Overview of Penetration Testing

Penetration testing is a fundamental way to assess the security of an IT system, but it should not be relied on as the sole solution.

This guidance aims to equip you with the knowledge necessary for the appropriate commissioning and application of penetration tests. It also assists in planning your ongoing security measures, enabling you to maximize the value derived from this significant yet costly operation.

Understanding Penetration Testing

For the context of this discussion, penetration testing is described as: “A technique for obtaining assurance regarding the security of an IT system through attempts to breach that system’s defenses, employing tools and tactics an adversary may use.”

It is important to regard penetration testing as a means to enhance your organization’s vulnerability assessment and management processes, rather than the primary approach to discovering vulnerabilities.

Think of a penetration test as akin to a financial audit. Your finance department monitors daily transactions, while an external audit verifies the effectiveness of the internal procedures.

Optimal Practices in Penetration Testing

Ideally, you should anticipate the vulnerabilities penetration testers will uncover before their findings are disclosed. By having a solid grasp of your system’s vulnerabilities, you can utilize external testing to confirm your assessments.

While highly skilled penetration testers may uncover nuanced issues not detected by your internal processes, this should remain atypical. Always aim to leverage a penetration test report to refine your organization’s internal vulnerability assessment and management strategies.

Insights from a Penetration Test

Penetration tests typically aim to ascertain the level of technical risk stemming from software and hardware weaknesses. The specific techniques used, the targets permitted, the prior knowledge afforded to testers, and the information shared with system administrators can vary within different testing frameworks.

A well-defined penetration test can instill confidence that the evaluated products and security mechanisms are properly configured according to established best practices and that no widely recognized vulnerabilities are present in the assessed components, at the time of testing.

Which Systems Are Suitable for Testing?

Penetration testing is suitable for identifying risks in operational systems that incorporate products and services from multiple vendors. It can also be effective for internally developed systems and applications.

However, it is not ideal for testing specific products.

Effective Utilization of Penetration Testing

A penetration test can validate that your organization’s IT systems are not susceptible to known vulnerabilities on the day of testing.

It’s not unusual for a year or more to pass between penetration tests, leaving potential vulnerabilities unidentified for extended durations if this is your sole validation approach.

Only qualified and experienced personnel should execute third-party penetration tests. Given that penetration tests cannot be entirely procedural, and an exhaustive set of testing scenarios is unobtainable, the quality of a penetration test heavily relies on the expertise of the testers.

The NCSC recommends that organizations within HMG utilize testers and firms that participate in the CHECK scheme.

Varieties of Testing

Penetration testers can provide a diverse array of testing types. The following list is representative but not exhaustive.

Important Considerations

For scenarios necessitating additional assurance, a specifically tailored penetration test may be beneficial. A qualified penetration testing team can guide you throughout the selection and scoping process in such cases.

Establishing Your Testing Regimen

It is crucial to recognize that planning a penetration test does not warrant the suspension of regular security testing on the target system. Functional testing of security measures should still be conducted.

Evaluating whether defined security mechanisms are operational is not a productive allocation of penetration testing resources.

A functional testing plan should encompass positive tests (e.g., confirming the logon interface appears correctly each time a login is attempted).

Negative testing may form part of your functional testing strategy where applicable expertise exists within your organization (for instance, ensuring that a correct password is necessary for login).

Framework for Penetration Test Engagement

A standard penetration test typically includes phases such as initial engagement, scoping, testing, reporting, and follow-up, with severity ratings assigned to any identified issues.

This model presumes that:

  1. you seek to understand the impact of an attacker exploiting a vulnerability and the likelihood of that occurring.
  2. you possess an internal vulnerability assessment and management procedure.

Engaging the External Testing Team

Ensure that the external testing team has the requisite qualifications and skills to assess your IT environment. Highlight any unique systems or requirements (e.g., mainframes, atypical networking protocols, bespoke hardware) during the bidding process so that the teams understand what expertise will be essential.

Article has been taken from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/penetration-testing
