A penetration test (pentest) is an authorized simulated cyberattack that evaluates computer system security by identifying vulnerabilities and potential unauthorized access points. This cybersecurity assessment technique helps organizations discover weaknesses before malicious actors can exploit them.
Core Components and Types
A pentest examines systems through three main approaches: white box testing with full system information provided, black box testing with minimal details shared, or gray box testing using limited target knowledge. The UK National Cyber Security Centre defines this process as mimicking real-world attacks using adversarial tools and techniques.
Testing Objectives
The primary goals focus on:
- Finding exploitable vulnerabilities
- Assessing potential organizational impacts
- Recommending specific mitigation strategies
Testing Methodology
Five Key Phases
- Reconnaissance: gathering critical target information through open-source intelligence.
- Scanning: employing technical tools like Nmap to identify system characteristics.
- Gaining access: using the gathered data to exploit vulnerabilities, often through tools like Metasploit.
- Maintaining access: establishing a persistent presence on the system.
- Covering tracks: removing evidence of the system compromise.
Tools and Frameworks
Popular penetration testing distributions include:
| Operating System | Base Distribution |
|---|---|
| BlackArch | Arch Linux |
| Kali Linux | Debian |
| Parrot Security | Debian |
Historical Development
The concept emerged in the 1960s with the rise of time-sharing computer systems. In 1965, the System Development Corporation hosted one of the first major security conferences where experts requested formal security testing. By 1967, the RAND Corporation and NSA experts formally identified computer penetration as a significant threat.
James P. Anderson, a pioneering security expert, developed the first structured attack methodology in 1971, which included:
- Vulnerability identification
- Attack design
- Testing and execution
- Information exploitation
Modern Standards
Current penetration testing follows established frameworks:
- OSSTMM (Open Source Security Testing Methodology Manual)
- OWASP Testing Guide
- NIST Special Publication 800-115
- ISSAF (Information System Security Assessment Framework)
- PTES (Penetration Testing Execution Standard)
These methodologies ensure consistent, comprehensive security evaluations across different organizations and systems.
Citations:
https://en.wikipedia.org/wiki/Pentest
A penetration test, colloquially known as a pentest, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system; this is not to be confused with a vulnerability assessment. The test is performed to identify weaknesses (or vulnerabilities), including the potential for unauthorized parties to gain access to the system's features and data, as well as strengths, enabling a full risk assessment to be completed.
The process typically identifies the target systems and a particular goal, then reviews available information and undertakes various means to attain that goal. A penetration test target may be a white box (about which background and system information are provided in advance to the tester) or a black box (about which only basic information other than the company name is provided). A gray box penetration test is a combination of the two (where limited knowledge of the target is shared with the auditor). A penetration test can help identify a system's vulnerabilities to attack and estimate how vulnerable it is.
Security issues that the penetration test uncovers should be reported to the system owner. Penetration test reports may also assess potential impacts to the organization and suggest countermeasures to reduce the risk.
The UK National Cyber Security Centre describes penetration testing as: "A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system's security, using the same tools and techniques as an adversary might."
The goals of a penetration test vary depending on the type of approved activity for any given engagement, with the primary goal focused on finding vulnerabilities that could be exploited by a nefarious actor, and informing the client of those vulnerabilities along with recommended mitigation strategies.
Penetration tests are a component of a full security audit. For example, the Payment Card Industry Data Security Standard requires penetration testing on a regular schedule, and after system changes. Penetration testing also can support risk assessments as outlined in the NIST Risk Management Framework SP 800-53.
Several standard frameworks and methodologies exist for conducting penetration tests. These include the Open Source Security Testing Methodology Manual (OSSTMM), the Penetration Testing Execution Standard (PTES), the NIST Special Publication 800-115, the Information System Security Assessment Framework (ISSAF) and the OWASP Testing Guide. CREST, a not-for-profit professional body for the technical cyber security industry, publishes its CREST Defensible Penetration Test standard, which gives the industry guidance for commercially reasonable assurance activity when carrying out penetration tests.
Flaw hypothesis methodology is a systems analysis and penetration prediction technique in which a list of hypothesized flaws in a software system is compiled through analysis of the specifications and documentation for the system. The list of hypothesized flaws is then prioritized on the basis of the estimated probability that a flaw actually exists, and on the ease of exploiting it to the extent of control or compromise. The prioritized list is used to direct the actual testing of the system.
There are different types of penetration testing, depending on the goal of the organization; these include network (external and internal), wireless, web application, social engineering, and remediation verification.