Features and difference between Security Testing and Pentesting in IT
First of all, security needs to be considered from design. Only by designing a system with security in mind, we could create a security-aware system. But not all the existing projects have been designed in that way, and often security is treated like an optimization to be performed later on. In order to build a secure system we have to know what is the profile of our enemies. Who is the attacker?
An attacker is not necessarily a person, but it is an entity who is trying to obtain illegitimately an asset. In order to understand the previous sentence we need to define some conception.
- Entity: Generally speaking, a system can be attacked by a person directly, or by another system or software, maybe driven by a human being or activated by some user interaction
- Asset: It represents all the kind of resources we want to protect. It could be user information, money, sensitive business data
In order to adopt effective measures, we need to understand how attackers operate, to analyse the steps performed, and try to discover all the vulnerabilities in our system before being discovered and exploited by an external entity. As previously mentioned, we need to act in all the layers involved in a business to obtain an higher level of security, from securing the hardware until adopting security network solution, from securing back-up until implementing a SDL (Security Development Life-cycle) plan, to categorize the information the company treats, to standardize all the process in which sensitive information is involved, to instruct all the people to adopt the process designed. After that, we need to test security of the system by internal, performing internal network scan, static code analyser, application vulnerability scan and to adopt solution before our system reach production environment, so before being exposed to the external. After implementing certain process, we need to evaluate if the processes have been well adopted in both the system and people factors. In order to perform a security test, usually company needs to hire an external team that will emulate the behavior of an attacker. This kind of simulation, is called Penetration Testing, in short PenTest. It includes a huge set of tests, usually performed by an authorized external company, to simulate the operations of an hypothetical attacker in trying to penetrate in a company system. In this perspective, the team in charge of doing the test, will try to compromise the target company system, by gathering information and by eluding the security processes adopted.
Penetration testing consists of a set of systematic procedures performed to gain access to company assets. It can be merely applied on a computer system, but the term usually refers to the verification of the correctness of the security procedures implemented by a company. Penetration Testing, in short PenTesting, involves simulating real attacks to assess the risk associated with potential security breaches. On a PenTest (as opposed to a vulnerability assessment), the testers not only discover vulnerabilities that could be used by attackers but also exploit vulnerabilities, where possible, to assess what attackers might gain after a successful exploitation. As defined by Computer Security Division of NIST, (National Institute of Standards and Technology):
Penetration testing is security testing in which evaluators attempt to circumvent the security features of a system based on their understanding of the system design and implementation. The purpose of penetration testing is to identify methods of gaining access to a system by using common tools and techniques used by attackers. Penetration testing should be performed after careful consideration, notification, and planning.
So penetration tests should be performed by external teams, since that internal ones could have a deeper knowledge of both networks and security procedures in place. It implies the usage of the same tools that would be used by real attackers. It is used to simulate the behavior of an external malicious team that tries to access, with authorization, to the company assets, and to verify that the company is able to defend itself in such situation.
Using simpler words, penetration testing is the process of attempting to gain access to resources without knowledge of user-names, passwords and other normal means of access. To stress the importance of using and following a methodology, it is often beneficial to describe a scenario that helps demonstrate both the importance of this step and the value of following a complete methodology when conducting a penetration test.
The only thing that differentiates a pentester with respect an attacker, is the authorization. Since that the simulation could include the usage of tools restricted by law, it is necessary to have a formal permission for conducting the test in which all the activities will be performed are detailed. The formal permission should include:
- IP addresses to be tested
- Host to not be tested
- List of acceptable techniques and tools
- Time when testing will be performed
- IP address of the machines that will perform the test in order to differentiate the simulated attack from a real one
- Handling of the information collected during the test
The objective of Penetration Test is to have a complete perspective of the level of security imple mented by a company and to verify its response to certain events as intrusion or data corruption. In particular its main benefits are:
- identify the main vulnerabilities of a system, so that an organization can deploy an action plan to implement the defenses according with the priority of the flaws identified
- improve the IT components of an organization since that both networks and software flaws can be identified
- improve the non-IT part of a company, involving people also, in order to limit the information disclosure for each hierarchical level
- reduce the possible financial losses coming from an incident, and in a certain way be prepared in such event, by adopting remedial measures or reactions.