Another post for network security students:
Penetration testing is a simulated attack against an organization using the same information, tools, and techniques available to real attackers. During a penetration test, testers seek to gain access to systems and information and then report their findings to management. The results of penetration tests may be used to bolster an organization’s security controls.
NIST divides penetration testing into four phases:
• Planning
• Conducting discovery
• Executing a penetration test
• Communicating penetration test results
The planning phase lays the administrative groundwork for the test. The rules of engagement are finalized during this phase, and they address points such as:
• Timing: Defining when the test will take place
• Scope: Identifying the agreed-upon scope of the penetration test
• Authorization: Determining who is authorizing the penetration test to take place
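The three rules of engagement above are the gate that every later phase should pass through. As an added example (not from the original post or from NIST), here is a small check that refuses to hand a target to the discovery phase unless an authorizer is recorded, the clock is inside the agreed window, and the address is in scope and not excluded; the field names and all sample values are constructed for this illustration.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed rules of engagement; the field names are an assumption for this
# example, not a NIST-defined format.
RULES_OF_ENGAGEMENT = {
    "authorized_by": "Example CISO",
    "window_start": datetime(2024, 6, 3, 22, 0, tzinfo=timezone.utc),
    "window_end": datetime(2024, 6, 4, 6, 0, tzinfo=timezone.utc),
    "in_scope": ["10.20.0.0/16", "192.0.2.10/32"],
    "excluded": ["10.20.5.0/24"],  # a segment the client carved out
}
# Constructed candidate list and clock reading for the demonstration.
EXAMPLE_CANDIDATES = ["10.20.1.5", "10.20.5.7", "203.0.113.4", "192.0.2.10", "host"]
EXAMPLE_NOW = datetime(2024, 6, 3, 23, 30, tzinfo=timezone.utc)

def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def check_target(target, roe, now):
    """Return (allowed, reason). A target passes only when an authorizer is
    recorded, the clock is inside the agreed window, and the address lies in
    an in-scope range without falling in an excluded one."""
    if not roe.get("authorized_by"):
        return False, "no authorization recorded"
    if not (roe["window_start"] <= now < roe["window_end"]):
        return False, "outside agreed testing window"
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False, f"not an IP address: {target!r}"
    if any(addr in n for n in _nets(roe["excluded"])):
        return False, f"{target} is explicitly excluded"
    if not any(addr in n for n in _nets(roe["in_scope"])):
        return False, f"{target} is not in scope"
    return True, "ok"

def filter_targets(targets, roe, now):
    """Split candidates into (allowed, [(rejected, reason), ...])."""
    allowed, rejected = [], []
    for t in targets:
        ok, why = check_target(t, roe, now)
        if ok:
            allowed.append(t)
        else:
            rejected.append((t, why))
    return allowed, rejected

if __name__ == "__main__":
    ok, bad = filter_targets(EXAMPLE_CANDIDATES, RULES_OF_ENGAGEMENT, EXAMPLE_NOW)
    print("allowed:", ok)
    for t, why in bad:
        print("rejected:", t, "-", why)
```

Every rejection carries its reason, so the list of refused targets can go straight into the engagement log that the reporting phase draws on.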
The technical work of the penetration test begins during the discovery phase, when testers conduct reconnaissance and gather as much information as possible about the targeted network, systems, users, and applications. This may include reviewing publicly available material, performing port scans of systems, using network vulnerability scanners and web application testers to probe for vulnerabilities, and performing other information gathering.
During the attack phase, penetration testers seek to bypass the organization’s security controls and gain access to systems and applications run by the organization. Testers often follow the NIST attack process. They use the information gathered during the discovery phase to gain initial access to a system. Once they establish a foothold, they seek to escalate their access until they gain complete administrative control of the system. From there, they can scan for additional systems on the network, install additional penetration testing tools, and begin the cycle anew, seeking to expand their footprint within the targeted organization. They continue this cycle until they exhaust the possibilities or the time allotted for the test expires.
At the conclusion of the penetration test, the testers prepare a detailed report communicating the access they were able to achieve and the vulnerabilities they exploited to gain this access.