IT Security: what is a Pen test?
What is the Pen Test and when is it used?
The Pen Test, or Penetration Test, is a controlled attack carried out against a system or network in order to assess its security level. Its main purpose is to identify and report any flaws that could lead to a vulnerability.
The Pen Test follows a method known as the Open Source Security Testing Methodology Manual (OSSTMM), developed by the Institute for Security and Open Methodologies (ISECOM), which allows the defensive capacity of an internal or external network to be ascertained.
The principal phases of the Pen Test are: target definition, information collection, target enumeration, vulnerability mapping, exploitation of flaws, escalation of privileges, maintenance of access and report preparation.
Pen testers and ethical hackers
Pen testers (or ethical hackers) are professionals employed by companies to test the security levels of their devices and systems: if these hackers manage to break through the company's defences, they offer to help their client eliminate the flaws and make the boundaries of its systems impenetrable.
Organisations such as SANS, CREST, EC-Council and McAfee Foundstone recognise the most proficient ethical hackers by awarding certifications, which allow them to offer potential clients greater guarantees.
In most cases, the best pen testers write their own code for the hacking tools they use, so as to avoid the risk that code written by others contains malware planted for that very purpose by rival hackers.
The ethical hacker must use the information gathered during the so-called exploratory phase to exploit the systems' vulnerabilities and access them without holding any authorised access (if he does not manage to get in, he should try again using resources from different environments).
Generally speaking, it can be observed that the most capable pen tester is not necessarily the most technically brilliant, but rather the most patient and accurate.
Black Box and White Box: different approaches to the Pen Test
While many different operational rules can be followed for each Penetration Test, there are basically only two methodological approaches; these are the Black Box (also known as Dark Box) and the White Box.
In the former method, those carrying out the Pen Test do not know which technologies the target organisation uses. Besides having to draw on every known hacking technique, it is also essential to know how to classify the vulnerabilities identified according to their risk coefficient.
In the latter method, by contrast, the person carrying out the Penetration Test is already familiar with the entire environment to be tested.
The Black Box method costs more in terms of the time and resources required.
The White Box approach is similar to the other one, but is better suited to being incorporated into the installation phases of the software and hardware, so that any problems a potential attack could exploit are eliminated right from the start.
Differences between Vulnerability Assessment and Penetration testing
It is important to underline the difference between Vulnerability Assessment and Penetration testing:
- In Vulnerability Assessment all hypothetical vulnerabilities are highlighted, and their potential impact assessed;
- In the Penetration Test all vulnerabilities are identified, all publicly known exploits for them are investigated, and the focus is on obtaining and maintaining access to the target systems.
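A small triage model for the two points above: classifying findings by their risk coefficient (as required in the Black Box approach) and separating the hypothetical findings of a Vulnerability Assessment from the confirmed ones a Penetration Test produces. This is an added example written for this page, not code from the article or from OSSTMM; the 1-to-5 likelihood and impact scales, the severity bands and the sample findings are all assumptions constructed for illustration.

```python
"""Risk-coefficient triage of findings (constructed example, not from the article)."""
from dataclasses import dataclass
from typing import Dict, List

# Severity bands for a likelihood x impact coefficient on an assumed 1..5 scale.
SEVERITY_BANDS = [(15, "critical"), (10, "high"), (5, "medium"), (1, "low")]


@dataclass
class Finding:
    ident: str
    title: str
    likelihood: int          # 1 (unlikely) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)
    confirmed: bool = False  # True only when the tester actually validated it
    evidence: str = ""       # how it was confirmed (hypothetical detail)


def risk_coefficient(f: Finding) -> int:
    """Likelihood multiplied by impact, after checking both are on the 1..5 scale."""
    for name, value in (("likelihood", f.likelihood), ("impact", f.impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} out of range for {f.ident}: {value}")
    return f.likelihood * f.impact


def classify(f: Finding) -> str:
    """Map the risk coefficient onto a severity label using SEVERITY_BANDS."""
    coeff = risk_coefficient(f)
    for threshold, label in SEVERITY_BANDS:
        if coeff >= threshold:
            return label
    return "low"  # not reachable with the bands above; kept as a safe default


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Confirmed findings first, then descending risk coefficient, then by id."""
    return sorted(findings, key=lambda f: (not f.confirmed, -risk_coefficient(f), f.ident))


def summarise(findings: List[Finding], confirmed_only: bool = False) -> Dict[str, int]:
    """Count findings per severity; confirmed_only=True gives the pen-test view."""
    counts = {label: 0 for _, label in SEVERITY_BANDS}
    for f in findings:
        if confirmed_only and not f.confirmed:
            continue
        counts[classify(f)] += 1
    return counts


def render_report(findings: List[Finding]) -> str:
    """Plain-text table in report order (for the report-preparation phase)."""
    lines = ["ID      SEV       COEFF  STATUS        TITLE"]
    for f in prioritise(findings):
        status = "confirmed" if f.confirmed else "hypothetical"
        lines.append(f"{f.ident:<7} {classify(f):<9} {risk_coefficient(f):>5}  {status:<13} {f.title}")
    return "\n".join(lines)


# Constructed sample findings: no real hosts, products or identifiers.
SAMPLE_FINDINGS = [
    Finding("F-001", "Outdated TLS configuration on public web server", 3, 2),
    Finding("F-002", "Default credentials on internal admin console", 4, 5, True,
            "logged in with vendor defaults during the test"),
    Finding("F-003", "Verbose error pages disclose stack traces", 2, 2),
    Finding("F-004", "Unpatched file-sharing service on internal host", 5, 4),
]

if __name__ == "__main__":
    print(render_report(SAMPLE_FINDINGS))
    print("vulnerability assessment view:", summarise(SAMPLE_FINDINGS))
    print("penetration test view:", summarise(SAMPLE_FINDINGS, confirmed_only=True))
```

The two `summarise` calls show the distinction the list makes: the assessment view counts every hypothetical finding by its potential impact, while the test view counts only what was actually confirmed, which is why a pen test report usually lists fewer but better-evidenced items.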
That concludes our brief summary of the Penetration Test: a process which allows the security of company systems to be analysed in order to identify potentially weak areas, thereby strengthening the entire IT infrastructure.
Translated by Joanne Beckwith