What is a Penetration Test?
It’s hard to find an accurate, agreed-upon definition of a penetration test, but we can tell you how we view a penetration test, so let’s get started.
Firstly, we would like to acknowledge the awesome work done by the VERIS team in establishing a framework and common language for security incident reporting. It’s critical that the security community is on the same page when describing and dealing with threats. Thanks also to Verizon Business for publishing the always enlightening Verizon Data Breach Investigations Report. If you haven’t read it, we strongly recommend you do so, in order to properly understand the threats to your organization.
We love the vocabulary in VERIS and use it here, so here’s a brief primer.
In analyzing a security incident, VERIS wants to know, “who did what to what (or whom) with what result?”. It breaks this down into four elements (the “A4” model):
- actors – the who (external, internal, partner)
- actions – the what (hacking, malware, social etc)
- assets – the next what (device, application, person)
- attributes – the result (the confidentiality, integrity or availability of the asset was affected)
For more detail, please explore the VERIS website.
In a Nutshell
A penetration test is a security test in which specific threat actors and threat actions are emulated to determine the risk to specific assets, and the resulting impact to the organization.
We like to rephrase the VERIS question, “who did what to what (or whom) with what result?”, as “who could do what to what (or whom) with what result?”.
A good penetration test emulates a variety of threat actors and threat actions, targets specific assets, and answers questions like:
- How secure is my network/application/data from…
  - my partners that have internal network connectivity?
  - my remote employees?
  - my employees?
  - my system and network administrators?
  - physical intruders?
  - my users or customers?
Risk can be evaluated at multiple layers; these are the layers we most commonly evaluate:
- Risk to assets – what is the risk posed to my assets?
- Risk to data – what is the risk posed to my data?
- Risk to organization or business – what is the risk posed to my business or organization?
A good penetration test team will seek to understand the organization’s business drivers so it can properly determine and convey business risk.
The result of a penetration test is an enlightenment of sorts.
The client will know the risk posed to their assets, data, and business at the time of testing (a penetration test is a point-in-time assessment, not a permanent guarantee).
They will know how their networks, computers, and applications withstand and detect real-world attacks.
They will know the effectiveness of their policies, procedures, and training.
They will know how their security staff respond to real-world attacks.
They will know the impact of any particular vulnerability, and will know the path forward to greater security.
In Summary
This post explored the very basics of what a Shorebreak Security penetration test is – at its core, it’s a security test (or set of tests) designed to emulate specific threats in order to determine risk. There are many types of penetration tests, ranging from full-scope (test everything, in every way) to more focused penetration tests targeting specific actors or actions. We will explore more specifics in future posts.