Infrastructure penetration testing

Infrastructure penetration testing is a generic term covering testing of operating systems, network services, network devices and other targets. Its objective is to identify vulnerabilities and misconfigurations that can be exploited to obtain unauthorised access to data, systems or hosted applications. Specific testing activities and methodologies may differ depending on the scope and objectives of the infrastructure testing engagement, but most engagements involve the following stages:

1. Identification and enumeration of targets of testing

2. Reconnaissance and information gathering

3. Identification of vulnerabilities, weaknesses or misconfigurations

4. Testing and exploitation of identified vulnerabilities

5. Post-exploitation activities

6. Reporting and recommendations to address the identified issues

All of the above is performed in strict conformance with the client's requirements, taking into account the scope and objectives of testing as well as any applicable technical, legal or organisational restrictions.

Understanding your options

When commissioning a penetration test, you will need to decide whether you require a black, grey or white box test. The type of testing chosen determines the amount of time and effort required as well as the level of security assurance obtained.

Black box testing is the most widely performed (“standard”) type of testing: it gives basic assurance that is sufficient in most cases. White box testing provides the maximum possible assurance, as it involves additional testing activities including review of design, architecture and source code, while grey box testing sits midway between black and white box testing in terms of assurance.

The type of testing chosen determines how much time and effort is required and the extent of your own team’s involvement in the testing process. With black box testing, your team’s involvement is limited to providing a test instance of your application or a specification of the infrastructure to be tested. With grey or white box testing, documentation, meetings and access to source code would have to be arranged.

The time required to test a particular application or infrastructure depends on its size and complexity, as well as the type of testing: a black box test of a simple application may only require a day, while a white box test of a large and complex application may require a month or more.

Most penetration testing engagements are black box tests and, very roughly speaking, usually take a week to complete.