Penetration testing, also known as pen testing or ethical hacking:
- Is an advanced, offensive form of security testing designed to provide a deep technical analysis of a target environment’s vulnerability to exploitation and attack.
- Goes beyond basic risk assessment and automated techniques.
- Relies on the expertise of a skilled security professional who follows a test process to conduct an authorized, simulated attack to evaluate security.
- Results in a report listing identified vulnerabilities and recommended mitigations.
Unlike vulnerability scans of U-M networks, which are conducted on a regular basis by Information Assurance (IA), pen tests are more intrusive and involve active exploitation of security vulnerabilities. They are typically performed at the request of business or system owners who want to proactively test a critical system that a real attacker could target, with the objective of producing a roadmap for security remediation. Secure Coding and Application Security (DS-18) strongly recommends pen tests as a secure coding practice for software and application developers with code or applications classified as Restricted or High.
For more information: How to Choose Between Penetration Tests and Vulnerability Scans
Request Penetration Testing
U-M units can request penetration testing for a specific unit target environment from IA.
Testing targets might include websites, applications, infrastructure components, hosting environments, and more.
Contact the ITS Service Center to request a penetration test. An IA staff member will meet with you to determine the test parameters and scope, as well as other details, which will be documented in a Rules of Engagement document.
Test Process
While every test is different, most follow this basic high-level methodology:
- Reconnaissance. The tester will try to find out as much information as possible about the target environment through available sources such as search engines, DNS, mailing lists, and so on.
- Scanning. The tester will use port and vulnerability scanners to discover and fingerprint open ports and services in the environment, as well as to identify potential vulnerabilities in those services.
- Testing. The tester will conduct both automated and manual testing to probe in-scope applications in the environment. The tester may use provided credentials to emulate an authorized user.
- Exploitation. Vulnerabilities detected during testing will be exploited to determine their impact and scope. If possible, the tester will leverage any advantage gained through exploitation to penetrate further into the environment within the defined scope and agreed-upon Rules of Engagement.
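To make the scanning step and the scope limit concrete, here is an added example (not IA's tooling or anything from the original page) of a small scope-gated port scanner with banner fingerprinting. It assumes a constructed Rules of Engagement scope (the loopback network stands in for a unit's in-scope hosts), a constructed target service that it starts itself so the example runs offline, and a deliberately crude banner classifier; real testers use nmap or similar tools with signature databases, but the shape is the same: refuse anything outside the agreed scope, then connect, read what the service says about itself, and record the result.

```python
import ipaddress
import socket
import threading

# Assumption: the agreed-upon Rules of Engagement scope for this engagement.
# Loopback stands in for the unit's in-scope networks so the example runs offline.
IN_SCOPE_NETWORKS = [ipaddress.ip_network("127.0.0.0/8")]


def in_scope(host: str) -> bool:
    """Return True only if host resolves to an address inside the agreed scope."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = ipaddress.ip_address(socket.gethostbyname(host))
    return any(addr in net for net in IN_SCOPE_NETWORKS)


def start_fake_service(banner: bytes):
    """Constructed stand-in for a target service: a loopback listener on an
    ephemeral port that sends `banner` to every client that connects."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed, stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def closed_port() -> int:
    """Pick a loopback port that is (almost certainly) not listening."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def grab_banner(host: str, port: int, timeout: float = 1.0) -> str:
    """Connect and read whatever the service volunteers on connect."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            return s.recv(256).decode("latin-1", "replace").strip()
        except socket.timeout:
            return ""  # open, but silent until spoken to


def fingerprint(banner: str) -> str:
    """Crude service guess from the banner; assumption: only a few protocols
    are recognised here, real scanners use large signature databases."""
    b = banner.lower()
    if b.startswith("ssh-"):
        return "ssh"
    if b.startswith("220") and "ftp" in b:
        return "ftp"
    if b.startswith("220"):
        return "smtp"
    return "unknown"


def scan(host: str, ports, timeout: float = 0.5) -> dict:
    """Scope-gated scan: refuse hosts outside the Rules of Engagement, then
    return {port: banner} for every port that accepts a connection."""
    if not in_scope(host):
        raise PermissionError(f"{host} is outside the Rules of Engagement scope")
    results = {}
    for port in ports:
        try:
            results[port] = grab_banner(host, port, timeout)
        except OSError:
            continue  # refused or filtered: not reported as open
    return results


def demo() -> dict:
    """Run the scanner against the constructed target; returns {port: service}."""
    srv, open_port = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")
    try:
        found = scan("127.0.0.1", [open_port, closed_port()])
        return {p: fingerprint(b) for p, b in found.items()}
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo())
```

The scope check runs before any packet is sent; attempting `scan("10.0.0.5", [22])` with the scope above raises `PermissionError` rather than touching the host, which is the behaviour a tester wants when a scope document, not a scanner default, decides what is fair game.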
Report of Findings
At the conclusion of the agreed-upon test window, the tester will provide a report of findings that includes a list of all vulnerabilities found and validated. Each vulnerability will be assigned a severity level and ranked relative to other vulnerabilities discovered in the environment. A description of the impact of each vulnerability and recommendations for remediation will also be included.
A meeting will be scheduled with the ethical hacker who performed the test to discuss findings and important remediation steps and activities.