We have a few blogs written on penetration testing. These blogs include information on the steps or phases to properly conduct a penetration test, how penetration tests relate to satisfying SOC 2 requirements, information on how penetration testing compares to vulnerability assessments, and more. Feel free to check out these related blogs:
- External Penetration Testing & SOC 2 Reports: How Are They Related?
- Vulnerability Assessment vs Penetration Testing for SOC 2 Audits
- Vulnerability Scanning: Importance of Vulnerability Scans in SOC 2 Audits
For this blog, I will focus on the different types of penetration testing. This is in effort to help readers understand which type of penetration test may be best suited for their needs when looking into penetration testing services. I will also conclude with context around the types of tools that are used to perform penetration tests.
Why Perform Penetration Testing?
Before outlining the types of penetration testing, I wanted to quickly touch on the purpose of a penetration test and the value provided from a properly conducted test. Penetration testing is an important part of understanding an organization’s ability to prevent both unauthorized and malicious actors from accessing company resources. Penetration testing is a type of system test where the party conducting the testing is trying to break into a system to see if unauthorized access is possible. The results of a penetration test should be a detailed report to understand where network and system weaknesses lie to be able to remediate them to prevent an actual attack by malicious external parties.
How Many Types of Penetration Tests are There?
There is not just one type of penetration test that can be performed. There are actually various types of penetration tests that can be utilized based on the scope of any particular engagement with a penetration testing third party. This is not a definitive list, but this section will focus on the following types of penetration tests, along with a brief overview of each: External, Internal, Web Application, Social Engineering, and Physical.
- External – An external penetration test is conducted by an external third party with (usually) no knowledge of an organization’s network. The external tester will utilize tools to perform reconnaissance activities with software tools to gain information with regard to existing vulnerabilities that could be used to exploit a system.
- Internal – An internal penetration test is conducted from within an organization’s network. With this type of test, the objective and focus are to determine what a malicious actor could do if they are inside the internal network in an “assumed breach” state after successfully gaining unauthorized access. Once inside the network, the tester could use various techniques to attempt to see what data can be extracted, attempt to increase their level of access to an administrator, and/or access to traffic between systems, etc.
- Web Application – A web application penetration test focuses on web applications and databases. Scans can detect improperly coded applications which can then be compromised to gain unauthorized access. To further add, the OWASP is a resource that provides education and information for developers to secure web applications. The OWASP site outlines the Top 10 Application Security risks, descriptions of each, and details on how to prevent and protect against each as well.
- Social Engineering – A social engineering penetration test is used to trick and deceive individuals typically through a false sense of authority or trust; all for the purposes of gaining access to the target information. This type of penetration test bypasses network security altogether by exploiting human weaknesses. A key way to help prevent successful social engineering attacks is through a properly implemented security policy and security awareness training programs in order for staff to be able to detect suspicious activities and requests for information.
- Physical – A physical penetration test is geared at bypassing physical security controls. This can include bypassing badge readers, piggybacking/tailgating, defeating biometric controls, lock picking, etc.
What is the Difference Between Black-Box, Grey-Box, & White-Box Penetration Testing?
Once the type of target or specific penetration test is selected (from those listed above), though not definitive, there are three general categories in which the type of penetration test can be used. These general categories are: white-box testing, grey-box testing, and black-box testing.
What is White-Box Penetration Testing?
White-box penetration testing, also known as Crystal box testing, is a type of test where all knowledge of the environment being tested is provided to the tester.
- What is an advantage of white-box testing?
- A white-box test typically takes less time and is less expensive to conduct than the following two mentioned below (as all upfront systems, network information, and credentials are provided to the tester).
What is Grey-Box Penetration Testing?
Grey-box penetration testing is a type of test where some knowledge of the environment being tested is provided to the tester.
- What is an advantage of grey-box testing?
- Since information is provided upfront, this is a good test to see the harm an insider threat with knowledge of the environment and/or with privileged access (administrator) may be able to cause, if they have malicious intent.
What is Black-Box Penetration Testing?
Black-box penetration testing is a type of test where no upfront knowledge of the environment being tested against, is known or provided to the tester.
- What is an advantage of black-box testing?
- This type of test is seen as the best method to demonstrate a ‘real-world example’ of how an outside attacker would be able to compromise the network or system with no knowledge of a firm’s internal environment.
- What is a potential disadvantage of black-box testing?
- This type of test is more time-intensive than the grey-box and white-box testing due to the time required for the tester to perform reconnaissance on the environment; which would be not in-scope in the other two types noted above.
More details on the specific types of testing these methodologies can be found here. The penetration tester should be able to provide details on which type of test may best suit the engagement based upon various factors such as: objectives, time, and cost limitations or requirements.
Penetration Testing Phases & Type of Penetration Test Tools
First, I would like to highlight the general key steps to a penetration test which are generally categorized as follows: planning, scanning + vulnerability identification, exploitation, reporting, remediation, and rescanning. The rest of this blog will be focused on the “scanning + vulnerability identification and exploitation” step covering the tools used to conduct and address this phase.
What are Penetration Testing Tools?
Penetration testing tools refer to software utilized to perform penetration testing activities. There are various tools that can be used to perform penetration testing. Possession and use of the tools will require permission from management and require an approved business use case. Outlined below are some of the types of penetration testing tools used by testers.
Type of Penetration Testing Tools
- NMAP – is a free network scanner that supports a large number of scanning techniques. The tool is used to query open ports to determine which applications are running. It also provides other details a malicious actor can use to identify vulnerabilities to exploit. Not only can it scan single applications, but NMAP is also used to scan entire networks to provide information on all hosts within a network that can be attempted to be exploited through open ports. More details on how NMAP works can be found here.
- Metasploit – is a type of exploitation tool. It can exploit a vulnerability on a system and provide access to the actor running the tool. More information on Metasploit can be found here.
- Meterpreter – is the payload or code that executes when an exploit is found through Metasploit. More details on Meterpreter can be found here.
- C2 Frameworks – There are various types of Command and Control (C2) frameworks that all provide different ways to perform covert communications and other adversary emulation features used by penetration testers. Detailed information on the various C2 Frameworks can be found via a quick Google search.
Essentially, after a penetration test is completed through the use of one or a combination of the tools above (or others), a thorough report that outlines the vulnerabilities and weaknesses is critical. A thorough report is essential in order to be able to understand the issues, and their impacts, and to be able to take the appropriate remediation actions as soon as possible.
There are various types of penetration tests as well as tools used by penetration testers to gain an understanding of the vulnerabilities that exist within a system, network, individual, etc. If you would like more information on how a penetration test can support meeting your IT audit requirements please feel free to reach out and contact us. Additionally, to learn more about our services offered please visit the following links: SOC 1, SOC 2, HIPAA Audits, Royalty Audits, HITRUST, FedRAMP Compliance Certification.
Olivia Refile (CISSP, CISA, CRISC, GSEC, ISO lead Auditor) specializes in SOC examinations for Linford & Co., LLP. She completed her Bachelors of Business Administration, with a concentration in Management Information Systems from Temple University’s Fox School of Business in 2010. Olivia started her career in IT Risk Management in 2010 specializing in internal, external audits as well as IT security risk assessments. Following her time in risk management Olivia moved solely into external IT Audit and is currently dedicated to performing SOC 1 and SOC 2 examinations.