
Pentesting in practice


April 24, 2019

By Gyorgy Joseph – Cybersecurity Expert and Penetration Tester at Squad

An essential part of security auditing, pentesting (or intrusion testing) is commissioned by companies to analyze their systems in order to identify vulnerabilities, assess the associated risks, and propose corrective measures. Here is an overview of pentesting and its methodology.

Definition

Pentesting (or penetration testing) is a method that involves analyzing a target by putting yourself in the shoes of an attacker (a malicious hacker). The target can be varied, or even multiple:

  • an IP address,
  • an application,
  • a web server,
  • an entire network.

Why perform penetration testing?

The objectives are clear:

  • Identify vulnerabilities in your IT system or application,
  • Assess the degree of risk for each identified vulnerability,
  • Propose fixes in order of priority.

Penetration testing makes it possible to assess, for each finding, the severity of the vulnerability, the complexity of the fix, and the priority the fix should be given.

The intent is not malicious: the goal is to confirm that these vulnerabilities are real and to get them corrected.


Pentest categories

Penetration tests can be divided into three main categories:

White Box

In a white box test the auditor starts with all the information the IT department holds (architecture, configurations, accounts, and often source code). The search for vulnerabilities then proceeds through technical tests such as looking for open ports, identifying application versions, and so on.
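The two technical tests named above, finding open ports and reading off application versions, reduce to a TCP connect scan followed by banner fingerprinting. The block below is an added example, not code from the original article or from Squad: it starts two constructed services on loopback (an SSH-style and an SMTP-style greeting, labelled as fakes) so that it runs offline, scans them together with a deliberately closed port, and extracts product and version from whatever each open port announces. The banner regexes cover only those two service families; real fingerprinting needs a far larger signature set.

```python
import re
import socket
import threading

# Regexes that pull product and version out of a service's greeting banner.
# They cover the two constructed services below; real fingerprinting needs many more.
BANNER_PATTERNS = {
    "ssh": re.compile(r"^SSH-[\d.]+-(?P<product>[A-Za-z]+)[_ /](?P<version>[\w.]+)"),
    "smtp": re.compile(r"^220 \S+ ESMTP (?P<product>\w+)(?: \((?P<version>[^)]+)\))?"),
}


def start_fake_service(banner: bytes) -> int:
    """Listen on an OS-assigned loopback port and greet every client with `banner`.

    Constructed stand-in for a real daemon so the example runs offline; in a
    real white-box test the targets are the hosts the IT department listed.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def scan_ports(host: str, ports, timeout: float = 2.0) -> dict:
    """TCP connect scan: map each port that accepts a connection to the banner it sent."""
    found = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) != 0:
                continue  # closed or filtered: nothing to fingerprint
            try:
                banner = s.recv(1024).decode("ascii", "replace").strip()
            except OSError:  # no greeting before the timeout, or connection reset
                banner = ""
            found[port] = banner
    return found


def fingerprint(banner: str) -> dict:
    """Identify service, product and version from a greeting banner."""
    for service, pattern in BANNER_PATTERNS.items():
        m = pattern.match(banner)
        if m:
            return {"service": service, "product": m.group("product"), "version": m.group("version")}
    return {"service": "unknown", "product": None, "version": None}


def reserve_closed_port() -> int:
    """Pick a loopback port that is currently free, to show how a closed port scans."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo_scan() -> dict:
    """Bring up two constructed services, scan them plus a closed port, fingerprint the hits."""
    targets = [
        start_fake_service(b"SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n"),
        start_fake_service(b"220 mail.example.test ESMTP Postfix (Debian/GNU)\r\n"),
        reserve_closed_port(),
    ]
    return {port: fingerprint(banner) for port, banner in scan_ports("127.0.0.1", targets).items()}


if __name__ == "__main__":
    for port, info in sorted(demo_scan().items()):
        print(f"{port}/tcp open  {info['service']:<8} {info['product']} {info['version']}")
```

The closed port never appears in the result because `connect_ex` returns a non-zero errno for it; the version strings that do come back are exactly the input a tester then matches against known-vulnerable releases.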

Grey Box

In a gray box test the auditor has partial information about the system being audited; typically they are given a user account.
This lets them put themselves in the shoes of a "normal user" and test what that user could reach or abuse.

Black Box

In a black box test the auditor works under real intrusion conditions: the test is carried out from the outside and the auditor has minimal information about the information system.

This type of test therefore begins by identifying the target:

  • Collection of public information: web pages, employee information, companies that have a trust relationship with the target.
  • Identification of the target's points of presence on the Internet.
  • Network reconnaissance.

When should you perform a penetration test?

In order to secure the infrastructure or application, penetration testing can be performed at different times:

  • during the design of the project, in order to anticipate potential attacks,
  • during the usage phase, at regular intervals,
  • following a cyberattack to prevent it from happening again.

What is the pentester's objective?

The pentester's objectives are therefore several and vary with the context:

  • List the information, obtained by whatever means, that may be sensitive or critical.
  • Draw up a list of vulnerabilities or weaknesses in the security system that could be exploited.
  • Demonstrate that a potential attacker is able to find vulnerabilities and exploit them to break into the information system. Beyond isolated vulnerabilities, a realistic approach looks for an attack path leading from the position of an external attacker to takeover of the IS or to the ability to carry out actions (espionage, sabotage, etc.).
  • Test the effectiveness of intrusion detection systems and the responsiveness of the security team, and sometimes of users (social engineering).
  • Provide a final report and a presentation of the progress and findings to the client.
  • Provide guidance and advice on how to resolve and correct the discovered vulnerabilities.

From IT security audits to penetration testing

A security audit is broader than a penetration test. It examines the organization's overall security: the disaster recovery plan (DRP), data loss prevention (DLP), compliance with the requirements of a standard (e.g., PCI DSS) or a reference framework, a configuration audit, a code audit, and finally a risk analysis (EBIOS, MEHARI, MARION).

A security audit is carried out in several phases, one of which is penetration testing.

A security audit evaluates the security of a system or application against a set of standards, generally made up of the company's IT security policy, applicable legislation, standards, reference frameworks, or current best practices.

Penetration testing evaluates security not against standards but against the attack techniques actually in use at a given point in time.