Understanding Penetration Testing and how it can save your company from disaster

Sep - 07
2018


whl

First and foremost, it is important to understand that your developers did not necessarily build an insecure application, system or network because of a lack of skill. More often, developers are focused on delivering a well-functioning application that meets the needs of the business, and not necessarily on the security risks associated with cyber-attacks. Just like in any other industry, one cannot be a master of all.

A Penetration Test is not an actual cyber attack on your servers but a simulation of one. So, you can rest easy knowing that it will have no effect on your company or your customers. It is a manual and/or automated test that simply checks for any vulnerabilities that are exploitable by cyber criminals, also known as “hackers”.

Many cyber attacks can be prevented before they occur or stopped after the incident occurs. Now that you’ve stopped sweating, let’s get into it…

In the context of web application, system and network security, penetration testing is commonly used to test the defenses of your system, such as the firewall, web application firewall (WAF), IPS/IDS, and web, FTP and VPN servers, and to check that those tools are properly configured.

Penetration testing involves stress testing any number of application systems, such as APIs, frontend/backend/database servers, third-party integrations, and any other network or system capacities, to discover vulnerabilities that can be used to damage the digital property or obtain unauthorized access.

How does Penetration Testing work exactly?
The penetration testing process can be broken down into the following steps:

1. Pre-Engagement – Define Goals, Scope and Methods for the test
1.1. Identify the target: IP addresses, servers, systems and applications to be tested
1.2. Gather any information from you about the target

2. Intelligence gathering – Gathering data about the target from publicly available sources
2.1. At this stage we want to put ourselves in the shoes of the system intruder and collect as much publicly available information about the target as possible

3. Threat Modelling – Business Asset & Process Analysis
3.1. Attack Motivation Modelling – find the motives for intruders to compromise the system and identify valuable assets

4. Vulnerability Analysis – research and discovery of security issues in the target application
4.1. Take the steps necessary to inspect all of the application’s interfaces to see where vulnerabilities may exist. The search is done both manually and with automated tools

5. Exploitation – Establishing access to system assets by bypassing security controls
5.1. This step involves simulating an intruder bypassing the security controls in place to get access to valuable data assets

6. Post Exploitation
6.1. Determining the value of compromised assets
6.2. Maintain access to compromised assets

7. Reporting – risk assessment of each vulnerability & exploit, with recommendations on fixing them
7.1. Compile the findings into a report that categorizes each vulnerability derived from simulated attacks
7.2. Present the report to you with an explanation of the business risks and ways to remediate them

8. Remediation – work with your developers to fix the vulnerabilities in the system

9. Re-test – re-test the system to ensure that the vulnerabilities have been patched and the same exploits cannot be used again

Rest assured that most attacks are preventable by simply being prepared. It is important to note that your company has a legal, financial and social obligation to prevent cyber attacks. Cyber criminals do not care whether you are a retail store, a financial or payment system, or simply a geo-enabled social network. They are always looking to expose your company information or damage your company reputation at any time. Penetration testing is a preventive measure that will help you avoid being hacked.