At TrackIt, we were recently approached by a client that had identified the need to execute a penetration test that would allow them to recognize and fix security vulnerabilities in their IT infrastructure.
The client had already contacted other pen test providers and realized that they were offering far more than what they needed at a commensurately high price. Having already worked with TrackIt in the past, the client sought the TrackIt team’s expertise to execute an “80-20 pen test” i.e. an 80% penetration test at 20% of the cost that would enable them to identify the majority of their security vulnerabilities without having to spend a fortune.
Our aim in the following educational article is to provide readers with a deeper understanding of pen tests, their general importance, the various types of pen tests, and also a list of tools used by the TrackIt team in the execution of the “80-20 pen test”.
A penetration test, also known as a pen test, is an attempt to evaluate the overall security of a company’s IT infrastructure by trying to expose exploitable vulnerabilities. Pen tests are authorized simulated cyber attacks performed to help companies identify and address security issues in their IT infrastructure.
A penetration test is typically performed using suites of tools that help identify various security vulnerabilities in computer systems. The following is a list of common penetration testing tools, several of which were used by the TrackIt team to execute the “80-20 pen test”:
There are fundamentally two different types of (or approaches to) penetration tests: internal and external. An internal penetration test is conducted on the premise that the hacker has already gained access to the company’s internal network. Internal pen tests help determine and analyze what hackers can do once inside.
External pen tests are conducted on the premise that the hacker is attempting to gain access to a company’s internal network without internal resources. External penetration testing often involves trying to gather sensitive internal information such as employee email addresses, employee information, etc. through open source intelligence (OSINT) to eventually gain internal network access.
A more sophisticated way of categorizing penetration tests employs a color code to distinguish three different types of pen tests: black-box, gray-box, and white-box.
Black-box penetration testing
In black-box pen testing, the penetration tester assumes the role of a hacker who has no internal knowledge of the system – identical to the scenario explored in external penetration tests. Testers are not provided with any architecture diagrams or source code that is not publicly available. The benefit of black-box pen testing is that it is fairly quick to perform; its quality depends on the penetration tester’s ability to identify and exploit security vulnerabilities from the outside.
White-box penetration testing
White-box testing falls on the opposite end of the spectrum from black-box testing. In white-box pen testing, penetration testers are provided with full access to source code, architecture documentation, and other internal information. The primary challenge of white-box testing is to sift through the huge volumes of data available to identify potential security vulnerabilities. White-box testing, although more time-consuming, provides a reasonably comprehensive assessment of both the internal and external security vulnerabilities of a computer network.
Gray-box penetration testing
Any penetration test that falls between black-box (where the tester has no internal information whatsoever) and white-box (where the tester has access to all internal information) is a gray-box penetration test. Gray-box pen testers are usually provided with an account internal to the network along with some internal information such as design and architecture documentation. Gray-box penetration tests provide companies with a better assessment of their network security by simulating attacks by someone within the perimeter of a computer system.
A typical penetration test report provides you with the following:
Summary of Findings: An overall assessment of the security of the company’s IT infrastructure.
Security Strengths: A list of positive security measures already implemented by the company.
List of Vulnerabilities: The List of Vulnerabilities provides a company with a high-level overview of the multiple security vulnerabilities that have been exposed in the pen test. These vulnerabilities are accompanied by a Vulnerability Ratings table, built on CVSS v3 (Common Vulnerability Scoring System Version 3), that helps determine the severity of each vulnerability.
Detailed Analysis of Each Security Vulnerability: A detailed analysis of each vulnerability (evidence of the vulnerability and its impact) is provided in the penetration test report.
Detailed Remedy for Each Security Vulnerability: Detailed remedies for each security vulnerability are included within the penetration test report.
The idea of absolute security is a myth. With modern-day hackers becoming ever more dexterous and ingenious in their approaches and skill sets, absolute certainty with regard to IT security is a luxury companies cannot afford to believe in.
This said, penetration tests like the “80-20 pen test” discussed in the introduction can be an extremely cost-effective way for companies to quickly identify and address a majority of their security concerns without having to spend a fortune. Such pen tests can and will help companies buffer themselves against the most common and most likely security threats.