Kolawole Daramola MBCS, a cloud security professional and a Microsoft Certified Trainer, explores penetration testing. He offers practical advice about good practice and insights into beginning your penetration testing career.
What is penetration testing?
Penetration testing is a process where security professionals try to exploit a system's vulnerabilities. The goal of the process is to ensure that the organisation is aware of vulnerabilities in its system and take action to ensure these flaws are not exploitable by criminals. Obtaining permission from the infrastructure owners before attempting to exploit any vulnerability is essential.
It is a crime to exploit any system vulnerability without the owners' express permission (which could, in some cases, include the data owner, infrastructure owner and similar stakeholders).
Organisations need penetration testing to be done periodically to improve security and comply with regulatory frameworks like HIPAA, PCI and others.
This article aims to demystify penetration testing’s complexities and to make future collaborations between IT professionals and penetration testers run smoothly. In this article, we won’t talk about methodologies; instead, we’ll focus on the standard processes involved, the skills needed and how you could become a penetration tester.
How does penetration testing work?
It is commonly held that penetration testing is done on just software, but that is untrue. Almost any security strategy can be tested with these procedures. For example, the physical security of an organisation's server room can be tested.
Across methodologies, the following processes are undertaken in the same order to conduct a penetration test.
- Planning and reconnaissance: a penetration test starts with defining the scope of the test, stating rules of engagement and signing necessary agreements with the appropriate authority. Reconnaissance involves studying the environment you are attempting to exploit for possible vulnerabilities. This could include using social engineering, dumpster diving and tailgating. You might also begin intelligence gathering on IT infrastructure using tools like NMAP to gain information on a client’s network configuration. The goal of this phase is to ensure everything necessary is captured legally and to find an entry point into the asset to be tested. It is essential not to operate outside the test’s agreed scope and limits: going beyond the agreed scope — possibly attacking a different system — can leave the tester open to potential prosecution under the Computer Misuse Act (1990). The UK Data Protection Act (2018) also limits the types of data that can be used as subjects for penetration tests.
- Vulnerability assessment: in this phase, you identify vulnerabilities in the system or application, looking for possible weaknesses. Some vulnerabilities might be complex to exploit, while others could be comparatively trivial and much less costly in time and effort. A common approach is to research for known and documented vulnerabilities in your testing systems. Another approach is to use software testing apps like Nessus and OpenVAS to access the system. It is good practice to note and rank discovered vulnerabilities in order of exploitability.
- Exploitation: this phase is about acting on the vulnerabilities to get into the system. This might involve using social engineering to dupe system users into revealing useful security information or deploying more complex and technical techniques.
- Post-exploitation: this phase entails maintaining access long enough to make inferences about the system. It is important to note that the time frame for post-exploitation would be as agreed in the scope of the work. When you are done gathering essential details about the system, you must restore the system to its original state. Your work on the system ends once you have restored the system.
- Reporting: reporting is critical in a penetration test. All the work you have carried out needs to be documented in a comprehensive report. This report serves many purposes, the chief of which is to inform system owners about flaws in the system. While your work on the system ends at post-reporting, your work on the penetration test ends once you have submitted the report.
For you
Be part of something bigger, join BCS, The Chartered Institute for IT.
Specific skills are beneficial to your interest in a career in penetration testing. These include:
- Problem solving
- Writing
- Research
- Technical competence in operating systems, scripting language and computer networks
- Analytical skills
A penetration tester is only as good as their tools. Kali Linux is a popular operating system used for penetration testing computer systems. Many other tools come in handy for penetration testing various targets, and learning how to use them helps.
Ethics and penetration testing
Penetration testers are ethical hackers who access systems within agreed frameworks to make them more secure. It is necessary to properly qualify to be a penetration tester before carrying out penetration testing. There are many routes to becoming a penetration tester and resources to help professionals develop such skills. Some of these routes include:
- Formal education: several degree programmes have modules that train students to be penetration testers. Some of these degree programmes could include computer science, advanced computer science, cybersecurity, computer forensics and similar. It may be helpful to look through the course module specifications before applying.
- Degree apprenticeship: you could become a penetration tester by enrolling in a degree apprenticeship in domains that involve penetration testing, such as cybersecurity or digital forensics technician. You can search for apprenticeships on the government website. An excellent place to start is the BCS apprenticeships page which has all the necessary information to start an apprenticeship. BCS also offers support during and after the apprenticeship.
- Certifications: some certifications train you to qualify as a penetration tester. Some of them include CompTIA’s pentest+, EC-Council’s Certified Ethical Hacker (CEH), Offensive Security Certified Professional (OSCP) and GIAC Penetration Tester (GPEN).
Penetration testing is a rewarding and exciting discipline that offers much to the computing profession.
Computing professionals must keep abreast of the latest developments in cyber security. BCS offers a book on penetration testing, and additionally provides support through specialist groups like BCS IRMA (Information and Risk Management Assurance), Cybercrime Forensics and Information Security, and extensive branch networks. These groups organise webinars and other training programs that allow professionals to stay updated on their knowledge and skills.