The 5 Phases of Penetration Testing You Should Know
Hardly a day goes by without enterprise data breaches and ransomware attacks making headlines, in the region or globally. Often, the breach has already happened well before management acknowledges the incident. By then, the compromised data is already being sold or exposed on the dark web.
Organisations are now fully aware that running a business operation – especially when handling customer data – requires comprehensive security assessments. These measures are no longer just nice to have, but a necessity. It’s not only the burden of bearing hefty penalties that puts the onus on organisations to firm up their security controls and tighten the systems handling sensitive data. It’s also the prospect of losing customer and stakeholder trust, plus losing their competitive edge, that keeps them on their toes.
In Singapore, the Personal Data Protection Commission (PDPC) highlights the importance of regular vulnerability assessments in protecting the personal data under an organisation’s management. Whether the aim is to discover the security vulnerabilities lurking in IT systems or to gauge the security resilience of those systems, there are two approaches that organisations may harness: vulnerability assessment and penetration testing. Before we go into the 5 phases of penetration testing, let’s take a quick look at these two approaches.
Vulnerability assessment is non-intrusive and aims to produce a prioritised list of security vulnerabilities. To pinpoint potential flaws that may be exploited during an attack, automated and manual scans are carried out on the organisation’s IT systems or network. This systematic but non-intrusive approach allows the organisation to choose which critical vulnerabilities to address first, given the resources at hand.
On the flip side, penetration testing takes an intrusive approach to identifying security vulnerabilities in an organisation’s IT infrastructure and applications. Penetration testers try to exploit known security weaknesses to gain access to the IT infrastructure and applications. Doing this simulates a real attack and helps gauge how robustly the company’s infrastructure safeguards sensitive information.
The 5 phases of penetration testing
There are 5 phases of penetration testing, the insights of which can be leveraged to improve your organisation’s security policies and fix detected vulnerabilities.
1. Planning and reconnaissance
This first phase involves defining the scope and goals of the test, including the systems to be tested and the testing methods to be used. It also includes collecting intelligence (network and domain names, mail servers, etc.) to better understand how a target operates as well as its potential weaknesses.
By gathering all the information necessary to kick off the penetration test, the tester can better plan the simulated attack. Gathering can be done actively, by directly interacting with the target system, or passively via an intermediary.
2. Scanning
The second phase goes deeper than the initial gathering stage: testers attempt to understand how the target application will react to various intrusion attempts. Usually, this is accomplished using:
- Static analysis – inspecting an application’s code without running it, to predict how it will behave at runtime. These tools can scan the code in its entirety in a single pass.
- Dynamic analysis – examining an application’s code while it is running. Of the two, this is considered the more practical way of scanning, as it offers a real-time view of how the application actually behaves.
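The difference between the two kinds of analysis is easiest to see on a concrete flaw the article names later, SQL injection. The following is an added example and not code from the original article: a constructed `find_user` function is first inspected statically (its source is parsed, never run, and `execute()` calls that assemble SQL at runtime are flagged) and then probed dynamically against an in-memory SQLite database to confirm whether a quote-breaking input actually alters the query.

```python
import ast
import sqlite3

# Constructed sample under review (not from the original article): the SQL is
# built by string concatenation, the pattern behind SQL injection.
VULNERABLE_SRC = '''
def find_user(cur, name):
    cur.execute("SELECT id FROM users WHERE name = '" + name + "'")
    return cur.fetchall()
'''

# The same function written with a parameterised query, for comparison.
SAFE_SRC = '''
def find_user(cur, name):
    cur.execute("SELECT id FROM users WHERE name = ?", (name,))
    return cur.fetchall()
'''

def static_scan(source):
    """Static analysis: parse the code without running it and return the line
    numbers of execute() calls whose SQL text is assembled at runtime."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        is_execute = (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                      and node.func.attr == "execute" and node.args)
        if not is_execute:
            continue
        sql = node.args[0]
        # Concatenation, f-strings and str.format() all build the SQL from input.
        built_at_runtime = isinstance(sql, (ast.BinOp, ast.JoinedStr)) or (
            isinstance(sql, ast.Call) and isinstance(sql.func, ast.Attribute)
            and sql.func.attr == "format")
        if built_at_runtime:
            hits.append(node.lineno)
    return hits

def dynamic_probe(source):
    """Dynamic analysis: run the code against an in-memory database and observe
    whether a quote-breaking input changes the result set."""
    namespace = {}
    exec(source, namespace)  # load the function under test
    con = sqlite3.connect(":memory:")
    cur = con.cursor()
    cur.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    cur.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    normal = namespace["find_user"](cur, "alice")
    probe = namespace["find_user"](cur, "x' OR '1'='1")  # no user has this name
    con.close()
    # A correct implementation returns no rows for the probe; extra rows mean
    # the input changed the query's logic.
    return {"normal_rows": len(normal), "probe_rows": len(probe), "injectable": len(probe) > 0}
```

The static pass only predicts a problem from the code's shape; the dynamic pass shows the vulnerable version returning every user for the probe while the parameterised version returns none.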
3. Exploitation or getting access
In the third of the 5 phases of penetration testing, web application attacks (e.g. cross-site scripting, SQL injection and backdoors) are launched to expose the target system’s weaknesses. Testers then attempt to exploit these weaknesses, typically by escalating privileges, stealing information, intercepting traffic, and more, to understand the extent of damage an attacker could potentially cause.
4. Retaining access
In the fourth of the 5 phases of penetration testing, the objective is to check whether the vulnerability can be used to establish a persistent presence in the exploited network – long enough for a potential bad actor to gain in-depth access. The idea is to mimic advanced persistent threats, which typically stay in a system for several months in order to acquire an organisation’s most sensitive data.
5. Covering tracks and generating analysis
The last of the 5 phases of penetration testing is all about compiling the results of the test into a report. The report details the following:
- Specific weaknesses that were exploited
- Sensitive information that was accessed
- The length of time the pen tester was able to remain in the system undetected
The 5 phases of penetration testing are all equally important in the evaluation of a system’s readiness and security against a potential attack. It is to an organisation’s advantage to do this regularly, the frequency of which will depend on the company’s risk appetite as well as the type of sensitive information kept in their system.