Penetration test
{{Short description|Authorized cyberattack for testing purposes}}
{{about|testing of computer systems|testing of geotechnical properties of soil|Standard penetration test}}
{{Lead too long|date=December 2021}}
{{Use American English|date=January 2014}}
A '''penetration test''', colloquially known as a '''pentest''', is an authorized simulated [[cyberattack]] on a computer system, performed to evaluate the [[security]] of the system;<ref>{{Cite news|url=https://www.doi.gov/ocio/customers/penetration-testing|title=What Is Penetration Testing?|access-date=2018-12-18}}</ref> this is not to be confused with a [[vulnerability assessment]].<ref>{{Cite news |title=What's the difference between a vulnerability assessment and a penetration test? |url=https://qualysec.com/difference-between-vulnerability-assessment-and-penetration-testing/ |access-date=2020-05-21}}</ref> The test is performed to identify weaknesses (or [[vulnerabilities]]), including the potential for unauthorized parties to gain access to the system's features and data,<ref>{{cite book|title=The CISSP® and CAPCM Prep Guide: Platinum Edition|publisher=John Wiley & Sons|isbn=978-0-470-00792-1|quote=A penetration test can determine how a system reacts to an attack, whether or not a system's defenses can be breached, and what information can be acquired from the system|date=2006-11-06}}</ref><ref>{{cite book|isbn=978-1-849-28371-7|author=Kevin M. 
Henry|title=Penetration Testing: Protecting Networks and Systems|quote=Penetration testing is the simulation of an attack on a system, network, piece of equipment or other facility, with the objective of proving how vulnerable that system or "target" would be to a real attack.|publisher=IT Governance Ltd|year=2012}}</ref> as well as strengths,<ref name="Patterson">{{cite AV media |people=Cris Thomas (Space Rogue), Dan Patterson |title=Password Cracking is easy with IBM's Space Rogue |medium=Video |url= https://www.techrepublic.com/videos/video-password-cracking-is-easy-with-ibms-space-rogue/|access-date=1 December 2017 |year=2017 |time= 4:30-5:30|publisher=[[CBS Interactive]] }}</ref> enabling a full [[risk assessment]] to be completed.

The process typically identifies the target systems and a particular goal, then reviews available information and undertakes various means to attain that goal. A penetration test target may be a [[White box (software engineering)|white box]] (about which background and system information are provided in advance to the tester) or a [[black box]] (about which only basic information other than the company name is provided). 
A [[Gray-box testing|gray box]] penetration test is a combination of the two (where limited knowledge of the target is shared with the auditor).<ref>{{Cite news|url=https://www.ncsc.gov.uk/guidance/penetration-testing|title= Pen Testing Types explained |date=2017-06-09|access-date=2018-10-23}}</ref> A penetration test can help identify a system's vulnerabilities to attack and estimate how vulnerable it is.<ref>{{cite web|title=Penetration Testing: Assessing Your Overall Security Before Attackers Do|publisher=[[SANS Institute]]|access-date=16 January 2014|url=https://www.sans.org/reading-room/analysts-program/PenetrationTesting-June06|archive-format=pdf|archive-date=February 27, 2014|archive-url=https://web.archive.org/web/20140227060833/https://www.sans.org/reading-room/analysts-program/PenetrationTesting-June06}}</ref><ref name="Patterson" />

Security issues that the penetration test uncovers should be reported to the system owner.<ref name="SANS Institute">{{cite web|title=Writing a Penetration Testing Report|publisher=[[SANS Institute]]|access-date=12 January 2015|url=http://www.sans.org/reading-room/whitepapers/bestprac/writing-penetration-testing-report-33343}}</ref> Penetration test reports may also assess potential impacts to the organization and suggest countermeasures to reduce the risk.<ref name="SANS Institute"/>

The UK [[National Cyber Security Centre (United Kingdom)|National Cyber Security Center]] describes penetration testing as: "A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system's security, using the same tools and techniques as an adversary might."<ref>{{cite web |url=https://www.ncsc.gov.uk/guidance/penetration-testing |title=Penetration Testing |author=<!-- Not stated --> |date=Aug 2017 |website=NCSC |access-date=30 October 2018}}</ref>

The goals of a penetration test vary depending on the type of approved activity for any given engagement, with the primary goal focused on finding 
vulnerabilities that could be exploited by a nefarious actor, and informing the client of those vulnerabilities along with recommended mitigation strategies.<ref>Patrick Engebretson, [http://store.elsevier.com/The-Basics-of-Hacking-and-Penetration-Testing/Patrick-Engebretson/isbn-9780124116443/ The basics of hacking and penetration testing] {{Webarchive|url=https://web.archive.org/web/20170104104648/http://store.elsevier.com/The-Basics-of-Hacking-and-Penetration-Testing/Patrick-Engebretson/isbn-9780124116443/ |date=2017-01-04 }}, Elsevier, 2013</ref>

Penetration tests are a component of a full [[Information technology security audit|security audit]]. For example, the [[Payment Card Industry Data Security Standard]] requires penetration testing on a regular schedule, and after system changes.<ref>{{cite book|isbn=978-1-84928-554-4|title=PCI DSS: A Pocket Guide, 3rd Edition|author=Alan Calder and Geraint Williams|quote=network vulnerability scans at least quarterly and after any significant change in the network|year=2014|publisher=IT Governance Limited }}</ref> Penetration testing can also support risk assessments as outlined in the NIST Risk Management Framework SP 800-53.<ref>{{Cite web|date=2020|title=NIST Risk Management Framework|url=https://csrc.nist.gov/projects/risk-management/sp800-53-controls/release-search#!/control?version=4.0&number=CA-8|website=NIST|archive-date=May 6, 2021|archive-url=https://web.archive.org/web/20210506124402/https://csrc.nist.gov/projects/risk-management/sp800-53-controls/release-search#!/control?version=4.0&number=CA-8}}</ref>

Several standard frameworks and methodologies exist for conducting penetration tests. These include the Open Source Security Testing Methodology Manual (OSSTMM), the Penetration Testing Execution Standard (PTES), the [[NIST]] Special Publication 800-115, the Information System Security Assessment Framework (ISSAF) and the [[OWASP]] Testing Guide. 
CREST, a not-for-profit professional body for the technical cyber security industry, provides its CREST Defensible Penetration Test standard, which gives the industry guidance for commercially reasonable assurance activity when carrying out penetration tests.<ref>{{Cite web|date=2022|title=CREST releases guidance on penetration testing|url=https://www.intelligentciso.com/2022/08/12/crest-releases-guidance-on-penetration-testing/|website=IntelligentCISO}}</ref>

Flaw hypothesis methodology is a [[systems analysis]] and penetration prediction technique in which a list of hypothesized [[wiktionary:flaw|flaw]]s in a [[software system]] is compiled through analysis of the [[specification]]s and documentation for the system. The list of hypothesized flaws is then prioritized on the basis of the estimated probability that a flaw actually exists, and on the ease of exploiting it to the extent of control or compromise. The prioritized list is used to direct the actual testing of the system.

There are different types of penetration testing, depending on the goal of the organization, including network (external and internal), wireless, web application, social engineering, and remediation verification.

More recently, a common pen testing tool called a flipper was used to hack the MGM casinos in 2023 by a group called [[Scattered Spider]],<ref>{{Cite web |date=2024-11-21 |title=5 defendants linked to 'Scattered Spider' hacker group behind 2023 MGM, Caesars cyberattacks |url=https://www.8newsnow.com/news/local-news/5-defendants-linked-to-scattered-spider-hacker-group-behind-2023-mgm-caesars-cyberattacks/ |access-date=2024-12-06 |website=KLAS |language=en-US}}</ref> showing the versatility and power of some of the tools of the trade.