Understanding the five stages of a penetration test.


Explaining the 5 stages of a pen test

Pen tests are key for organisations to identify security vulnerabilities in their systems, applications and networks. It is crucial to identify weaknesses before malicious actors exploit them. The outcome of a penetration test should always lead to the patching of security flaws and the hardening of the organisation's digital attack surface.

The 5 Phases of the PenTesting Process

The five penetration testing phases are reconnaissance, scanning, vulnerability assessment, exploitation and reporting. All these are extremely important to assess the security posture of an organisation.

The following is an overview of the main stages of a well-planned and well-executed penetration test.

Reconnaissance

During this phase the pen tester collects as much information as possible about the target system which will be assessed. Information about the network topology, operating systems and user account management are some examples of the gathered information. All this information is used to craft a testing plan (i.e. an effective attack strategy).

The two main methods of reconnaissance are active and passive. In passive reconnaissance, information is pulled from publicly available sources, whereas active reconnaissance involves direct interaction with the target system to obtain information. It is best practice to use both methods to form a comprehensive picture of the target's vulnerabilities. The starting point for a good pen test is always the definition of the scope and goals of the test, including the systems to be addressed.

Scanning

On successful completion of the reconnaissance phase, the testing team moves on to scanning. The testers use a myriad of tools to identify open ports and check elements such as network traffic on the target system. The more entry points that are identified, the richer the input for the subsequent phase. Human intervention in addition to automated scanning is always recommended in order to reach the full potential of a penetration test. Scanning is carried out in two modes, against the static and the dynamic state of the system(s).

Vulnerability Assessment

This third step sees the pen tester(s) use all the data collected in the first two phases to identify potential vulnerabilities and determine whether or not they can be exploited by attackers. A vulnerability assessment can be carried out in isolation, as a cyber security tool in its own right, but it is much more powerful when combined with the other pen testing phases.

There are multiple resources available that list known vulnerabilities, such as the National Vulnerability Database (NVD), maintained by the US government, which includes and makes public the Common Vulnerabilities and Exposures (CVE) database. The severity of vulnerabilities is frequently scored using the Common Vulnerability Scoring System (CVSS).

Exploitation

Once all the vulnerabilities have been identified and listed, the tester proceeds to exploitation. In this phase, the penetration tester attempts to access the target system by exploiting the listed vulnerabilities. A real-life attack is simulated, and tools such as Metasploit are utilised.

Cyber security professionals regard this as the most delicate phase of a full pen test, since security restrictions are tested with the aim of bypassing them. Testing teams need to be careful not to compromise or damage the systems and the data they hold, since such systems may be business critical.

This step is commonly split in two: gaining access to the system and maintaining access. Typically, testers use tactics such as cross-site scripting, backdoors and SQL injection to exploit the target's vulnerabilities. Working ethically, testers will try to steal data, intercept traffic or escalate (user) privileges. The time spent in the system without being detected is recorded, as this shows how effective the organisation's defences are.

Reporting

As a final step, the tester prepares a report that clearly sets out the pen test's findings. The objective is for this document to guide the organisation in fixing any vulnerabilities found in the system and thereby improve its overall security posture.

The findings include the specific vulnerabilities that were exploited, the sensitive data that was accessed and the time the tester remained in the system undetected.

Reports document each vulnerability in context, so that the organisation can remediate the associated security risks. In addition, reports usually include a business impact assessment, a technical risk briefing, a prioritised list of remediation actions and other strategic recommendations.

Advantages of Penetration Testing

The key benefits of performing penetration testing include maintaining compliance with regulatory frameworks in order to keep an active standard or licence, such as PCI DSS. Preventing cyber attacks and security breaches is another benefit, with a direct impact on reputation, financial performance and confidence levels. Making the organisation less susceptible to attack is a key benefit.

Conducting regular penetration testing helps your CISO and technology professionals stay current on the latest cyber security defence measures.

Engage us to improve your cyber security. Speak to us today to learn more.

Francesco Mifsud

I live and breathe cyber security and everything else in the discipline. With around a decade of experience in the industry I have had the opportunity to develop skills in penetration testing, cloud security, reverse engineering & exploit development, application security engineering, management and organisation-wide cyber security strategy. I hold a well-rounded set of security certifications such as OSCP, eWPTX and CISSP and have delivered training & workshops at some of the most prestigious hacking conferences such as DEF CON, BruCON, BSides London and BSides Manchester.