Penetration Test Classification
Details on the Topic
One Penetration Test Is Not Just Like Another
Information Base
What information about the target network or system does the penetration tester have when the test starts?
The basic distinction is between tests without any insider knowledge, referred to as black box tests, and tests with insider knowledge, referred to as white box tests.
- Black Box: A black box test is a realistic simulation of an attack by an outsider on the internet. The tester has to gather the required information from publicly available sources, such as WHOIS and DNS records, or obtain it by asking, as someone who does not belong to the company.
- White Box: A white box test simulates an attack by a (former) employee or an external service provider who has specific inside information. The amount of information can range from the basic knowledge of an employee who has only worked for the company for a short time to the detailed knowledge an external IT service provider gains while installing security-relevant systems. For this test type, the penetration tester is also given access to the systems under test.
- Grey Box: A grey box test is a mixture of the two: the penetration tester is given all available information about the systems to be attacked, but not the system access a white box test provides.
Aggressiveness
How aggressively does the penetration tester proceed?
To distinguish the levels, the following four values have been defined:
- Passive: Test objects are only examined passively, i.e. detected vulnerabilities are not exploited.
- Cautious: Detected vulnerabilities are only exploited if, to the best of the penetration tester's knowledge, a negative impact on the test system can be ruled out. Examples are trying known default passwords or attempting to access directories on a web server.
- Calculated: Detected vulnerabilities are exploited even if this may impair the system. Examples are automated password-guessing tools or the exploitation of known buffer overflows on uniquely identified target systems. Before each attack, however, the probability of success is weighed against the possible consequences.
- Aggressive: The penetration tester tries to exploit every potential vulnerability, e.g. by using buffer overflow exploits against target systems that could not be uniquely identified, or by disabling security systems through overload (denial-of-service attack). The client must be aware that not only the test system but also neighbouring systems or network components may crash.
Scope
Which systems are to be tested?
If a penetration test is carried out for the first time, a full test is recommended so that security flaws in systems left out of scope are not overlooked. The effort required depends largely on the number and diversity of the systems under test: identical or nearly identical systems can partly be examined automatically in one step, but every system has to be handled individually as soon as configurations differ.
- Focused: A focused penetration test examines only a specific subnet, system, or service. This scope is advisable, for instance, after the system environment has been changed or extended. Obviously, such a test only provides information about the tested system and allows no general statement about the client's IT security.
- Limited: A limited penetration test examines a limited number of systems or services, for instance all systems in the DMZ or the systems forming one functional unit.
- Full: A full penetration test examines all available systems. Note that certain systems, e.g. outsourced and externally hosted servers, may still be out of scope.
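The scope agreed with the client has to be enforced by the tester's tooling, not just written into the contract: every host a scanner wants to touch should pass through a gate that knows both the included ranges and the carve-outs (the outsourced or externally hosted servers mentioned above). The following is an added example, not plan42's own tooling; the address ranges are constructed from the RFC 5737 documentation blocks and the entry syntax (CIDR, single host, dash range) is an assumption of this example.

```python
"""Scope resolution for a penetration test.

Added example (not plan42's own tooling): the agreed scope is expressed as
include entries (CIDR, single host, or dash range) and exclude entries for
systems that stay out of scope, e.g. outsourced or externally hosted servers.
Every host a scanner wants to touch is then gated against the result.
All addresses used below are constructed documentation ranges (RFC 5737)."""
import ipaddress
from typing import Iterable, List, Tuple


def parse_entry(entry: str) -> list:
    """Turn one scope entry into a list of ip_network objects.

    Accepts '192.0.2.0/28', '192.0.2.40' or '192.0.2.50-192.0.2.52'.
    """
    entry = entry.strip()
    if "-" in entry:
        lo_s, hi_s = entry.split("-", 1)
        lo = ipaddress.ip_address(lo_s.strip())
        hi = ipaddress.ip_address(hi_s.strip())
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range {entry!r}")
        # summarize_address_range yields the minimal set of CIDRs covering lo..hi
        return list(ipaddress.summarize_address_range(lo, hi))
    # strict=False accepts a host address such as '192.0.2.40' as a /32
    return [ipaddress.ip_network(entry, strict=False)]


class Scope:
    def __init__(self, include: Iterable[str], exclude: Iterable[str] = ()):
        self.include = [net for e in include for net in parse_entry(e)]
        self.exclude = [net for e in exclude for net in parse_entry(e)]

    def contains(self, host: str) -> bool:
        """Exclusions win over inclusions: an excluded host inside an
        included range is still out of scope."""
        ip = ipaddress.ip_address(host)
        if any(ip in net for net in self.exclude):
            return False
        return any(ip in net for net in self.include)

    def targets(self) -> List[str]:
        """Every address a scanner may touch: union of the includes minus the
        excludes, deduplicated (includes may overlap) and sorted. Network and
        broadcast addresses of a range are kept on purpose: the scope is a
        permission, not a list of live hosts."""
        allowed = set()
        for net in self.include:
            for ip in net:
                if not any(ip in ex for ex in self.exclude):
                    allowed.add(ip)
        # sort by (version, numeric value) so mixed v4/v6 scopes do not raise
        return [str(ip) for ip in sorted(allowed, key=lambda a: (a.version, int(a)))]

    def partition(self, requested: Iterable[str]) -> Tuple[List[str], List[str]]:
        """Gate a tool's target list before it runs: returns (allowed, rejected)."""
        allowed, rejected = [], []
        for host in requested:
            (allowed if self.contains(host) else rejected).append(host)
        return allowed, rejected


# Constructed example scope: a /28 plus two extra entries, with an externally
# hosted /30 and one specific host carved out.
EXAMPLE_SCOPE = Scope(
    include=["192.0.2.0/28", "192.0.2.40", "192.0.2.50-192.0.2.52"],
    exclude=["192.0.2.8/30", "192.0.2.51"],
)

if __name__ == "__main__":
    print(len(EXAMPLE_SCOPE.targets()), "addresses in scope")
    print(EXAMPLE_SCOPE.partition(
        ["192.0.2.1", "192.0.2.9", "192.0.2.51", "198.51.100.7"]))
```

Running the block lists 15 addresses and rejects the host in the carved-out /30, the individually excluded host and the address outside every include. Feeding a scanner's target list through `partition` before the scan starts is the cheap check that keeps a focused or limited test from drifting into systems the client never agreed to.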
Approach
How "visible" will the penetration test team be?
If the test is to cover not only the primary security systems but also secondary aspects such as an IDS or organisational and personnel structures (e.g. escalation procedures), the approach has to be adapted accordingly.
- Covert: To examine secondary security systems and the existing escalation procedures, a covert approach should be used, at least initially. This means that reconnaissance is limited to methods that cannot be directly identified as attack attempts.
- Overt: If the covert approach triggers no response, or if a white box test involving the system administrators is to be carried out, overt methods such as extensive direct-connect port scans may be used. An overt white box test may also involve the client's employees; this is particularly advisable when testing highly critical systems, as internal staff can react faster to unexpected problems.
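Whether a scan is "visible" is decided by the client's detection rules, so it helps to look at both scan styles through the eyes of a simple IDS. The block below is an added example, not plan42's code: it simulates an extensive direct-connect port scan and a low-and-slow variant on a virtual clock (no packets are sent) and runs both through a sliding-window port-scan rule of the kind most IDS products ship by default. The probe rate, the pause between quiet probes, the window length and the threshold are assumptions chosen for illustration; whether a slowed scan really stays under a given IDS threshold has to be checked per deployment.

```python
"""Overt versus quiet port scanning, as seen by a simple IDS rule.

Added example, not plan42's code. Both scan strategies are simulated on a
virtual clock (no packets are sent) and fed through a sliding-window
port-scan detector. Rate, gap, window and threshold are illustrative
assumptions, not values taken from any product."""
import random
from collections import deque
from typing import Iterable, List, Tuple

Event = Tuple[float, int]  # (timestamp in seconds, destination port)


def overt_scan_events(ports: Iterable[int], start: float = 0.0,
                      rate_per_s: float = 200.0) -> List[Event]:
    """Extensive direct-connect scan: every port, in order, as fast as the
    tool can open connections (assumed ~200 connects per second)."""
    return [(start + i / rate_per_s, p) for i, p in enumerate(ports)]


def quiet_scan_events(ports: Iterable[int], start: float = 0.0,
                      min_gap: float = 3.0, max_gap: float = 9.0,
                      seed: int = 1) -> List[Event]:
    """Low-and-slow variant: random port order and a random pause of
    min_gap..max_gap seconds between probes."""
    rng = random.Random(seed)      # fixed seed keeps the run reproducible
    order = list(ports)
    rng.shuffle(order)
    events, t = [], start
    for p in order:
        events.append((t, p))
        t += rng.uniform(min_gap, max_gap)
    return events


def portscan_alerts(events: Iterable[Event], window_s: float = 10.0,
                    threshold: int = 15) -> List[float]:
    """Alert when more than `threshold` distinct ports are probed within any
    `window_s` window. One alert per burst: the rule re-arms once the count
    drops back to the threshold or below. Returns the alert timestamps."""
    window: deque = deque()
    alerts: List[float] = []
    armed = True
    for t, port in sorted(events):
        window.append((t, port))
        while window and window[0][0] < t - window_s:
            window.popleft()
        distinct = len({p for _, p in window})
        if distinct > threshold:
            if armed:
                alerts.append(t)
                armed = False
        else:
            armed = True
    return alerts


PORTS = range(1, 1025)  # constructed target list: the well-known ports

if __name__ == "__main__":
    overt = overt_scan_events(PORTS)
    quiet = quiet_scan_events(PORTS)
    print("overt scan: %d probes in %.1f s, alerts at %s"
          % (len(overt), overt[-1][0], portscan_alerts(overt)))
    print("quiet scan: %d probes in %.0f s, alerts at %s"
          % (len(quiet), quiet[-1][0], portscan_alerts(quiet)))
```

With these numbers the overt scan is flagged less than a tenth of a second in, while the quiet scan never has more than four distinct ports inside any ten-second window and takes well over an hour to cover the same 1024 ports. That trade-off between speed and visibility is exactly what the covert phase is meant to exercise: the interesting result is not the open ports but whether, and how quickly, the alert reaches someone who acts on it.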
Technique
Which techniques are to be used for the test?
A typical penetration test attacks the test systems only via the network. In addition, the systems may be attacked by physical means and by social engineering.
- Network-based: The usual approach is a penetration test via the network, which simulates a typical hacker attack. Since most IT networks use TCP/IP, these tests are also referred to as IP-based penetration tests.
- Other communication: Besides TCP/IP networks, there are other communication networks that can be used for attacks: telephone and fax networks, but also wireless networks for mobile communication, e.g. based on IEEE 802.11 or Bluetooth.
- Physical access: Security systems such as firewalls are now in common use and are usually configured to a high level of security, so that an attack through them is either impossible or possible only with great effort. It is often easier and faster to obtain the desired data by bypassing these systems with direct physical access, for instance by reading data from a workstation that is not password-protected after gaining unauthorised access to the building and/or server room.
- Social engineering: People are often the weakest link in the chain of security measures, which explains the success of social engineering techniques that exploit employees' insufficient security knowledge or lack of security awareness. Such tests are particularly suitable after the introduction of a general security policy, as they show how far the policy has been implemented and accepted. Misconceptions about the effectiveness of policies often create security risks; once correctly assessed, these risks can be addressed with additional measures. The extent to which social engineering methods may be used must be agreed with the client before the test.
Starting Point
Where does the penetration test start?
The starting point is the place where the penetration tester connects to the network or from where the attacks are launched. It can be outside or inside the client's network or premises.
- Outside: Most hacking attacks come via the internet connection. A penetration test from outside therefore identifies and assesses the risks of such an attack. Typically, it covers the firewall, the systems in the DMZ and remote access (RAS) connections.
- Inside: For a penetration test from inside, the tester usually does not need to overcome firewalls or access controls to reach internal networks. The test can therefore be used to assess, for instance, the effect of a firewall misconfiguration or of a successful attack on the firewall. It also reveals which data is accessible to anyone with access to the internal network.
plan42 Penetration Tests
Are you interested in having a penetration test performed in your company? Please refer to our project procedure to see how plan42 supports you. Do you have any further questions? Please feel free to contact us.