Penetration testing (pen testing), also known as ‘ethical hacking,’ is an important and key step in reducing the risks of a security breach because it helps provide IT staff with an accurate view of the information system from an attackers point of view.
The pen test process results in an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, from both known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. In other words, through pen testing, IT teams find the holes and vulnerabilities and quickly work to fix these areas to prevent attacks.
The one thing that separates a pen tester from an outside malicious attacker is permission to gain entry to the information system. The pen tester will have permission to ‘attack’ and is thereby responsible to provide a detailed report of results found. Examples of a successful penetration would be obtaining confidential documents, identity information, databases and other “protected” information – all without the need for passwords or other security measures.
Pen tests are a component of a full security audit. For example, the Payment Card Industry Data Security Standard (PCI DSS), and security and auditing standard, requires both annual and ongoing pen testing (after system changes).
Pen tests are valuable for several reasons, including:
- Determining the risk associated with a particular set of attack vectors
- Identifying higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence
- Identifying vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software
- Assessing the magnitude of potential business and operational impacts of successful attacks
- Testing the ability of network defenders to successfully detect and respond to the attacks
- Providing evidence to support increased investments in security personnel and technology.
Obviously, there are a variety of ways to secure databases, applications, and networks, as there are many layers and levels to be secured. But the only way to truly assess the security of an environment is through direct testing. A good pen tester can actually replicate the types of actions that a malicious attacker would take, giving IT a more accurate view of the vulnerabilities within a network at any given time. There are a number of high quality commercial tools available, that can be implemented to ensure that both testing parameters and results are high-quality and trustworthy, but nothing replaces a hands-on direct test.
Even so, the quality of pen testing can vary by the skill and thoroughness of the pen tester. Given the limited time available for testing it is impossible to exercise all aspects of an application with all possible attack vectors. This problem is compounded in environments where secure coding practices have started to take root. Often the first phase of secure coding often involves limiting failure feedback to the users to limit the information a hacker has to determine he has discovered a flaw.