INTRODUCTION TO PEN TESTING

By 2023, the global cybersecurity market is expected to skyrocket to $165 billion from 2011's $64 billion. As technology evolves, the complexity of systems increases day by day, which leads to more and more vulnerabilities in those systems. The security risks for companies and organizations that work with sensitive data, whether in the public sector or not, are more than evident. In many situations, these entities are unable to understand the extent of their complex communication structures and have little or no control over them. Malicious actors take advantage of these scenarios and use these vulnerabilities to exploit the victim's system and gain unauthorized access. Moreover, today's malware is highly sophisticated and capable of evading any state-of-the-art malware detection tool using code obfuscation and repacking techniques. Therefore, it is better to find these weaknesses before an attacker does. However, assessing the security of an infrastructure is a continuous task, needed to understand the risks that persist. This assessment is usually performed through well-defined security tests. One well-known way to assess the state of security and reduce security risks is the penetration test. A pen test (PT) is a process of penetrating a system or network in order to safely find its vulnerabilities. It is basically a simulation of a regular attack by a hacker. A PT begins by planning the attack, then scanning the target system for vulnerabilities, penetrating the security perimeter, and maintaining access without being detected. Most importantly, you cannot simply start pen testing a network or application directly: there are procedures to follow before pen testing a resource (objectives, limits, scope, justification), a methodology to choose for the scenario, the right tools to select and, last but not least, the findings to document.
Today, more and more people are shifting towards the cloud (a term for remote computing resources), which has become an inextricable part of modern business. Organizations use cloud-based services such as platform-as-a-service (PaaS), software-as-a-service (SaaS), or infrastructure-as-a-service (IaaS). These cloud services help organizations expand their scope while minimizing their capital expenditures and labor costs for adding new technology solutions. The cloud is revolutionizing how we run applications and services by providing low-cost, flexible, and innovative hosting models. However, the shift to the cloud comes with downsides as well. The cloud is not more or less secure; rather, it is secured differently, and what changes is where the responsibility for managing the different security components lies. It definitely strengthens many areas while presenting new risks in others. When adopting cloud solutions, many organizations fail to balance the benefits of the cloud against the cloud security threats and challenges they may face. These cloud security risks need to be properly addressed before the organization adopts a cloud solution. In a nutshell, there are components that cloud providers take responsibility for, such as the OS, applications, network traffic, hypervisor, infrastructure, the physical layer, etc. So, if you are comfortable letting cloud providers take responsibility for these, then the cloud is the best option.

PT METHODOLOGY

There are numerous penetration testing techniques available, and the choice depends entirely on how much information you have or are given. We can classify PT into three main categories: White Box, Black Box and Grey Box. All penetration testing techniques work on the same principles. The first phase is planning and preparation, in order to define the end goals. The second is discovery of the target, in order to gain as much information as possible. In the third phase, the pen tester tries to infiltrate the environment using network and application tools in order to exploit the vulnerabilities. In the fourth phase, the pen tester documents the entire procedure, the tools used, the weaknesses found and the remediation for them. In the last phase, the pen tester goes back and removes any artifacts used to penetrate the system, since real hackers could use them in the future.

Cloud computing has come a long way towards becoming the most preferred way of accessing software tools, documents and other files over the Internet. The usage statistics above show that cloud usage increased drastically during the pandemic.

Moving forward, cloud computing is on the rise. It has brought many benefits in terms of resources and computation, along with a huge change in how we manage infrastructure: a paradigm shift from on-premise hosting in data centers to putting things up in this amorphous blob we call the cloud. Let's answer the question of whether it is secure or not. It all depends on how well you configure it, as there are scenarios in which hosting an application internally would be more secure than hosting it in the cloud. So you have to work out the most suitable configuration settings, under which the application can run more safely than in the ordinary case.

| Category | White Box | Black Box | Grey Box |
|---|---|---|---|
| Approach | Consent Audit | Blind Audit | Mixed Audit |
| Information Level | Network topology, asset and software inventories | Knows nothing about the target infrastructure | Partial knowledge |
| Pros | As the tester has knowledge of the source code, it becomes very easy to find out which type of data can help in testing the application effectively | Well suited and efficient for large code segments; code access is also not required | Testing is performed from the point of view of a user or attacker rather than a developer, and it also allows testing to be prioritized |
| Cons | Costs are increased, as a skilled tester is needed for it | Limited coverage, since only a selected number of test scenarios are actually performed | It's not ideal for algorithm testing and it's also redundant, as it's time consuming |