards the following endpoints:

  • Servers;
  • Network endpoints;
  • Wireless networks;
  • Network security devices (this is hit upon the most in an actual Pen Test, which includes the Routers, Firewalls, Network Intrusion devices, etc.);
  • Mobile and wireless devices;
  • Other areas of exposure, such as that of software applications and the code behind it.

However, it should be noted that the actual Pen Test just does not stop at this level. The primary goal is to go as far and deep as possible into the IT infrastructure to get to the electronic assets of a corporation. The goal is not to just strike hard the first time, but to also strike even harder covertly at random times as well.

What does Penetration testing involve

To uncover the vulnerabilities which can be found in type or kind of Web Application, there are three types of Pen Testing which can be used, which are as follows:

  • Black Box Testing;
  • White Box Testing;
  • Gray Box Testing.

Black box penetration testing

In a real-world Cyber-attack, the hacker probably will not know all of the ins and outs of the IT infrastructure of a corporation. Because of this, he or she will launch an all-out, brute force attack against the IT infrastructure, in the hopes of trying to find a vulnerability or weakness on which they latch onto.

In other words, in this type of Pen Test, there is no information given to the tester about the internal workings of the particular Web Application, nor about its source code or software architecture. As a result, this particular type of test can take a very long time to complete, so very often, the tester will rely upon the use of automated processes to completely uncover the weaknesses and vulnerabilities. This type of test is also referred to as the "trial and error" approach.

White box penetration testing

In this type of Pen test, also known as "Clear Box Testing," the tester has full knowledge and access to both the source code and software architecture of the Web Application. Because of this, a White Box Test can be accomplished in a much quicker time frame when compared to a Black Box Test. The other advantage of this is that a much more thorough Pen Test can be completed.

But, this approach also has its set of disadvantages. First, since a tester has complete knowledge, it could take more time to decide on what to focus specifically on regarding system and component testing and analysis. Second, to conduct this type of test, more sophisticated tools are required such as that of software code analyzers and debuggers.

Gray box Penetration testing

As the name implies, this type of test is a combination of both the Black Box and the White Box Test. In other words, the penetration tester only has partial knowledge of the internal workings of the Web Applications. This is often restricted to just getting access to the software code and system architecture diagrams.

With the Gray Box Test, both manual and automated testing processes can be utilized. Because of this approach, a pen tester can focus their main efforts focus on those areas of the Web Application, which he or she knows the most about, and from there, exploit any weaknesses or vulnerabilities. With this particular method, there is a higher probability that more hard-to-find "security holes" will also be discovered as well.

The Penetration testing teams

Very often, when it comes, Pen Testing, the image of just one person doing the test is conjured up. But keep in mind, the best types of Pen Testing come into play when multiple testers are utilized and are broken down into three teams, which are as follows:

  • The Red Team
  • The Blue Team
  • The Purple Team

The Red team

The Red Team can be considered as those individuals who are the actual Pen Testers. Their primary goal and objective are to mimic or emulate the mindset of an attacker, trying to break down through all of the weaknesses and vulnerabilities which are present. In other words, it is the Red Team which attacks all fronts possible.

The Blue team

The Blue Team can be considered that personnel from within the infrastructure of the business itself. This can be the IT Security team, and their primary goal and objective are to thwart off and defend against any attacks from the Red Team. It is important that anybody participating on the Blue Team must possess the mindset of constant proactiveness and vigilance to defend the corporation against any and all attacks.

If you think about it, both the Red Team and Blue Team can be viewed as the two sides of a particular coin, or the Ying and the Yang. The summation goal of these two teams is great to enhance the security posture of the corporation on a constant basis, by sharing feedback with another. However, this does not always happen. Thus there is the need for the Purple Team.

The Purple team

The Purple Team can be viewed as the composite of both the Red Team and the Blue Team. In other words, the Purple Team adopts the security controls and tactics from the Blue Team, as well as the security weaknesses and vulnerabilities which are discovered by the Red Team. This is then all translated into a one, single narrative which can be shared across all of the teams fully to implement a policy of continuous and constant security improvements for the corpora

In other words, the Purple Team can be viewed as literally the "bridge" between the Red Team and the Blue Team, to help instill a sense of continuous integration amongst the two. To fully ensure that the Purple Team is providing the most robust lines of communication and information, it should remain as a separate entity and neutral of all views and circumstances, so there is no bias.

The types of Penetration tests

Now that the teams have been divided and their roles and responsibilities clearly defined, there are some different types of Pen Testing which can be engaged. These are as follows:

  • Network Services
  • Web Application
  • Client Side
  • Wireless
  • Social Engineering

Network services

In the word of Pen Testing, this is viewed as the most common and most in-demand test to conduct for a client. This type of test involves finding security weaknesses and vulnerabilities in the network infrastructure of a corporation. This test can be done locally at the place of business, or even be done remotely. It is highly recommended that both approaches be utilized, to glean the most information possible. This type of test involves examining the following:

  • Firewall configuration testing;
  • Stateful analysis testing;
  • Firewall bypass testing;
  • IPS evasion;
  • DNS attacks which include:
    • *Zone transfer testing;
    • *Any types or kinds of switching or routing issues;
    • *Any other required network testing.

Some of the most common software packages which are examined in this test include:

  • Secure Shell (SSH);
  • SQL Server;
  • MySQL;
  • Simple Mail Transfer Protocol (SMTP);
  • File Transfer Protocol;
  • Microsoft Outlook login pages.

It is important to note that Network Service testing is not considered to be a deep kind of testing. This is left to the Web Application Test.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Web application

This can be viewed specifically as a "deeper dive" of the test, in that it is much more thorough and detailed. With this test, any security vulnerabilities or weaknesses are discovered in Web-based applications. Such components as ActiveX, Silverlight, and Java Applets, and APIs are all examined. This type of test is considered to be much more complex, and as a result, a large amount of time is needed to correctly and thoroughly test the Web application in question.

Client side

This type of test is designed to find any types or kinds of security vulnerabilities on software that can be exploited very easily on a client computer, such as an employee workstation. Examples of this include Web browsers (such as that of Internet Explorer, Google Chrome, Mozilla Firefox, Safari), content creation software packages (such as MadCap Flare or Adobe Framemaker and Adobe RoboHelp), media players, etc.

Wireless

As the name implies, this test involves examining all of the wireless devices which are used in a corporation. This includes such items as tablets, notebooks, smartphones, etc. The following are also tested to find any security holes:

  • Wireless protocols (to determine which ones are deemed to be "weak" in nature);
  • Wireless access points (to determine which ones are "rogue");
  • Administrative credentials.

In most cases, a Wireless test is conducted at the client site, because the Pen Testing equipment has to be in reasonably close proximity to the wireless network signals.

Social engineering

This type of test involves attempting to get confidential or proprietary information by purposely tricking an employee of the corporation to reveal such items. There are two types of subtests which can be carried out with Social Engineering:

  • Remote testing: This involves tricking an employee to reveal sensitive information via an electronic means. This is often conducted with creating and launching a Phishing E-mail Campaign.
  • Physical testing: This involves the use of a physical means or presence to garner sensitive information. This includes Dumpster Diving, Impersonation, threatening and/or convincing phone calls, etc.

Computer Network Exploitation (CNE) Versus Computer Network Attack (CNA)

In the world of Cyber-attacks, there are two main threats a hacker can pose to a corporation, or for that matter, even a government entity:

  • Computer Network Exploitation
  • Computer Network Attacks.

Computer Network Exploitation (CNE)

With this type of particular threat, a computer network can be used to target a victim computer network, to extract and gain confidential information and data, even highly classified intelligence documents. In other words, the computers, workstations, and servers which reside in the victim network are "exploited" through any means possible.

It should be noted that this type of attack does not typically occur in the corporate sector, rather it is more commonly used within government agencies around the world, especially those of military organizations. CNE is viewed as "spying".

Computer Network Attack (CNA)

With this technique, the goal is to destroy at all costs any information which resides on the computers of the victim network. A CNA is often confused with an Electronic Attack (EA). But in reality, the two are quite different. For example, an EA attack depends primarily upon using the electromagnetic spectrum (such as using an electromagnetic pulse to destroy the RAM of a computer).

But, a CNA utilizes a data stream to execute an attack against the victim network and totally incapacitate it. CNA is viewed as "sabotage". Typical examples of this include the following:

  • Eavesdropping;
  • Data modification;
  • Identity spoofing (also known as IP Address Spoofing);
  • Password-based attacks;
  • Distributed Denial of Service Attacks (DDoS);
  • Man in the Middle Attacks;
  • Compromised key attacks;
  • Sniffer attacks;
  • Application layer attacks.

Become a Certified Ethical Hacker, guaranteed!

Become a Certified Ethical Hacker, guaranteed!

Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.

Summary

In summary, this article provided an overview of what Pen Testing is all about; the testing techniques which are involved; the players which are involved in an actual Pen Test; and examples of major Cyber-attacks. There is no doubt many other methods a corporation can use to fortify its defenses, but it is only a comprehensive Pen Test which will reveal all of the unforeseen gaps and holes in the IT infrastructure. After all, in the end, this is what the hacker will go after first, and exploit them to the maximum possible.

Apart from this, though, utilizing a full Pen Test offers many other powerful benefits, such as:

  • Providing a means to manage efficiently all of the security holes and gaps which become known:

After you discover all of these with a Pen Test, you can then come up with a categorization scheme (or a severity scale) which will allow you to address the most serious vulnerabilities first, rather than taking a "shot in the dark" approach. This also allows for the most appropriate allocation of critical resources to fix these problems.

  • Providing a way in which you can become proactive about maintaining the security of the corporation:

There is no doubt that having a comprehensive, exhaustive Pen Test can be an expensive proposition. But look at this way: The cost of having this done will pale in comparison if an actual security breach were to occur. This could cost anywhere from millions to even billions of dollars.

  • Providing the tools needed to come into compliance:

In today's world, a majority of the Fortune 500 corporations are under the scrutiny of the Federal Government to make sure that they come up to levels which are established my major pieces of legislation. These include HIPAA, Sarbanes-Oxley, etc. If corporations do not meet the minimum requirements set forth, the penalties and fines can be quite severe. By conducting a comprehensive Pen Test, all of this can be avoided.

  • Allowing you to maintain your corporate brand and keep your customers:

Remember, the cardinal rule in sales is that it can take years to build up your brand and your customer base. But this can all be lost within just minutes with a major security breach. By being proactive with conducting a Pen Test, you can avoid any major security mishap, and as a result, your corporate brand and customer base will grow even stronger.

Become a Certified Ethical Hacker, guaranteed!

Become a Certified Ethical Hacker, guaranteed!

Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.

Sources

Ravi Das
Ravi Das

Ravi is a Business Development Specialist for BiometricNews.Net, Inc., a technical communications and content marketing firm based out of Chicago, IL. The business was started in 2009, and has clients all over the world. Ravi’s primary area of expertise is Biometrics. In this regard, he has written and published two books through CRC Press. He is also a regular columnist for the Journal of Documents and Identity, a leading security publication based out of Amsterdam.

You can visit the company’s website at www.biometricnews.net (or http://biometricnews.blog/); and contact Ravi at ravi.das@biometricnews.net.