Ensuring the security of a system to avoid external threats is certainly very important. In this case, one way that is generally done is to do penetration and testing. Then, what exactly is meant by penetration and testing, and why does this type of testing need to be done to ensure the security of a company’s information system?
In general pentest is to test computer systems against security weaknesses. What is tested certainly depends on the existing system. Example: if the system is only used internally by a company, then only internal ones are tested. If the application can be accessed publicly via a mobile application, then the mobile application also needs to be tested.
Large companies that store sensitive data such as banks certainly do not want the system to be compromised by irresponsible parties and cause huge losses. Therefore, penetration and testing need to be done to identify weaknesses that exist in the system so that it can be fixed as soon as possible before hackers or crackers take advantage of these weaknesses.
1. What is Penetration Testing?
Penetration Testing (abbreviated as pentest) is an activity where someone tries to simulate an attack that can be done against a particular organization / company network to find weaknesses that exist in the network system. The person who carries out this activity is called a penetration tester (abbreviated as pentester). Penetration Testing has official standards as a reference in its implementation. This standard can be seen at pentest-standard.org.
2. Why is Penetration Testing needed?
So why is pentest activity needed? Large companies that store sensitive data (such as banks) certainly do not want their networks to be broken into by irresponsible people who can then take control of the network and cause huge losses. For this reason the company invested funds to strengthen its network system. One of the most effective methods is to do the pentest. By doing pentest, existing security gaps can be identified and thus can be corrected as soon as possible. A pentester simulates an attack that can be carried out, explains the risks that can occur, and make improvements to the system without damaging the company’s network infrastructure.
3. Stages of Penetration Testing
Penetration Testing has a standard (PTES) that is used as a reference in its implementation which is divided into several stages:
The stage where a pentester explains pentest activities that will be carried out to the client (company). Here a pentester must be able to explain the activities to be carried out and the final objectives to be achieved.
The stage where a pentester tries to gather as much information about the target company that can be obtained by various methods and various media. Things that need to be used as a basis in gathering information are: the characteristics of network systems, the workings of network systems, and methods of attack that can be used.
The stage where a pentester seeks vulnerabilities based on information gathered in the previous stage. At this stage a pentester not only seeks security holes, but also determines the most effective loopholes to use.
The stage where a pentester combines information about an existing security hole with an attack method that can be carried out to carry out the most effective attack.
The stage where a pentester attacks the target. However this stage is mostly done by brute force method without having the element of precision. A professional pentester will only exploit when he already knows for certain whether the attacks carried out will succeed or not. But of course there are unexpected possibilities in the target security system. However, before carrying out an attack, the pentester must know that the target has a security hole that can be used. Carrying out attacks blindly and hoping for success is not a productive method. A professional pentester always perfects his analysis first before carrying out an effective attack.
The stage where a pentester manages to enter the target network system and then analyzes the existing infrastructure. At this stage a pentester studies the parts in the system and determines the most critical part for the target (company). Here a pentester must be able to connect all parts of the existing system to explain the impact of the greatest attack / loss that can occur on the target (company).
Reporting is the most important part in pentest activities. A pentester uses a report (report) to explain to the company about the pentesting done such as: what is done, how to do it, the risks that can occur and most importantly is a way to improve the system.
4. Type of Penetration Testing
There are two types of pentest types, namely: overt and covert. Overt pentest is done with the knowledge of the company. Covert pentest is done without the knowledge of the company. Both types of pentest have strengths and weaknesses with each other.
Overt Penetration Testing
At overt pentest, a pentester works together with the company’s IT team to look for as many security holes as possible. One of the advantages is the pentester knows the existing network system information in detail and can carry out attacks without worrying about being blocked. One disadvantage is not being able to test the response of the company’s IT team in the event of an actual attack. When the amount of time in pentest activities is limited, it is more effective to use the overt type.
Covert Penetration Testing
In the covert pentest, a pentester carries out pentest activities without the knowledge of the company. This means that this test is used to test the response of the company’s IT team in the event of an actual attack. Covert tests require more time and greater skill than overt tests. Most professional pentesters recommend covert tests rather than overt tests because they actually simulate an attack that can occur. In the covert test, a pentester will not try to find as many security holes as possible, but will only find the easiest way to get into the system, without being detected.