A key fact to know about network penetration testing for beginners: If an organization pays someone to try to break into its network, it typically wants that person to find either zero or myriad faults.
Organizations commonly invest in network penetration testing for compliance, either because testing is mandated or to ensure the network has no undiscovered issues. Another reason that organizations invest in this testing is to gauge their networks’ vulnerabilities. For beginner network penetration testers, critical vulnerabilities to remember are issues with authentication, patching and configuration, according to author Royce Davis.
In his book, The Art of Network Penetration Testing, Davis demonstrates his process of network penetration testing for beginners and enables readers to shadow him in this process. Below is an excerpt of Chapter 1, “Network penetration testing,” which highlights the process from beginning to end to give newcomers an inside look at network penetration testing.
Organizations typically have three common types of vulnerabilities. Davis defined a vulnerability as “something attackers can exploit.” Network penetration testing beginners should know the following:
- Authentication. Authentication provides control over one or more systems to end users with proper credentials. Authentication issues arise when an organization’s system doesn’t have a password, when the password is obvious or easy to guess, or when the password is the default.
- Patching. A patch is a simple fix for bugs or issues with system functionality. If the information security community is aware of a security bug in a vendor’s product, then hackers are likely aware of it, too, Davis said. An organization may have a patching issue if the IT team didn’t download a patch that the vendor provided to fix the bug.
- Configuration. Configuration typically refers to how a network is arranged, including any hardware and software within the system. A configuration issue arises, for example, when the organization has a service with an administrator console and the IT team forgot to turn off that console after deploying the service. If an attacker gained access to that console, the network would be at risk.
These three vulnerabilities are commonly found in all types of businesses — no matter the size, market or years in existence, Davis said. Yet, vulnerabilities aren’t the only reasons why organizations invest in network penetration testing. For beginners, one question to ask organizations before testing is not the what, but the why.
The what — what the tester is there to do — is network penetration testing. The why, on the other hand, could be for compliance, vulnerabilities or something entirely different. Davis said the why is critical to know in order to deliver exactly what the organization wants.