The first rule of penetration testing agreed upon by all authorities is that it’s only useful after basic security measures have been put in place. The testing has to form a part of an ongoing plan for managing and improving an organization’s security plans.
Effective penetration testing is typically incorporated into a rigorous Risk Management Framework as part of a larger, ongoing security process.
There are four fundamental categories for penetration testing:
1) Whitebox Testing
Whitebox testing starts by equipping testers with comprehensive knowledge of the systems they’re testing. They understand the design, configuration, addressing, and in some cases even the source code of the security system before attempting to break it. The value of a whitebox penetration test is that it simulates a worst-case scenario where the organization is attacked by antagonists who have an intimate understanding of the security system.
2) Blackbox Testing
Blackbox testing is the most archetypal form of penetration testing. Here, the tester is attempting to impersonate a hacker without any knowledge of the system being tested outside of the experiential information an attacker would gather in the course of attempting to crack the system. The purpose of blackbox testing is to identify exploitable weaknesses that any outside party could take advantage of, with a particular emphasis on uncovering security threats that derive from whatever information an organization makes public.
3) Graybox Testing
As suggested by its name, graybox testing is intended to fall between whitebox and blackbox penetration testing. Testers are given a sampling of “inside” information in order to begin their attack. Typical information provided includes IP addressing information, network diagrams, and basic user-level access. Here, the purpose of the exercise is to simulate specific insider threats. Graybox penetration testing reveals what sort of vulnerabilities a trusted member of the organization could exploit with malicious intent.
4) Red Team / Blue Team Testing
The Red Team/Blue Team name is borrowed from the military, and the security testing it describes is broadly analogous to a wargame. Red Team testing involves both a penetration team attempting to break a security system and an IT team actively diagnosing and opposing their efforts. Because it concentrates on an organization’s responses to security threats, proper Red Team testing delivers a comprehensive review of an organization’s information security. It tests security procedures, detection abilities, incident handling, physical security, and more. Full Red Team testing frequently opens up every possible avenue of attack as “fair game” to identify even the most unanticipated “left field” vulnerabilities.
If you want to read more deeply into this, take a look here.
However your organization chooses to implement penetration testing, these eight tips are broadly applicable and help ensure that your testing process is effective:
1) Test regularly from both outside the network (e.g. attacks through the internet or the organization’s wireless communications) and inside the network. Proper penetration testing can and should simulate both outside and insider threats.
2) Special accounts (user, admin, or system) created for penetration testing need to be subjected to an extreme level of scrutiny and control. Their purposes should be firmly defined and all activity on them should be checked for legitimacy. Penetration testing accounts should be removed or restored to normal once testing is complete.
3) Include Red Team exercises in the testing schedule in order to assess organizational effectiveness at identifying and stopping attacks. Red Team testing exposes and quantifies how an organization responds to security threats, one of the most difficult qualities to assess in information security.
4) Thorough penetration testing should include compromising system information and the sort of artifacts that might give attackers insight into security procedures. Examples include network diagrams, reports from older security tests, configuration files, documents containing passwords, and other sorts of system-critical information.
5) Penetration tests need clear goals. Testers should be assigned a target asset or a specific machine to attempt to compromise. To be truly realistic, testers need to be free to orchestrate “blended” attacks which combine multiple techniques. Web and network exploitation, for instance, might be combined with social engineering. Testing that incorporates multi-vector and pivoted attacks delivers a truly accurate portrayal of the risks an organization faces and how it would respond to their exploitation.
6) Penetration testing should be combined with vulnerability scanning for maximum effectiveness. The results of vulnerability scanning should be used to guide future penetration testing.
7) Construct a consistent scoring system for Red Team tests so that the results of multiple tests can be compared.
8) Include production environments in penetration testing. Make sure to test the security of control processes like supervisory access and data acquisition to expose vulnerabilities that might otherwise pass unnoticed.
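An added example, not from the original article, of the control described in tip 2: a small Python audit that checks a register of accounts created for a test for a stated purpose and owner, flags accounts whose testing window has passed so they can be removed or restored, and checks their login activity against the agreed host scope and window. The account names, hosts and log entries are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class TestAccount:
    name: str
    purpose: str           # why the account exists (ticket, engagement)
    owner: str             # person accountable for the account
    expires: datetime      # end of the agreed testing window
    scope: frozenset       # hosts the account may legitimately be used on

@dataclass(frozen=True)
class LoginEvent:
    user: str
    host: str
    when: datetime

def audit_test_accounts(accounts, events, now):
    """Return (account, issue) pairs for every control violation found."""
    findings = []
    by_name = {a.name: a for a in accounts}
    for acct in accounts:
        if not acct.purpose.strip() or not acct.owner.strip():
            findings.append((acct.name, "missing purpose or owner"))
        if acct.expires <= now:  # window over but account still exists
            findings.append((acct.name, "testing window over: remove or restore account"))
    for ev in events:
        acct = by_name.get(ev.user)
        if acct is None:
            continue  # not a test account; outside this audit
        if ev.host not in acct.scope:
            findings.append((acct.name, f"login on out-of-scope host {ev.host}"))
        if ev.when > acct.expires:
            findings.append((acct.name, f"login after expiry at {ev.when.isoformat()}"))
    return findings

# Constructed sample data (hypothetical accounts, hosts and log entries).
UTC = timezone.utc
ACCOUNTS = [
    TestAccount("pt-web-01", "web app test, ticket SEC-123", "alice",
                datetime(2024, 3, 15, tzinfo=UTC), frozenset({"web1", "web2"})),
    TestAccount("pt-admin-02", "", "bob",
                datetime(2024, 3, 1, tzinfo=UTC), frozenset({"jump1"})),
]
EVENTS = [
    LoginEvent("pt-web-01", "web1", datetime(2024, 3, 5, tzinfo=UTC)),    # in scope
    LoginEvent("pt-web-01", "db1", datetime(2024, 3, 6, tzinfo=UTC)),     # out of scope
    LoginEvent("pt-admin-02", "jump1", datetime(2024, 3, 3, tzinfo=UTC)), # after expiry
    LoginEvent("svc-backup", "db1", datetime(2024, 3, 6, tzinfo=UTC)),    # not a test account
]
NOW = datetime(2024, 3, 10, tzinfo=UTC)

def run_sample():
    return audit_test_accounts(ACCOUNTS, EVENTS, NOW)
```

Running the audit on each day of the engagement, and once more after it closes, is what turns tip 2 into a repeatable check rather than a one-off reminder.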