A penetration test is an attack on a system or process to determine the level of protection offered by the system or process. A penetration test can be likened to a test of the security of a building. There are two broad types of attack:
- Random, opportunistic exploitation of an identified weakness (i.e. an unlocked door). It is random in the sense that you may not be a deliberate target. This attack type is relatively easy to mitigate. In fact, we do it instinctively when we check to see if all of the doors and windows are locked before we leave the house.
- Deliberate persistent attack. In this case, you have something someone wants, they have identified and foot-printed your organisation with probes and they have launched a systematic attack on your systems. The success of this type of attack depends heavily on how much time, effort and resources the attacker is willing to expend to get what they want.
Penetration testing follows the process of the deliberate, persistent type of attack in as much as the target has been deliberately selected. The methods used to breach the perimeter will vary depending upon what the client wants checked. For example, if we are checking the perimeter of a building and find an open window, do we just report it, exploit it immediately and stop, or do we exploit it and report all of the possible weaknesses?
Additionally, we have to ascertain whether or not the customer wants us to continue to exploit the successful attack and do something (i.e. steal items) to demonstrate the possible consequences of a successful attack.
Because needs and circumstances vary from client to client, our approach is to initiate the test with a workshop where the client agrees on the objectives and parameters for the test. This includes getting formal authority from the client to undertake the test. Cyphertech will never undertake a penetration test without the appropriate authorisation from the client.