Inside IT: What Really Goes Into a Penetration Test

You think your business is safe, but is it really? The only way to really know whether your servers will resist an internal or external attack is to do a penetration test.

Step 1: Do A Comprehensive Network Assessment

The first step is to do a penetration test, sometimes referred to simply as a “pen test.” A pen test is a simulated attack carried out against your company’s servers or other systems.

Sometimes, a security analyst will want to test both internal and external systems, meaning that you will be attacked from within and externally.

Many companies, however, choose to stick to an external threat assessment only. A comprehensive test utilizes both internal and external testing so that all vulnerabilities can be exposed. This external-to-internal pivot method provides good insights into the effectiveness of your company’s layers of security.

If an external phishing attempt, for example, on a single user is ineffective, will another attack from the inside be more effective? If a security analyst can gain access by tricking one employee, will he be able to leverage that exploit to gain access to administrator-privileged areas?

This kind of assessment will tell you how effective your layers of security are.

Step 2: Plan And Structure For Tests

You should treat a pen test just like you would any other technical system rollout. Get your project manager up to speed on what will happen, what will be required from him or her, and the general procedure (which you can obtain from the security analyst doing the test).

Step 3: Do Upfront Planning

Most companies, Sec-Tec among them, stress the need for upfront planning, particularly of time. Even with the right resources dedicated to the testing procedure, pen testing requires upfront time to plan out the details of the test, align the goals with management, and review and provide all the details the testing team requires.

You should pay special attention to the pen test team’s pre-test process and request for information. For example, when IP addresses are requested, make sure that you provide them all or some ranges will be missing test coverage and you won’t get an accurate test result.
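The point about missing IP ranges is easy to check before the test starts. The following added example (not tooling from the article or from any firm it mentions) reconciles a constructed asset inventory against the scope list as it might have been sent to the testers: it reports hosts that no range covers, the overall coverage fraction, and scope ranges that contain none of your assets, which usually means a mistyped range. All addresses are documentation-reserved values constructed for the example.

```python
"""Scope reconciliation for a pen test: which inventory hosts fall outside
the IP ranges handed to the testers? Added example with constructed data."""
import ipaddress
from typing import Dict, List

# Constructed inventory (documentation-reserved addresses, not real hosts).
INVENTORY: Dict[str, str] = {
    "web-01": "203.0.113.10",
    "web-02": "203.0.113.11",
    "vpn-gw": "203.0.113.254",
    "mail-01": "198.51.100.5",
    "fileserver": "10.20.30.40",
    "hr-portal": "10.20.31.12",
}

# Constructed scope list, as it might have been sent to the test team.
SCOPE_RANGES: List[str] = [
    "203.0.113.0/25",   # only .0-.127: the VPN gateway at .254 is left out
    "198.51.100.0/24",
    "10.20.30.0/24",    # the 10.20.31.0/24 segment is left out entirely
]


def parse_ranges(ranges: List[str]):
    """Turn CIDR strings (or bare addresses) into network objects.
    strict=False tolerates host bits set in a range such as 10.20.30.40/24."""
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def uncovered_assets(inventory: Dict[str, str], scope_ranges: List[str]) -> Dict[str, str]:
    """Return {hostname: ip} for every inventory entry no scope range contains."""
    nets = parse_ranges(scope_ranges)
    missing: Dict[str, str] = {}
    for host, ip_str in inventory.items():
        ip = ipaddress.ip_address(ip_str)
        # `ip in net` is False when the address families differ, so a mixed
        # IPv4/IPv6 inventory needs no special casing.
        if not any(ip in net for net in nets):
            missing[host] = ip_str
    return missing


def coverage_ratio(inventory: Dict[str, str], scope_ranges: List[str]) -> float:
    """Fraction of inventory hosts that at least one scope range covers."""
    if not inventory:
        return 1.0
    return 1 - len(uncovered_assets(inventory, scope_ranges)) / len(inventory)


def ranges_without_assets(inventory: Dict[str, str], scope_ranges: List[str]) -> List[str]:
    """Scope ranges that contain none of the inventory: often a mistyped
    range, and worth rechecking before the tester starts."""
    ips = [ipaddress.ip_address(v) for v in inventory.values()]
    return [str(n) for n in parse_ranges(scope_ranges)
            if not any(ip in n for ip in ips)]


if __name__ == "__main__":
    print(f"coverage: {coverage_ratio(INVENTORY, SCOPE_RANGES):.0%}")
    for host, ip in uncovered_assets(INVENTORY, SCOPE_RANGES).items():
        print(f"NOT IN SCOPE: {host} ({ip})")
    for rng in ranges_without_assets(INVENTORY, SCOPE_RANGES):
        print(f"RANGE WITH NO KNOWN ASSETS: {rng}")
```

Run against the constructed data it reports two hosts the testers would never touch (the VPN gateway and the HR portal) and 67% coverage; the same check against a real CMDB export is the one to do before returning the scope sheet.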

Step 4: Create A Communication Plan

Communication is important. If the test involves social engineering, decide who will be involved in the test.

Social engineering is a non-technical test protocol. Analysts will attempt to gain access to your system by manipulating employees, vendors, or anyone else who has access to your building, office, or plant. Testing may involve something as innocuous as posing as IT staff, management, or a rank-and-file employee, to something more devious like manipulating employee property to gain access to your company’s systems.

Step 5: Explore “What If” Scenarios

There are many ways that gaps and holes in your security can appear. A pen test is a great way to find them. Use this time to try various “what if” scenarios. A good pen test will always be able to find vulnerabilities. What you should be looking for are weak points – things to work on.

Step 6: Monitor The Plan

Monitor your plan during the testing procedure. While the test is being done by an external team to test layered defences, you should be documenting which systems, sensors, and teams triggered alerts.
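The documentation described here is most useful when it is reconciled against the tester's own activity log afterwards: for each thing the testers did, which sensor fired, which team received it, and how long it took. The following added example (not from the article) does that correlation over a constructed tester timeline and a constructed alert export in a simple key=value line format; the sensor names, rule names and the 60-minute matching window are all assumptions of the example.

```python
"""Correlate a tester's activity timeline with the alerts your sensors raised,
to record what was detected, by which sensor and team, and how quickly.
Added example; all timeline and log data below is constructed."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed: the tester's own log of what they did, shared after the test.
TESTER_TIMELINE = [
    # (UTC start, activity, source IP, target IP)
    ("2024-03-12T09:02:00Z", "external port sweep", "203.0.113.77", "203.0.113.10"),
    ("2024-03-12T09:40:00Z", "password spraying against VPN", "203.0.113.77", "203.0.113.254"),
    ("2024-03-12T11:15:00Z", "admin share access from workstation", "10.20.31.12", "10.20.30.40"),
]

# Constructed alert export (hypothetical sensors and rule names).
ALERT_LOG = """\
2024-03-12T09:03:14Z sensor=perimeter-ids rule="inbound port sweep" src=203.0.113.77 dst=203.0.113.10 team=SOC
2024-03-12T10:20:05Z sensor=edr rule="office macro spawned shell" src=10.20.31.12 dst=10.20.31.12 team=SOC
2024-03-12T11:52:30Z sensor=fileserver-audit rule="admin share mounted" src=10.20.31.12 dst=10.20.30.40 team=IT-ops
"""

ALERT_RE = re.compile(
    r'^(?P<ts>\S+) sensor=(?P<sensor>\S+) rule="(?P<rule>[^"]*)" '
    r'src=(?P<src>\S+) dst=(?P<dst>\S+) team=(?P<team>\S+)$'
)


def parse_ts(s: str) -> datetime:
    """Timestamps are UTC with a trailing Z; parsed as naive UTC datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_alerts(text: str) -> List[Dict]:
    """Parse the export into dicts; lines not matching the format are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = parse_ts(rec["ts"])
        alerts.append(rec)
    return alerts


def detection_coverage(timeline, alerts, window=timedelta(minutes=60)) -> Tuple[List[Dict], List[Dict]]:
    """For each tester activity, find the earliest alert with the same src/dst
    raised within `window` after the activity started. Each alert is claimed by
    at most one activity. Returns (per-activity results, unclaimed alerts)."""
    alerts = sorted(alerts, key=lambda a: a["ts"])
    results: List[Dict] = []
    claimed = set()
    for start, activity, src, dst in timeline:
        t0 = parse_ts(start)
        hit = None
        for i, a in enumerate(alerts):
            if i in claimed or a["src"] != src or a["dst"] != dst:
                continue
            lag = a["ts"] - t0
            if timedelta(0) <= lag <= window:
                hit = (i, a, lag)
                break
        if hit:
            i, a, lag = hit
            claimed.add(i)
            results.append({"activity": activity, "detected": True, "sensor": a["sensor"],
                            "team": a["team"], "lag_seconds": int(lag.total_seconds())})
        else:
            results.append({"activity": activity, "detected": False, "sensor": None,
                            "team": None, "lag_seconds": None})
    unclaimed = [a for i, a in enumerate(alerts) if i not in claimed]
    return results, unclaimed


if __name__ == "__main__":
    results, unclaimed = detection_coverage(TESTER_TIMELINE, parse_alerts(ALERT_LOG))
    for r in results:
        status = f"detected by {r['sensor']} ({r['team']}) after {r['lag_seconds']}s" if r["detected"] else "NOT DETECTED"
        print(f"{r['activity']}: {status}")
    for a in unclaimed:
        print(f"alert not tied to a listed activity: {a['rule']} from {a['sensor']}")
```

On the constructed data the port sweep and the file-share access were both seen (by different teams, with very different lag), the password spraying produced no alert at all, and one EDR alert matches no entry in the tester's timeline; each of those three outcomes is a separate item for the post-test discussion.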

Step 7: Post Pen Testing

After the test is done, there’s more work to do. Your analyst should generate a report for you, but he or she should also show you ways in which you can improve your security. Most testers will show you vulnerabilities in one report, but then will also show you protocols for closing those vulnerabilities, or reducing the risk they pose to your organization.

Step 8: Report To Management

Management should be part of the pen testing as well as the post-testing procedures. Most companies benefit from having one technical presentation going in-depth with the IT team and a separate, shorter, presentation for all of the middle and upper management.

Step 9: Assess Scope

Pen testing can cover a wide range of vulnerabilities. Don’t limit your test to just the network or external-facing systems. If you’re doing this test once a year, you could combine your network test with other tests, like physical access and wireless walk-around testing.

Step 10: Test Applications

Even when you’re finished with the server testing, you still have more to do. Any web applications your company builds and maintains should be tested. Why? Because these applications are vulnerabilities too. So, just like with the server tests, you would repeat these steps with every app that your company owns and uses.

At the end of it all, you should have a better understanding of the vulnerabilities your company has – both internal and external.

Jayden Morley is team leader for the IT team of a growing corporation. Always one to keep abreast of industry news he shares his knowledge online by blogging for business and IT related sites.
