Highly accurate Information Security Testing

What is a Penetration Test?

Posted: August 30, 2014

It’s hard to find an accurate definition of a penetration test, but we can tell you how we view and a penetration test, so let’s get started.

Firstly, we would like to acknowledge the awesome work done by the VERIS team in establishing a framework and common language for security incident event reporting.  It’s critical that the security community is on the same page when describing and dealing with threats. Also thank you to Verizon Business for publishing the always enlightening Verizon Data Breach Investigations Report.  If you haven’t read it, I would strongly recommend you do so, in order to properly understand the threats to your organization.

We love the vocabulary in VERIS and utilize it here, so here’s a brief primer of VERIS.

In analyzing a security incident, VERIS wants to know, “who did what to what (or whom) with what result?”.  They break this down into:

For more detail, please explore the VERIS website.

In a Nutshell

A penetration test is a security test where a specific threat actors and threat actions are emulated to determine the risk to specific assets, and the resultant impact to the organization.

We like to rephrase VERIS’, “who did what to what (or whom) with what result?”, to who could do what to what (or whom) with what result?.  

A good penetration test emulates a variety of threat actors and threat actions, targeting specific assets, and answers questions like:

Risk can be evaluated at multiple layers, but here are the most common layers we evaluate.

A good penetration test team will seek to understand the organization or business drivers so they can properly determine and convey business risk.

The result of a penetration test is an enlightenment of sorts.

The client will know the risk posed to their assets, data, and business at the time of testing.

They will know how their networks, computers, and applications withstand and detect real-world attacks.

They will know the effectiveness of their policies, procedures, and training.

They will know how their security staff respond to real-world attacks.

They will know the impact of any particular vulnerability, and will know the path forward to greater security.

In Summary

This post explored the very basics of what a Shorebreak Security penetration test is – at it’s core, it’s a security test (or set of tests) designed to emulate specific threats to determine risk.  There are many types of penetration tests, ranging from full-scope (test everything, in every way), to more focused penetration tests targeting specific actors or actions.  We will explore more specifics in future posts.