CompTIA Pentest+ Certification For Dummies
Book image
Explore Book Buy On Amazon
Penetration testing, also known as ethical hacking, involves an information technology (IT) professional using the techniques a hacker uses to bypass the security controls of a network and its system. A security control is a protection element, such as permissions or a firewall, that is designed to keep unauthorized individuals out of a system or network.

The act the IT professionals are performing is known as a penetration test, or pentest for short (which is where CompTIA’s term, PenTest+, came from). The penetration test follows the process the hacker would take, including the discovery of targets and the exploitation of targets.

ethical hacker © Profit_Image / Shutterstock.com

From a company’s point of view, the ultimate goal of a penetration test is to have an ethical person perform attacks on different assets to determine whether those assets could be penetrated, and if the attacks are successful, what remediation steps a company could take to prevent a real attack from being successful.

For the PenTest+ certification exam, remember that remediation steps within the report are a must for any successful penetration test.

A key point to remember is that the person performing the penetration test — the pentester — is taking the mindset of a hacker and following the process a hacker takes. This involves much planning, as only 10 to 15 percent of the penetration test is actually performing the attacks. Like hacking, penetration testing is 85 percent preparation so by the time the attack is performed, the hacker or pentester is quite sure the attack will be successful. You can compare this process to robbing a bank. A bank robber will spend the most time planning the robbery. When it comes time to rob the bank, the actual act of robbing the bank is done in minutes (or so I hear).

Reasons for a pentest

Why would a company conduct a penetration test? The purpose of a penetration test is to obtain a real-world picture of the effectiveness of the security controls put in place to protect the company’s assets. Instead of taking the word of the security team that configured the security of the environment, you can put the security to the test by having someone take the steps a hacker would take and see if the security holds up. In performing such a test, the pentester can also obtain a list of steps the company could take to prevent real attacks from being successful.

Another reason to perform penetration testing is to be in compliance with regulations. Depending on the industry a company services, organizations may be governed by regulations that require penetration testing to be performed on a regular basis to ensure the security of the organization. For example, companies that collect and store sensitive payment card information are governed by the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS has strict requirements for activities that must be performed to help keep sensitive payment card information secure. Check out “Best Practices for Maintaining PCI DSS Compliance” and “Penetration Testing Guidance” to learn more about PCI DSS compliance requirements.

The following table summarizes two key requirements from the best practices document published by the PCI Security Standards Council. These requirements specify that organizations must perform an annual penetration test and implement any remediation actions identified by the test. Organizations must also perform a network segmentation penetration test every six months to maintain compliance.

PCI DSS Best Practices Requirements
Requirement Title Description
11.3 Penetration testing Perform annual penetration testing against preordinated use cases/attack scenarios and perform remediation actions to address any identified vulnerabilities
11.3.4.1 Six-month penetration testing for segmentation Bi-annual penetration testing conducted for network segmentation controls
Source: PCI Security Standards Council. Best Practices for Maintaining PCI DSS Compliance. January 2019: pp 46-47. Available at www.pcisecuritystandards.org.

The PCI Security Standards Council’s “Penetration Testing Guidance” document gives more detail on compliance requirements such as the fact that you must also perform a penetration test any time major changes are made to the network infrastructure or to applications within the organization (on top of doing annual penetration testing).

The key point here is that compliance requirements could drive the need to perform penetration tests on a regular basis.

For the PenTest+ certification exam, remember the two main reasons to perform a penetration test: (1) to get an accurate picture of the results of an attack, and (2) to be in compliance with industry regulations.

Who should perform a pentest

Now that you know what a penetration test is, the next logical question is who should perform the penetration test? You have two choices when it comes to who performs the penetration test: internal staff or an external third-party company.

Internal staff

Many organizations opt to have their internal security staff perform penetration testing. This is a good idea as it will save money, but you must make sure there is no conflict of interest with the group performing the pentest. You must also make sure the people performing the pentest are qualified to conduct it.

The members of the internal team performing the penetration test should not be part of the team who installed, configured, or manages the systems or networks being assessed. They should also not be the people responsible for implementing the security of the systems, as that is a direct conflict of interest. A separate team should be dedicated to assessing security within the organization and performing the penetration tests.

Companies may also create separate internal teams — a red team and a blue team — to help assess the security of assets within the organization. The red team is an internal security group that performs attacks on company assets, such as a penetration test and social engineering attacks to validate whether there is enough protection on the company assets.

The blue team is the internal security group within the company that is focused on protecting the assets. This includes monitoring the security controls, the intrusion detection systems, and the logs to protect the asset and identify when a security breach occurs.

It is important to note that the red team’s job is to stay up to date on any new attack methods, while the blue team must be current on any new technologies used to protect assets from attacks. The red and blue teams should also meet regularly to update each other on lessons learned so that both teams are fully aware of current attacks and mitigation strategies.

Penetration testing can be a costly affair, so having an internal team can save the company lots of money and allow for more regular pentests.

External third party

Going with a third-party company to perform the penetration test also has its benefits. For example, the third-party company is most likely not familiar with the organization’s environment (as a hacker would not be), so it can provide an even better picture of an attack because the third party would have to discover all the systems (depending on the type of pentest). Using third-party external testers is also beneficial because you have a fresh set of eyes looking at your network and systems. Internal staff have designed the defensive posture based on the attack vectors they are aware of; while external testers may have knowledge of different attack vectors and may take a totally different approach to exploiting systems.

However, using a third-party company also raises some concerns. For example, what are the qualifications of the consultants doing the pentest? And how will the details and results of the pentest be kept confidential? With a third-party company involved, confidentiality can be a bit more challenging than if a company used internal testers.

A final concern is cost. Going with a third-party company can be very costly, as penetration testing is a time-consuming process and requires a specialized skill.

Qualified pentesters

Whether you choose to use internal staff or an external third-party company to perform the penetration test, it is critical you validate the qualifications of the individuals performing the penetration test prior to the engagement.

The first qualification to look for in a pentester is whether or not that person holds industry-standard certifications that prove his or her penetration testing knowledge. For example, you may require that all individuals performing a penetration test have their CompTIA PenTest+ certification.

However, certification is not enough. The pentester should also have prior experience performing penetration testing. Following are some questions to ask when hiring a third-party company to perform a penetration test:

  • Does the penetration testing team have experience with prior penetration tests?
  • Has the pen testing team performed a test against a similarly sized organization before?
  • Does the team have experience with the types of systems and platforms being used by the company?
  • Does the team have experience with network-layer testing (networking systems and configuration)?
  • Does the team have experience with performing application-layer testing, and is it familiar with Open Web Application Security Project (OWASP) Top 10 validation techniques? (OWASP Top 10 is the top ten methods hackers are using to exploit web applications.)

How often a pentest should be performed

There is no concrete answer to how frequently you should perform a penetration test; however, it’s best to perform a pentest annually and after any major change to the infrastructure.

Standards, such as the PCI DSS, state that in order to be compliant, organizations should perform external testing once a year, plus after making any major changes to the network infrastructure or application environments. The PCI DSS also states that you should perform internal testing once a year and after any major changes.

Regular schedule

If your organization is not governed by regulations that dictate when you need to perform a penetration test, you can create your own schedule that works for you. Hiring an external team of penetration testers can be expensive, so one option may be to create a schedule that uses internal staff to test internal and external assets more frequently than an external company. For example, a schedule could look like this:
  • Every 12 months: Penetration testing of internal assets is performed by internal staff.
  • Every 12 months: Penetration testing of external assets is performed by internal staff.
  • Every 24 months: Penetration testing of internal and external assets is performed by a third-party company.

Using internal staff for pentesting can help you reduce costs of the testing while still performing them on a regular basis. However, you should have a third-party company perform a penetration test at some point because it is a great way to get a real-world picture of your assets’ vulnerabilities.

After major changes

You should also perform a pentest after making any major changes to the network infrastructure or application environments, such as upgrades to software. Some examples of infrastructure changes could be adding a new server to the network, replacing a server with a new server, or adding a new network segment. These changes could introduce new ways for hackers to get into the network, so you want to make sure you perform a penetration test to verify all is secure.

In addition, any changes to the software configuration, such as a piece of software being upgraded, should result in a penetration test of that component so that you can verify there are no vulnerabilities in the new software.

For the PenTest+ certification exam, remember that a penetration test should be performed annually and after any major change to the infrastructure.

Other considerations

A few additional considerations should be taken into account related to the timing of pentests. For example, one of the risks of a penetration test is that you could end up crashing a system or network. So, to ensure your pentests are successful in providing you with the information you want, you want to make sure you follow these recommendations when possible:
  • Perform pentests in a mockup environment. When performing penetration testing, you run the risk of crashing systems or networks due to the nature of the attacks. If possible, create copies of systems inside a test environment and perform the penetration test on the test system. It is critical that the test systems are an exact copy so that the penetration test accurately reflects the test of the real system.
  • Perform pentests before deploying the system or application into production. If possible, perform a test before a system or application is put into production. This will help reduce the cost of maintaining the system, as it is more costly to fix security issues once the system or application is live.
  • Perform pentests on a regular basis. Penetration testing is not a one-time thing. For example, if you perform a security test on a web server before it is put in production and you find it is ready for production because all simulated attacks were unsuccessful, it does not mean you do not need to test this system again. You will test the system again during the next annual penetration test.

About This Article

This article can be found in the category: