A penetration test (often called a “pentest”) is the act of attacking an IT infrastructure (computers, network devices, applications) with the intention of finding security weaknesses to potentially access the system, its features or data. Compared to a vulnerability assessment, the pentester will try to exploit the discovered vulnerabilities, like a real attacker.
A pentest is conducted using the same tools and techniques used by real attackers but it happens within a legal context where a contract has been signed between the pentester and the company that owns the infrastructure and its data. This contract defines when the tests can be performed and a fixed scope which describes what can be tested. Classic items in a scope are:
- Networks (a DMZ, an internal VLAN)
- Critical services (DNS, Email, remote access)
- People (read more about [Social Engineering])
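The scope and the testing window are contractual limits, so a tester's own tooling should refuse to touch anything outside them. The following is an added example, not code from the original article: a small scope check in Python that accepts a target only if it falls inside the contracted networks or host list and the current time lies within the agreed window. The scope values (TEST-NET address ranges, `example.com` hostnames, the time window) are constructed placeholders, not a real engagement.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed example scope (placeholder values, not a real engagement): the
# networks and named services the contract allows to be tested, plus the
# agreed testing window in UTC.
SCOPE = {
    "networks": ["203.0.113.0/24", "198.51.100.0/25"],
    "hosts": ["dns.example.com", "mail.example.com", "vpn.example.com"],
    "window_utc": ("2024-03-04T22:00:00", "2024-03-05T06:00:00"),
}


def _networks(scope):
    # strict=True rejects a sloppy entry such as "203.0.113.5/24" so a typo
    # in the scope file cannot silently widen what is allowed.
    return [ipaddress.ip_network(n, strict=True) for n in scope["networks"]]


def target_in_scope(target, scope=SCOPE):
    """True if `target` (an IP address or a hostname) is covered by the contract."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Not an IP literal: treat it as a hostname and compare case-insensitively.
        return target.lower() in {h.lower() for h in scope["hosts"]}
    return any(addr in net for net in _networks(scope))


def _as_utc(when):
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when.astimezone(timezone.utc)


def within_window(when, scope=SCOPE):
    """True if `when` (ISO-8601 string or datetime) lies inside the agreed window."""
    start, end = (_as_utc(t) for t in scope["window_utc"])
    return start <= _as_utc(when) <= end


def may_test(target, when, scope=SCOPE):
    """Both contractual conditions must hold before any test activity starts."""
    return target_in_scope(target, scope) and within_window(when, scope)


if __name__ == "__main__":
    for t, w in [("203.0.113.42", "2024-03-05T01:00:00"),
                 ("203.0.114.1", "2024-03-05T01:00:00"),
                 ("vpn.example.com", "2024-03-05T12:00:00")]:
        print(t, w, "allowed" if may_test(t, w) else "REFUSED: out of scope or window")
```

Keeping the scope in one data structure that every tool consults, rather than in each tester's head, is what turns the contract into an enforced control; the same structure can later be attached to the report to show exactly what was and was not covered.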
A pentest can be performed in three different contexts. A “black-box” test is a test with zero knowledge of the target platform. A “grey-box” test is performed with more access to the infrastructure (e.g. credentials to log on to a customer portal); the goal is to test what an authenticated user can do. Finally, a “white-box” test is performed with full knowledge of the platform (access to the configurations, architecture, source code).
A clear scope will help to estimate the time required to perform the pentest and will help to keep costs under control. A typical pentest contains the following steps:
- Pre-engagement interactions
- Post exploitation
- Reporting (documentation)
The documentation is a key element of the project. This deliverable gives the customer a clear view of the findings and, most importantly, guidance on how to fix them. The findings are always placed in the customer's business context and are classified using a matrix like this one:
Why perform a pentest of your infrastructure? Companies want an external opinion about their security level, or need one for compliance reasons. Keep in mind that a pentest is only a snapshot of an infrastructure taken at a time “t”. It must be part of a global security program.