The Three Phases of a Penetration Test
Penetration testing is often used as a catch-all for any type of security service performed by an organization. A true penetration test involves three distinct stages that build upon each other: Scanning, Assessing and Penetrating. It is important to understand the differences to ensure a properly scoped and delivered service. InteliSecure provides services around each of these areas.
Discovery refers to the process of identifying known and potential vulnerabilities and/or unpatched or misconfigured systems. Many tools and techniques are used for this process depending on the environment, infrastructure, application and assessment type.
Discovery provides the attack surface of the infrastructure or application, allowing a tester to target potentially weak areas first and to ensure that coverage is as complete as possible.
Assessment takes the information identified through initial discovery and applies manual effort to validate findings and investigate further areas of interest.
Building on the information collected during discovery, assessments include conducting additional checks and validations. Examples include confirming that encryption conforms to current best practices or that application cookies are secured and resist tampering.
When conducting an assessment, InteliSecure reduces false positives by validating results up to the point of potentially penetrating the system. Since this is a manual review of collected information, time is spent validating findings, eliminating false positives and collecting evidence of vulnerabilities within systems for reporting purposes.
Once a vulnerability has been identified and validated, the final stage is exploitation, conducted in accordance with predetermined rules of engagement with a client. This final stage consists of manual attempts to exploit vulnerabilities identified in systems, escalate privileges, gain control of the network and steal sensitive data. This phase shows the real value of a penetration test: it reveals what an attacker could achieve.
Non-Technological Penetration Tests
Penetration tests do not need to be exclusively technological in nature. Additional types of tests include physical and social engineering evaluations.
Physical security assessments attempt to infiltrate an organization’s facilities and information through a variety of means, such as gaining access by evading security measures (e.g. secured doors, motion sensors and checkpoints).
Social engineering relates to coercing individuals within an organization into inadvertently granting access to someone not authorized to have it. Examples of social engineering may include phishing, phone campaigns and impersonation. Social engineering may be a component of a physical security assessment and layered into the approach.