Penetration testing is to hacking what the 100 meter sprint is to a multi-day adventure race. They both share a lot of the same goals, namely finishing first, and some of the same skills, such as running, but the differences far outweigh the similarities. Many people mistake penetration testing for hacking and therefore fail to understand the value, or if they are attempting to conduct a pen test they fail to provide real value. And the larger the target system or application the more the differences show.
Processes form the foundation of penetration testing and allow the pen tester to analyze complex systems without missing important elements, overlooking critical correlations, or impairing functionality. Over the years the Aerstone team’s approach to pen testing has evolved to include a number of processes, some manual and other automated, which allow us to rapidly execute tests, organize results, and report findings in a timely and accurate manner.
Process development stems from needs, which are discovered during testing, so it is critical for a junior penetration tester to spend time working with a more experienced tester, or working in a training environment. Some key processes are discovery and target prioritization, two of the first steps that help refine the scope of the engagement and provide the best value to the client. Because penetration testing is a level of effort task (i.e., if you spend enough time on something you can almost certainly find a way in, the question is can you find a way in before the clock expires) it is critical to prioritize testing activities and focus on low hanging fruit first. This will allow for later analysis of more obscure or complicated areas that may or may not prove fruitful.
Aerstone’s discovery process combines a series of manual and automated scans, and weighs the results against experience on hundreds of engagements to determine the most attractive targets. In fact, this is similar to what a hacker does in a so-called “advanced persistent threat” or APT. In an APT scenario, the attacker (or hacker as the media loves to say) is essentially conducting a penetration test, looking for weaknesses and then exploring the most likely vulnerabilities in the organization’s security model.