Penetration Testing: Types and Phases

Learn what penetration testing (pen testing) is and which types of it exist, from a software tester's perspective.

by Christian Perez & Daniel Güidi, Software Testers --

What Is Penetration Testing? A Brief Introduction

As time goes by, technology grows and reaches more areas with each new wave. One thing that is already among us is the IoT (Internet of Things).

In recent years we have seen more and more IoT devices populating the market: toys, home appliances and more.

The common assumption is that, since “smart” devices are not meant for entering data, their users are safe from being hacked.

Nothing could be further from reality.

Because these devices are connected to the Internet, they expose connection channels through which malicious access can be gained. Not only could an unauthorized user obtain the user’s sensitive data (such as credit card numbers, passwords, etc.); in some cases the device’s firmware could also be replaced with a modified one to take control of the device.

Imagine an IoT toy that can show on its screen messages selected in a cell phone app.

Kids playing with it suddenly see the toy showing them inappropriate messages or, in other cases, exhibiting strange behaviors it is not supposed to have.

So the fact is that if something can be “connected”, it is at some point at risk and vulnerable to attacks. This is where penetration testing techniques come in to save us from that disaster.

Penetration Testing, also known as Pen Testing or Ethical Hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of that system.

The National Cyber Security Centre describes penetration testing as follows: "A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system's security, using the same tools and techniques as an adversary might."

The main goal is to identify security vulnerabilities and failures in order to prevent external attacks.

Nowadays every company faces, ever more frequently, risks that can affect its systems. Being aware of this risk is fundamental, but sadly not all companies are.

Performing this ethical hacking is completely legal because companies explicitly authorize pen testers to test their systems’ security.

Pen testers design test suites to determine and classify the reach and consequences of security failures.

These suites are designed not only to gain access through the security systems, but also to determine the probability that an attacker can gain unauthorized access, and to find other vulnerabilities that cannot be found any other way.

Pen Testing Types

As you can imagine, there are several pen testing types, which follow the traditional software testing types:

White Box Pen Testing

As you can imagine, White Box Pen Testing refers to a technique in which the tester is given all the information about the network infrastructure, the app’s source code and all other relevant data. This allows the pen tester to dig deeper.

Experience shows that the most dangerous vulnerabilities and bugs are not caused by isolated coding errors but by chaining several vulnerabilities together in the same attack.

With this approach it is possible to find vulnerabilities and bugs in the application flow that are really difficult to find using automated tools or other testing techniques.

The key to getting the most out of white box pen testing is to apply it while the app is still in development rather than after it has been released.

By doing this it is possible to achieve security by design, addressing security throughout the development cycle.

Black Box Pen Testing

At the opposite end from White Box Pen Testing we have Black Box Pen Testing, which consists of making every available attempt to get into the system under evaluation without any prior information.

The idea behind this technique is to act like an outside attacker, discovering the target system step by step and trying to find a way in.

A Black Box Pen Test determines the vulnerabilities in a system that are exploitable from outside the network. 

Using this technique, the exposed risks can be evaluated, as well as the type of information an intruder could obtain if the attack were successful.

Grey Box Pen Testing

Grey Box Pen Testing is the penetration testing methodology that consists of attempting to penetrate the system with only a limited amount of information at hand.

With this method, the pen tester determines the system’s vulnerabilities while mimicking an app user or a company collaborator.

The pen tester is given credentials for the application, allowing them to move past the authentication steps.

This approach is the recommended method for applications and sites that have member or customer areas.

Pen Testing Phases

Regardless of the pen testing type selected for a system, the pen test must cover the following phases in order to produce useful information and results:

1. Test planning and reconnaissance

Define the scope and test goals, then gather the information needed to understand the target and its potential vulnerabilities.

2. Scanning

This phase consists of understanding how the target could respond to intrusion attempts. It includes static analysis through a review of the app’s code, if available, and dynamic analysis by running the application, which gives a real view of its performance and behavior.

3. Gaining Access

This is the actual penetration test, carried out using techniques such as cross-site scripting, SQL injection and backdoors.

Pen testers can exploit the vulnerabilities found by escalating privileges in the system, accessing restricted data, etc., in order to understand and estimate the damage a malicious attack could cause.

4. Maintaining Access

The goal of this phase is to evaluate whether the security hole can be used to repeatedly enter the system for long enough to gain control over it and steal the company’s sensitive data.

5. Result Analysis

As with every type of test, the final phase is to gather all the pen testing information in a single report whose main points are the exploited vulnerabilities, the data that could be obtained during the intrusion, and the time the attacker could spend undetected in the system.

6. Hands On

After the Result Analysis, the security professionals should apply all the configuration and system modifications needed to secure the whole ecosystem and keep company and user information as safe as possible.
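The static code review of phase 2 and the SQL injection mentioned in phase 3 can be illustrated together. The following Python example is added here and is not part of the original article: a constructed in-memory SQLite user table, a lookup built by string formatting beside its parameterized counterpart, and a deliberately crude review heuristic (an assumption of this example, not a real tool) that flags the defective pattern during code review.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory user table, not from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Builds the query by string formatting: whatever the user types becomes part
    of the SQL text. This is the defect a white-box code review should flag."""
    query = f"SELECT name FROM users WHERE name = '{name}' ORDER BY name"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, name):
    """Parameterized query: the driver sends the value separately from the SQL,
    so it is never interpreted as SQL no matter what it contains."""
    query = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(query, (name,))]


def review_query_builder(source_line):
    """Illustrative phase-2 heuristic (hypothetical, not a full SAST rule): flag a
    source line that assembles SQL with f-strings, '+' or '%' instead of '?' placeholders."""
    has_sql = any(kw in source_line.upper() for kw in ("SELECT", "INSERT", "UPDATE", "DELETE"))
    assembled = any(marker in source_line for marker in ('f"', "f'", "+", "%"))
    return has_sql and assembled and "?" not in source_line


if __name__ == "__main__":
    conn = make_db()
    # Classic test input used to confirm the defect; the safe version matches nothing.
    tautology = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, tautology))  # every user is returned
    print("safe:      ", lookup_safe(conn, tautology))        # []
    print("review flags vulnerable builder:",
          review_query_builder("query = f\"SELECT name FROM users WHERE name = '{name}'\""))
```

The report from phase 5 would list the string-formatted lookup as the exploited vulnerability and the full user table as the data obtained; the phase 6 fix is the parameterized form.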

Conclusion

Now let's widen the scope. We started this article with a simple example of an IoT toy, so let’s go further: imagine that in the near future our homes are populated with all kinds of IoT appliances, and even further, imagine IoT applied to industrial robotics or to high-tech medical equipment…

Would you trust those companies if at least the basic pen testing techniques described here were not applied?

Looking for Software Testing companies?

Devlane is here for you! We work with many companies in the US, providing software solutions in many industries.

We create dedicated development teams and customized software solutions for our clients. MVPs, software testing, blockchain and data engineering are our main areas of expertise.

Let us know if we can help you grow your business. You can leave us a message here and we'll get in touch shortly.