How to do a Penetration test
Those responsible for local computer networks know how much effort is needed to set them up and maintain them. All components must be configured so that they are functional and up-to-date. The required software must be installed for all user devices, and appropriate access rights need to be defined. The most important task, however, is to develop the appropriate security concept to protect your network against malware. The network size and required security standard will define which measures and elements will be used – from standard software firewalls and anti-virus programs, to more complex hardware firewalls, to solutions with additional components, such as intrusion detection and intrusion prevention systems.
Even when the defense concept is in place, it’s far from over: Regular security tests to check network protection are common practice among larger companies and authorities. Penetration tests (shortened to pen tests) can be used to determine how vulnerable your network, including participating systems, or even individual applications, actually is to attack. You can then take appropriate measures depending on what the test results find. How are these tests carried out exactly and what do they mean for the existing network?
What is penetration testing?
In the IT sector, a penetration test is a planned attack on a network of any size or on individual computers that aims to uncover any vulnerabilities in the test object. To achieve this, different tools are used to simulate different attack patterns, which are modelled around familiar attack methods. Typical components subjected to pen tests are:
- Network coupling elements such as routers, switches, or gateways
- Security gateways such as firewalls, packet filters, virus scanners, load balancers, IDS and IPS etc.
- Servers such as web servers, database servers, file servers etc.
- Telecommunication systems
- Any type of web application
- Infrastructure installations, e.g. access control mechanisms
- Involved wireless networks such as WiFi or Bluetooth
The tests are normally divided into black box and white box testing: With the former, only the address information of the target network or system is available to the penetration testers, who must discover everything else themselves, just as an outside attacker would. With the latter, the testers have extensive knowledge of the systems that are going to be tested. They know information such as IP addresses, network diagrams, and the software and hardware components being used. Therefore, white box pen tests also cover attack scenarios that a black box test cannot reach in the available time, such as attacks by well-informed insiders.
Reasons and pre-requisites for a penetration test
In principle, the more valuable your data is, the more attractive a target you are. Authorities and banks that manage a variety of valuable personal customer information are just as attractive to criminals as successful companies that possess valuable data on their servers. However, if the data or projects in your network aren’t as valuable, you shouldn’t be lulled into a false sense of security. Whether you run a web store or merchandise management system on a server in the network, run an informative web project with lots of posts, or simply use the network as a work platform, you can also fall victim to attackers who can:
- Paralyze your web projects or work space
- Get hold of network users’ passwords
- Infiltrate malware
- Steal log-in data from customer accounts
- Misuse computer systems in your network.
Apart from economic consequences, this can also damage your company’s reputation if customers are affected or the attack becomes public knowledge.
If you choose to perform a penetration test on your network, you shouldn’t carry out the attacks against your own computer systems and applications yourself, but rather enlist the help of an expert. The tests require professional competence in the field: penetration tests can be run at different intensities and quickly lead to complications or serious damage if performed incorrectly. The tester therefore has to strike a balance: follow an attack path far enough to demonstrate that a weakness is real and what it exposes, but stop short of exploitation steps that could damage production systems or data. In addition, an external tester who hasn’t been involved in the network conception, construction, and administration is preferable, since they are impartial and see things from a different angle.
Any type of penetration testing assumes that you are the owner of the tested network or at least have the appropriate authorization; testing systems you are not authorized to test is a criminal offence in most jurisdictions. When cooperating with an external tester, a written contractual arrangement is therefore absolutely essential. It should record the scope (which systems and address ranges are in and out of bounds), the duration and intensity of the pen tests, permitted time windows, data protection measures for any information the tester obtains, and whom to contact if a test causes an outage.
Penetration testing: which tools are used?
Since there are so many different kinds of attacks, it makes sense to have lots of different tools available for penetration testing. These include, for example, port scanners, vulnerability scanners, sniffers, packet generators, or password crackers. Many tools have been explicitly developed for security tests in networks and are therefore tailored to specific test areas. While the vast majority of these programs are derived from the open source sector, there are some commercial security applications, which are generally better documented and have comprehensive user support. This can be beneficial, as it is very important for the tester to be able to work out how well the tools work, which is easier for them if application scenarios and possibilities are clearly defined.
There are now extensive tool collections for penetration tests, which were compiled by experienced security experts. These collections usually take the form of a Linux distribution that can be booted as a live system from an external storage medium like a DVD or a USB stick. The advantage of these collections is that all the important tools are preinstalled, preconfigured, ready to use and grouped in a single menu. One of the most popular distributions is Kali Linux, first released in 2013 as the successor of BackTrack.
Penetration test procedure
For successful penetration testing, you first need to create a clear concept. Clarify the components that need to be tested, how long an individual test or review of your entire network should take, and whether you have all the necessary tools at your disposal. This preparatory phase is even more important when you are enlisting the help of an external tester and you plan to carry out a white box test. In this case, it is necessary to reveal all information about your network and participating systems and pass on any existing documentation. The situation is different when it comes to black box tests, since you only need to reveal the target address of the respective test objects.
The actual test procedure can be divided into the following four areas:
- Reviewing the network concept: Even in the preparation stage, a penetration tester can detect inconsistencies or specific weaknesses in the design of the network or in individual components. For example, if multiple applications are configured that have different access groups, they can quickly create complications and present a security risk for the entire network, even if the network and individual hosted programs are adequately protected. Some of these cases can already be settled in the preliminary discussion, while others can only be confirmed by carrying out a practical test.
- Testing the hardening measures: The core element of a secure corporate network is that the systems involved are hardened as far as possible. During the penetration test, it is therefore important to check which defensive measures are actually in place. This includes installed software such as the operating system, system services, or user applications, which should always be up to date. If older versions are still in use because other applications depend on them, you need to take alternative precautions (such as isolating the system or restricting access to it). In addition, access and authentication requirements for individual systems and programs play an important role. Here the pen test deals with issues such as access rights, password use, and encryption, as well as the question of whether unauthorized people are actually denied access. An additional task is to check which interfaces and open ports are exposed and how they are used, and whether the defined rules, e.g. firewall rule sets, really enforce what the design intended.
- Search for known vulnerabilities: It generally doesn’t take long for vulnerabilities in widely used software to become public, which is why penetration testers are generally familiar with the known attack points of the test objects. Using the version and patch status determined while assessing the hardening level of the network components, testers quickly know which installations pose a security risk. If many systems are to be analyzed in a short time, vulnerability scanners can help, although their results need to be verified: they produce both false positives (a flagged version that has in fact been patched) and false negatives.
- Targeted use of exploits: The tester can only work out whether a discovered vulnerability can actually be exploited by running a corresponding exploit against it. These exploits are usually scripts obtained from various internet sources, and they aren’t always reliably programmed. If an unreliable exploit is run, there is a risk that the tested application or system will crash and, in the worst case, that important data will be overwritten. The penetration tester should therefore only use scripts from trustworthy sources, read them before running them, try them against a test system first where possible, and otherwise forgo exploiting the vulnerability and report it as unverified.
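To make the tool and procedure sections above concrete, here is an added example (not code from the original article or from any tool it mentions) that ties together the scope check from the test agreement, a simple TCP connect scan with banner grabbing, and the version-versus-baseline comparison behind the hardening and known-vulnerability steps. The engagement scope, the minimum-version baseline and the sample banners are all constructed for this illustration; a real test would use the ranges from your contract and your own patch policy.

```python
"""Authorized hardening check: scope enforcement, banner grab, version baseline.

Added example. The scope ranges, baseline versions and sample banners below
are constructed for illustration and are not taken from the article.
"""
from __future__ import annotations

import ipaddress
import re
import socket
from dataclasses import dataclass

# Hypothetical engagement scope as it would be recorded in the test contract.
SCOPE = [ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("192.168.1.0/24")]

# Hypothetical minimum versions from a client's patch policy (constructed;
# this is a policy table, not a vulnerability database). Older is flagged.
BASELINE = {"OpenSSH": "8.0", "Apache": "2.4.50", "nginx": "1.20.0", "vsFTPd": "3.0.5"}

# Banner formats as emitted by these services; group 1 = product, 2 = version.
BANNER_PATTERNS = [
    re.compile(r"SSH-\d\.\d-(OpenSSH)_([\d.]+)"),
    re.compile(r"Server:\s*(Apache)/([\d.]+)", re.IGNORECASE),
    re.compile(r"Server:\s*(nginx)/([\d.]+)", re.IGNORECASE),
    re.compile(r"\((vsFTPd) ([\d.]+)\)"),
]


@dataclass
class Finding:
    port: int
    product: str
    version: str
    minimum: str


def in_scope(host: str) -> bool:
    """Refuse to touch anything outside the contractually agreed ranges."""
    ip = ipaddress.ip_address(host)
    return any(ip in net for net in SCOPE)


def grab_banner(host: str, port: int, timeout: float = 2.0) -> str | None:
    """TCP connect scan of one port with banner grab; None if closed/filtered."""
    if not in_scope(host):
        raise PermissionError(f"{host} is outside the authorized scope")
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            if port in (80, 8080):  # HTTP servers only answer after a request
                s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            return s.recv(1024).decode("latin-1", errors="replace")
    except OSError:  # refused, timed out, unreachable
        return None


def parse_banner(banner: str) -> tuple[str, str] | None:
    """Extract (product, version) from a banner, or None if unrecognized."""
    for pattern in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            return match.group(1), match.group(2)
    return None


def version_key(version: str) -> tuple[int, ...]:
    """Turn '2.4.29' into (2, 4, 29) so versions compare numerically."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def is_below_baseline(product: str, version: str) -> bool:
    minimum = BASELINE.get(product)
    return minimum is not None and version_key(version) < version_key(minimum)


def assess(banners: dict[int, str]) -> list[Finding]:
    """Compare every recognized banner with the baseline; ordered by port."""
    findings = []
    for port, banner in sorted(banners.items()):
        parsed = parse_banner(banner)
        if parsed and is_below_baseline(*parsed):
            findings.append(Finding(port, parsed[0], parsed[1], BASELINE[parsed[0]]))
    return findings


def scan_host(host: str, ports: tuple[int, ...] = (21, 22, 80, 8080)) -> list[Finding]:
    """Live version: scan the given ports of an in-scope host and assess them."""
    banners = {p: b for p in ports if (b := grab_banner(host, p)) is not None}
    return assess(banners)


# Constructed sample banners so the assessment logic can be run offline.
SAMPLE_BANNERS = {
    21: "220 (vsFTPd 3.0.3)\r\n",
    22: "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n",
    80: "HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\n\r\n",
    8080: "HTTP/1.1 200 OK\r\nServer: nginx/1.22.1\r\n\r\n",
}

if __name__ == "__main__":
    for f in assess(SAMPLE_BANNERS):
        print(f"port {f.port}: {f.product} {f.version} is below baseline {f.minimum}")
```

Run as-is, the script works from the constructed banners and reports the FTP, SSH and Apache services as below baseline while leaving nginx alone; `scan_host()` is the live variant, and it raises rather than scanning if the host is not in the agreed ranges. A version string is only a hint: a backported patch can leave the banner unchanged, so every hit here is a lead to verify in the exploit step, not a confirmed vulnerability, and a dedicated scanner would add many more services and probes than these four patterns.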
The tester should record every step and result of the pen test, including the exact commands and tools used, so that findings can be reproduced and retested after a fix. The main areas that they should concentrate on will be clarified in advance. This way, you have the optimal basis for understanding individual steps and evaluating the situation. Typically, the tester also provides you with an assessment of the most serious risks to your network. Based on these priority lists, you can optimize system protection step by step. ZDNet recommends conducting a penetration test at least once a year that takes newly discovered vulnerabilities and attack methods into account.
The pros and cons of complex security tests
Homogeneous computer structures are a thing of the past. Today’s decentralized IT structures, additionally expanded by directly connecting partners and customers via the internet, can give rise to new vulnerabilities and configuration errors on a daily basis. Software creators can sometimes fix these errors quickly, and sometimes it takes a bit longer. Some programs no longer receive any support at all, and such software should be retired or replaced rather than kept running. Firewalls and anti-virus scanners can protect many vulnerable areas from external attacks, but a single additional error can quickly undo that protection. Security scanners are also useful tools, but ultimately not enough for complex networked systems.
This is where penetration testing comes into its own: On one hand, it examines the systems in much more detail than an ordinary security check; on the other hand, the basic goal of these tests is to check how well individual components work together. If you use an external tester for the pen test, you gain an additional opinion and a different view of the underlying security concept. Professional penetration testers are specially trained and perform just as a hacker would. The results often reveal vulnerabilities in your network that you would have probably never discovered otherwise.
However, working with an external tester also comes with risks. You have to assume that the tester gains deep insight into your internal systems during execution, which is why the data protection clauses of the contract matter. In addition, there is always the possibility that the penetration test will cause damage that cannot be rectified later, even if you perform the test personally. Also, pen tests are not continuous monitoring: each one only provides a snapshot of your network systems at the time it was run, and a change made the next day can open a new hole. Therefore, you should never treat a security architecture as finished simply because it has been optimized on the basis of a penetration test, nor use it as an excuse to pass up on common defensive measures.
In addition, so-called social engineering is generally not part of a traditional penetration test unless it has been explicitly agreed on. Many companies offer training to help their employees combat these human security gaps. You can find more information on this topic in our social engineering article.