Penetration Testing

Also known as: pen testing, ethical hacking, security testing

A simulated cyberattack conducted by security professionals to identify vulnerabilities in systems, networks, and applications before malicious attackers can exploit them.

In-Depth Explanation

Penetration testing (pen testing) simulates real-world cyberattacks against systems and infrastructure to identify security vulnerabilities that could be exploited by attackers. Unlike vulnerability scanning, which is automated, pen testing involves skilled security professionals actively attempting to breach defences.

Types of penetration testing:

  • External: Testing internet-facing systems from outside the network
  • Internal: Testing from inside the network (simulating an insider threat)
  • Web application: Testing web applications for vulnerabilities
  • Mobile application: Testing mobile apps and their APIs
  • Social engineering: Testing human vulnerabilities (phishing, pretexting)
  • Physical: Testing physical security controls
  • Wireless: Testing WiFi and wireless network security

Testing approaches:

  • Black box: Testers have no prior knowledge of the system
  • Grey box: Testers have some knowledge (user credentials, architecture)
  • White box: Testers have full knowledge (source code, architecture, credentials)

Penetration testing methodology:

  1. Planning and scoping: Define targets, rules of engagement, and success criteria
  2. Reconnaissance: Gathering information about the target
  3. Vulnerability analysis: Identifying potential weaknesses
  4. Exploitation: Attempting to exploit vulnerabilities
  5. Post-exploitation: Determining what can be accessed after the initial breach
  6. Reporting: Documenting findings, risks, and remediation recommendations

Pen testing standards and frameworks:

  • OWASP Testing Guide (web applications)
  • PTES (Penetration Testing Execution Standard)
  • CREST (accreditation for pen testing providers)
  • PCI-DSS ASV scanning (for payment processing)

Australian pen testing considerations:

  • Use CREST-certified testers for quality assurance
  • Ensure testers have appropriate insurance and clearances
  • Define scope carefully to avoid disrupting production systems
  • Schedule testing during appropriate windows
  • Consider both external and internal testing perspectives

Business Context

Penetration testing identifies vulnerabilities that automated scanning misses, with skilled testers finding critical issues in 93% of engagements. It is the most realistic way to validate your security posture.

How Clever Ops Uses This

Clever Ops coordinates penetration testing for Australian businesses, engaging certified testers to evaluate external, internal, and web application security. We manage the testing process, help prioritise and remediate findings, and verify that fixes are effective through retesting.

Example Use Case

"An Australian SaaS company commissions an annual pen test that discovers a critical authentication bypass in their API. The vulnerability is patched within 48 hours, preventing a potential data breach affecting 10,000 customer accounts."

Category

cybersecurity
