Penetration refers to a successful, but an unauthorized breach of security perimeter of a computer system. Penetration Testing is done as a part of ethical hacking, wherein the computer network’s security systems are evaluated thoroughly by simulating attacks from malevolent sources, also called the black hat hackers.
The penetration testing process is carried out from point of view of an attacker and thus, involves active exploitations and breaching of system’s vulnerabilities. The potential vulnerabilities, which might arise due to improper or poor system configurations, operational weakness in the various technical counter-measures, software flaws, and/or hardware flaws are identified, analyzed, assessed for their possible impact on computer network, and finally reported to the system owner or administrator with possible solutions. Thus, penetration is usually done to assess a potential attack’s feasibility and evaluate the extent of impact of a successful vulnerability, if identified.
Penetration is an integral component of the comprehensive security audit. The 2 major ways of carrying out penetration testing are – Black Box PenTests and the White Box PenTests. There are several variations, with features of both the primary methods and are often referred to as the ‘Grey Box’ PenTests. Although the Penetration techniques are extremely useful in strengthening any organization’s security systems, they have a lot of risks involved such as slowing down of systems during network scanning, which must be taken care of.
Real-World Scenarios: Most of the security tests, as part of penetration, are done using the OSSTMM, NIST, and ISSAF test methodologies. To avoid any leaking of secured information, standards and certifications followed for penetration tests include the CREST’s certified tester (for infrastructure and web applications) and CREST’s registered tester. Certifications are also provided by IACRB, GIAC, and SANS. Other Penetration standards include OWASP framework, and NSA-IEM, QST & SST schemes of Tiger Scheme.
Example: The PCI DSS follows both ongoing and annual penetration testing to meet security auditing standards.