Penetration testing is a great way to identify the vulnerabilities that exist in a system or network that has existing security measures in place. It usually involves the use of attacking methods conducted by trusted individuals that are similarly used by hostile intruders or hackers.
Depending on the type of test that is conducted, this may involve a simple scan of IP addresses to identify machines that are offering services with known vulnerabilities or even exploiting known vulnerabilities that exist in an unpatched operating system.
Penetrations testing is used to find flaws and vulnerabilities in the system in order to take appropriate security measures to protect the data and maintain functionality.
The objectives of penetration testing are :
- To address the flaws, loopholes, and vulnerabilities in applications, systems, and networks.
- To protect the data.
- To ensure authorized access only.
- To address the vulnerabilities of the system in advance before they can be utilized by unauthorized users.
- To protect the resources.
Penetration testing works by creating an imitated environment that is to create an environment that may be used by an intruder to access the valuable data. Penetrations testing is systematic testing which simulates a security attack that may be performed by the intruders later on.
Therefore, penetration testing is preventive not detective.
It also helps in assisting the higher management in decision-making processes. The management of an organization might not want to address all the vulnerabilities that are found in a vulnerability evaluation but might want to address its system weakness that is found through a penetration test.
Types of Penetration Testing
1. Internal Penetration Testing
2. External Penetration Testing
1. Internal Penetration Testing
Internal penetration testing provides protection from internal threats and ensures that internal users privileges cannot be misused. Usually, organizations rely on the first line of defense to prevent compromise.
An attack may occur through a communication channel, as a result of human error or a software defect in the perimeter.
At this point, the security level of each system adjacent to the compromised host will determine the degree to which the attacker can further penetrate the infrastructure.
Testing is performed on critical systems in the DMZ (Demilitarized Zone) or on the internal network using black box technique.
Testing of the corporate user network may also identify the impact of poor access control, and help to mitigate the impact of a malicious or disgruntled employee.
2. External Penetration Testing
External penetration testing consists of a review of vulnerabilities that could be exploited by external users without credentials or the appropriate rights to access a system.
The assessment will show whether there has been a Return on Investment (ROI) of existing implemented security controls, such as firewalls, intrusion detection, and prevention systems, or implemented applications defenses.
Security – Assessment staff take on the role of an external attacker and attempt to exploit vulnerable systems to obtain confidential information compromise the network perimeter.
One builds scenario utilizing the compromised system as a pivot point to further penetrate the network infrastructure, to demonstrate the potential impact of a successful compromise.