Penetration Testing
Penetration Testing (PT) is a set of result-oriented activities whose main purpose is the controlled breach of the computer security perimeter of a system, software or machine identified as the “target” or “goal”. By simulating one or more real attacks, as an attacker (lamer or cracker) could actually carry them out, and circumventing the victim’s defences, the operator (ethical hacker) tries to exploit vulnerabilities in configurations, software or devices to access corporate data and/or take control of the systems, in order to reach trade secrets, bank codes or other information that could be useful as trade goods or sources of income.
Working across all the components an attacker could exploit (networks, systems, applications, people, processes, physical locations), the operator tests the degree of logical security of the architecture by exposing it to targeted attacks by simulated threat agents. This activity lets the company verify in the field, in a systematic, consistent and repeatable way (if conducted according to a methodology) and through multiple attack vectors, whether and how the vulnerabilities found can be exploited by an expert attacker.
As with VAs, PT activities often make use of vulnerability scanners or other specific tools to analyse web applications and network infrastructures. Specifically, PTs exploit the vulnerabilities found in order to achieve the final goal, that is, the compromise of the system. I would like to clarify that in this type of activity the engagement and requirements-definition phase plays a key role: it is in this phase that the perimeter, the objectives and the method of operating are defined.
There are different ways of carrying out a Penetration Test, based on the amount of information made available to the (simulated) unauthorized subject, for example:
- White box (authenticated test): simulation of an attack by a user with valid credentials and full knowledge of the target IT infrastructure. The information provided usually includes network diagrams, IP addresses, system configurations and credentials with different permission levels. This type of test is suggested when it is necessary to evaluate how much damage an attacker, or an outsider who has stolen credentials, could cause.
- Black box (unauthenticated test): simulation of an attack by an external hacker who acts in order to obtain unauthorized access to systems and exfiltrate or destroy data, or, simply, to cause a disservice. No technical details are provided for this type of test.
- Gray box: a middle ground between the previous two; generally, the target IP addresses are provided (and possibly the part of the network scheme needed to reach them) together with the credentials of a user without permissions.

It is desirable that the VA and PT activities are carried out together and at least annually, in order to determine the level of vulnerability of the network components exposed to the public and to ensure that the defence measures are adequate for identifying and countering all possible illegal actions.