What is a penetration test and why should you arrange one for your system?
A penetration test, also known as a “pentest”, is an authorized simulation of attacks on a computer system, performed to evaluate the security of that system.
Pentests are done with specific threats and goals in mind, so the results can be applied to improve the “real world” security posture of the system being tested. Pentests can augment University Information Security Office (UISO) security reviews and/or network vulnerability scans. A pentest done after remediation of vulnerabilities found during reviews, scans or previous pentests can help ensure that remediation is complete and find additional vulnerabilities not detected during previous scans or reviews.
Some systems, or the data they handle, are covered by regulations or policies that require that those systems undergo a penetration test; we may be able to conduct the required testing.
What types of testing does the UISO offer?
We primarily offer network services testing and web application testing, and can add some social engineering and physical security testing depending on the types of threats that are a concern and the goals of the testing.
Network services testing focuses on finding and exploiting weaknesses in computer services, primarily, but not exclusively, over a network connection. Depending on the goals of the test, this may include some of the content provided by those services.
Web application testing focuses on finding and exploiting weaknesses in websites with interactive elements provided by client-side scripting, server-side scripting, or a combination of both.
Social engineering testing focuses on the interaction of people and technology, such as emails and websites that attempt to persuade people to provide information or perform actions that will allow access to restricted systems and resources.
Physical security testing focuses on determining what vulnerabilities and weaknesses can be exploited with physical access to computer system components. To a lesser extent, gaining physical access to computer system components may also be tested, if it is possible to do so without risk to staff or property.
Who may request a penetration test?
Any university department that owns and operates a computer system on Indiana University assets may request a penetration test. It is important to note that only IU-owned assets and staff may be part of a penetration test. Currently, we are not able to perform pentests on IT resources in “Cloud” environments such as Azure, AWS, and GCP, although we hope to add this soon.
Preparing for and requesting a pentest
Penetration tests are divided into three main phases: pre-engagement, engagement, and post-engagement. The pre-engagement phase determines what will be tested, what testing will be performed, and when. Before those three things can be determined, it is best to prepare by answering the following questions:
- How well understood is the system to be tested, both technically and operationally?
- What would make compromising the system valuable to an attacker?
- What would the impact to your department, Indiana University, and the users of the computer system be if the system were compromised, or the data it handles were exposed or stolen?
To help answer these questions and provide good documentation of the system to be tested, we've created a list of documentation that must be provided before the end of the pre-engagement phase.
Once you are ready to schedule a pre-engagement meeting to discuss the testing being requested and to arrange for the engagement phase, when all active testing is done, email email@example.com.