I have been involved in planning, organising, and managing penetration tests in various environments, and I often find that the purpose of such exercises is misunderstood. Penetration testing is a discipline whereby certain risk scenarios are put to the test by someone (or a team of people) with a suitable level of knowledge and competence to identify vulnerabilities and security weaknesses, and to show how they can be exploited (and might be exploited in real life).
Many penetration tests focus on the unauthenticated “hacker” from the Internet, i.e. what an external person with no credentials can do to gain unauthorized access to a network, systems, or information. However, sometimes these tests focus on the inside.
In these tests, it is customary to provide the tester with some level of access, yet I have sometimes been asked why penetration testers need to be given credentials; surely a good penetration tester could just “hack in.” In addition, if the tester is given credentials, then their “findings” are not really findings and there is no value in such testing.
The statement above would be perfectly valid if the point of the test were to see what an unauthorized external individual could do, but limiting our testing to that means we are only looking at one risk scenario.
In reality, many attacks happen on the inside of an organisation, whether through disgruntled employees or rogue insiders (it does happen! Just do a quick Google search on the various incidents). Therefore, penetration tests that check whether people can escalate privileges to access systems and data they should not be able to reach, and that identify internal vulnerabilities, are essential.
In this case, the tester should be treated just like an employee for the scenario to be realistic. Providing them with the same standard access as the relevant employees in the risk scenario allows the tester to spend all their time focused on testing that scenario.
The key to getting the best value out of any penetration testing activity is to first agree on which risk scenarios are to be tested (e.g. are you concerned about the Internet-based attacker, the malicious insider, or the cleaner with out-of-hours access), and then to specify the objectives of the test (e.g. should the test prove or disprove that a certain set of controls actually works as expected, or are we testing whether the IT team detects suspicious activity).
Penetration testing should never be just another tick in a box, or yet another hoop to jump through on a project. Doing so wastes money, leads to confusion, and in some cases creates a false sense of security. If penetration testing is treated as one control among others in your security programme and is carefully thought through, then an organisation can get excellent value from skilled testers, gain a clear view of which security issues need to be addressed, and, hopefully, the question of why the testers need credentials becomes less of a concern.
For this reason, courses like the PECB Certified Lead Pen Test Professional have been developed to address this and many other issues, to give security professionals a better understanding, and to provide the skills needed by a competent professional in the field of professional penetration testing. If you want to learn more, you can attend one of our PECB Certified Lead Pen Test Professional training courses.
For more, please visit www.pecb.com/lead-pen-test-professional
About the author: Graeme Parker is an experienced professional in the Cyber Security, Risk Management and Governance fields, with proven experience in implementing and developing effective management systems and in performing penetration tests for small and large organisations. He is the Managing Director of Parker Solutions Group, the PECB representative in the United Kingdom.
If you have any questions, please contact him at: firstname.lastname@example.org