penetration testing phases
The CompTIA PenTest+ certification exam is designed to test your knowledge of performing penetration tests either for third-party clients or for the company that employs you as a security professional. Although the fun part of penetration testing is diving in and trying to bypass the security controls put in place to help protect company assets, you have much work to do before that can happen. You have to make sure you take the time to prepare, which includes defining the goals and restrictions for the penetration test.
In this chapter, you learn about the basics of penetration testing, starting with an overview of penetration testing and penetration testing terminology. You then learn the four major phases to CompTIA’s penetration testing process: planning and scoping; information gathering and vulnerability identification; attacks and exploits; and reporting and communication.
Penetration Testing Overview
Penetration testing, also known as ethical hacking, involves an information technology (IT) professional using the techniques a hacker uses to bypass the security controls of a network and its system. A security control is a protection element, such as permissions or a firewall, that is designed to keep unauthorized individuals out of a system or network. The act the IT professionals are performing is known as a penetration test, or pentest for short (which is where CompTIA’s term, PenTest+, came from). The penetration test follows the process the hacker would take, including the discovery of targets and the exploitation of targets.
From a company’s point of view, the ultimate goal of a penetration test is to have an ethical person perform attacks on different assets to determine whether those assets could be penetrated, and if the attacks are successful, what remediation steps a company could take to prevent a real attack from being successful.
A key point to remember is that the person performing the penetration test — the pentester — is taking the mindset of a hacker and following the process a hacker takes. This involves much planning, as only 10 to 15 percent of the penetration test is actually performing the attacks. Like hacking, penetration testing is 85 percent preparation so that by the time the attack is performed, the hacker or pentester is quite sure the attack will be successful. You can compare this process to robbing a bank. A bank robber will spend the most time planning the robbery. When it comes time to rob the bank, the actual act of robbing the bank is done in minutes (or so I hear).
Reasons for a pentest
Why would a company conduct a penetration test? The purpose of a penetration test is to obtain a real-world picture of the effectiveness of the security controls put in place to protect the company’s assets. Instead of taking the word of the security team that configured the security of the environment, you can put the security to the test by having someone take the steps a hacker would take and see if the security holds up. In performing such a test, the pentester can also obtain a list of steps the company could take to prevent real attacks from being successful.
Another reason to perform penetration testing is to be in compliance with regulations. Depending on the industry a company services, organizations may be governed by regulations that require penetration testing to be performed on a regular basis to ensure the security of the organization. For example, companies that collect and store sensitive payment card information are governed by the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS has strict requirements for activities that must be performed to help keep sensitive payment card information secure. Check out “Best Practices for Maintaining PCI DSS Compliance” and “Penetration Testing Guidance” at www.pcisecuritystandards.org
to learn more about PCI DSS compliance requirements.
Table 1-1 summarizes two key requirements from the best practices document published by the PCI Security Standards Council. These requirements specify that organizations must perform an annual penetration test and implement any remediation actions identified by the test. Organizations must also perform a network segmentation penetration test every six months to maintain compliance.
TABLE 1-1 PCI DSS Best Practices Requirements
Requirement | Title | Description |
---|---|---|
11.3 | Penetration testing | Perform annual penetration testing against preordinated use cases/attack scenarios and perform remediation actions to address any identified vulnerabilities |
11.3.4.1 | Six-month penetration testing for segmentation | Bi-annual penetration testing conducted for network segmentation controls |
Source: PCI Security Standards Council. Best Practices for Maintaining PCI DSS Compliance. January 2019: pp 46-47. Available at www.pcisecuritystandards.org
.
The PCI Security Standards Council’s “Penetration Testing Guidance” document gives more detail on compliance requirements such as the fact that you must also perform a penetration test any time major changes are made to the network infrastructure or to applications within the organization (on top of doing annual penetration testing).
The key point here is that compliance requirements could drive the need to perform penetration tests on a regular basis.
Who should perform a pentest
Now that you know what a penetration test is, the next logical question is who should perform the penetration test? You have two choices when it comes to who performs the penetration test: internal staff or an external third-party company.
Internal staff
Many organizations opt to have their internal security staff perform penetration testing. This is a good idea as it will save money, but you must make sure there is no conflict of interest with the group performing the pentest. You must also make sure the people performing the pentest are qualified to conduct a pentest. (I discuss the qualifications needed by pentesters in “Qualified pentesters” later in this chapter.)
Companies may also create separate internal teams — a red team and