Penetration Testing: 5 Common Myths Explained

  • Penetration testing helps companies identify weaknesses in their IT environment.
  • In spite of many myths, penetration testing provides valuable insight.

Over the years of my career as a penetration tester, I have encountered many myths and misconceptions regarding penetration testing, some of which I’d like to share with you:

Myth #1: Vulnerability scanning can identify all vulnerabilities in an organization’s environment, and hence, penetration tests are unnecessary.

Vulnerability assessment is the process of identifying weaknesses in an IT environment by means of automated vulnerability scanners. Scanners are pre-loaded with “signatures” for known vulnerabilities, so they report only issues for which a signature exists, and they stop at the finding: the subsequent steps an attacker would take from that finding are not explored. For instance, a scanner may report that a system accepts a default password. A penetration tester would go further, log into the system with that password, and extract sensitive data stored in clear text, data the IT personnel believed was encrypted on that system. The scanner finding is only the starting point; the real business impact becomes visible only once it is exploited.

Myth #2: Professional penetration testers use expensive commercial tools.

While some tools used by professional penetration testers are commercial, such as automated vulnerability scanners, most are free and open-source tools widely available for download. Many of these tools were written by the hacking community after someone discovered a way to break a piece of functionality and packaged the technique for reuse. Such tools greatly simplify the exploitation of vulnerabilities, making it possible for relatively unskilled adversaries to compromise networks. Penetration testers use the same tools precisely because doing so simulates what a real attacker would do.

Myth #3: One system compromise has no effect on other systems.

A system exploited by a penetration tester often serves as a pivot point for launching further attacks on other systems on the network. One common approach is to extract user credentials (such as passwords or password hashes) from the compromised system and reuse them to advance further inside the network, exploiting the trust relationships that exist among systems: a credential that is valid on one host is frequently valid on many others.

Myth #4: Penetration testing focuses on production networks containing sensitive data.

Organizations often want penetration testing to focus on production networks containing sensitive data, and they exclude networks holding non-sensitive data, such as development environments, from the scope of a test. It is not surprising that such disregarded environments are often riddled with vulnerabilities. Because they frequently share credentials and trust relationships with production, a compromise there can put the sensitive networks at risk, as illustrated by Myth #3, so these networks should be tested periodically as well.
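The pivoting described under Myth #3 and the scoping problem of Myth #4 can be made concrete with a small model of credential reuse. The following is an added example, not tooling from the author or from AT&T: the host inventory, zone names and credential names are all constructed for illustration. Each host records which credentials it accepts and which credentials an attacker can harvest from it once it is compromised; a breadth-first search then computes how far a single foothold spreads, and a separate check lists the credentials that bridge the development and production zones.

```python
"""Credential-reuse pivot model (constructed example, not the author's code)."""
from collections import deque

# Constructed inventory. "accepts": credentials that grant access to the host.
# "stores": credentials recoverable from the host after compromise (cached
# hashes, config files, keys). Hosts in zone "dev" are what Myth #4 leaves out.
HOSTS = {
    "dev-jenkins":  {"zone": "dev",  "accepts": {"jenkins-local"},
                     "stores": {"deploy-svc"}},
    "dev-db":       {"zone": "dev",  "accepts": {"deploy-svc"}, "stores": set()},
    "prod-web":     {"zone": "prod", "accepts": {"deploy-svc"},
                     "stores": {"app-db-ro", "DOMAIN\\svc_backup"}},
    "prod-db":      {"zone": "prod", "accepts": {"app-db-ro", "DOMAIN\\dba"},
                     "stores": set()},
    "prod-backup":  {"zone": "prod", "accepts": {"DOMAIN\\svc_backup"},
                     "stores": {"DOMAIN\\dba"}},
    "hr-fileshare": {"zone": "prod", "accepts": {"DOMAIN\\hr_user"},
                     "stores": set()},
}


def blast_radius(hosts, foothold, initial_creds):
    """Simulate pivoting from one compromised host.

    Returns (owned_hosts, harvested_creds, path). path maps each owned host to
    (host the credential was harvested from, credential used), or None for the
    foothold. Every time the credential set grows, all hosts are re-checked, so
    the search is complete for this model.
    """
    cred_source = {c: foothold for c in initial_creds}
    owned = {foothold}
    path = {foothold: None}
    queue = deque([foothold])
    while queue:
        host = queue.popleft()
        for cred in hosts[host]["stores"]:          # harvest what the host holds
            cred_source.setdefault(cred, host)
        for other, info in hosts.items():            # try every held credential
            if other in owned:
                continue
            usable = sorted(info["accepts"] & set(cred_source))
            if usable:
                owned.add(other)
                path[other] = (cred_source[usable[0]], usable[0])
                queue.append(other)
    return owned, set(cred_source), path


def attack_path(path, target):
    """Reconstruct the chain of hosts from the foothold to target."""
    chain, node = [], target
    while node is not None:
        chain.append(node)
        step = path[node]
        node = step[0] if step else None
    return list(reversed(chain))


def zone_bridging_credentials(hosts):
    """Credentials harvestable in one zone and accepted in another.

    These are the trust relationships that make an out-of-scope dev compromise
    a production problem; each one is a finding in its own right.
    """
    stored_in = {}
    for info in hosts.values():
        for cred in info["stores"]:
            stored_in.setdefault(cred, set()).add(info["zone"])
    bridging = set()
    for info in hosts.values():
        for cred in info["accepts"]:
            if any(z != info["zone"] for z in stored_in.get(cred, ())):
                bridging.add(cred)
    return bridging


if __name__ == "__main__":
    owned, creds, path = blast_radius(HOSTS, "dev-jenkins", {"jenkins-local"})
    print("compromised from a dev foothold:", sorted(owned))
    print("harvested credentials:", sorted(creds))
    print("path to prod-db:", " -> ".join(attack_path(path, "prod-db")))
    print("zone-bridging credentials:", sorted(zone_bridging_credentials(HOSTS)))
```

In this constructed inventory a single development build server leads, through one shared deployment credential, to every production host except the HR file share; a test scoped to production only would never have exercised that entry point, and the zone-bridging check is the kind of finding that lets the client fix the trust relationship rather than a single host.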

Myth #5: Penetration testers use the same approach and are likely to uncover the same issues.

Despite its seemingly clear-cut approach (identify and exploit), penetration testing of the same network may produce different results when conducted by independent testers. By initially choosing different vulnerabilities to exploit, independent testers may explore different attack paths in their attempt to compromise the network and thus uncover different sets of issues, which is why a second, independent test is not simply a repeat of the first.

Have you encountered any of these myths or misconceptions about penetration testing? Do you have any experiences you would like to share?

Jennia Hizver, Security Researcher and Consultant, AT&T Consulting Practice