Penetration Testing has many definitions.

  • A penetration test, or sometimes pentest, is a software attack on a computer system that looks for security weaknesses, potentially gaining access to the computer’s features and data. This is according to Kevin M. Henry, Penetration Testing: Protecting Networks and Systems, IT Governance Ltd, ISBN 978-1-849-28371-7.
  • “A penetration test can determine how a system reacts to an attack, whether or not a system’s defenses can be breached, and what information can be acquired from the system.” This quote is from: The CISSP® and CAPCM Prep Guide: Platinum Edition. John Wiley & Sons. ISBN 978-0-470-00792-1.
  • Penetration testing is the process of attempting to gain access to resources without knowledge of usernames, passwords and other normal means of access. If the focus is on computer resources, then examples of a successful penetration would be obtaining or subverting confidential documents, price lists, databases and other protected information. As per the SANS Institute, the reality is there are many reasons for conducting a penetration test. Aside from the obvious one of seeing whether your infrastructure is impenetrable, there is also the added value of finding out where you have weaknesses before an ‘attacker’ does.

There are two main approaches to penetration testing.

  • External – Can anyone get into my infrastructure from outside of the organization?
  • Internal – Can my employees gain access to areas they are unauthorized to access, even elevating their access credentials?

Both are important, but a tester must know which one they are testing for the test to be beneficial.

Find out from the client what their main concerns are. Is it the network, systems, applications or other? Are they more concerned with PCI (according to PCI, “If you are a merchant of any size accepting credit cards, you must be in compliance with PCI Security Council standards”) and PHI (Protected Health Information, as per the Health Insurance Portability and Accountability Act of 1996 (HIPAA))? Depending on the client, the responses will be very different.

According to SANS, “some penetration testers are contracted to find one hole, but in many cases, they are expected to keep looking past the first hole so that additional vulnerabilities can be identified and fixed. It is important for the pen-tester to keep detailed notes about how the tests were done so that the results can be verified and so that any issues that were uncovered can be resolved.”

Preparation is key to a great penetration test.

  • What are you testing?
  • Internal or External testing?
  • A clear understanding of the expected areas to cover. Specifically what servers, etc.
  • Detailed notes outlining a Statement of Work
  • Approvals
  • Etc.

Wishing you the best in your Penetration Test!