What Are the Penetration Testing Steps?
by Sarah Harvey / July 17th, 2019
If your organization or technology hasn’t gone through a penetration test or security testing before, you may not know what to expect. Even if you have, maybe you’re wondering what KirkpatrickPrice’s methodology and stages of penetration testing are. Once you know what to expect, you can probably reap the benefits of the process a bit more.
At KirkpatrickPrice, there are seven stages of penetration testing. Let’s discuss each one so your organization can be prepared for this type of security testing.
7 Steps and Phases of Penetration Testing
Our internal pentest checklist includes the following 7 phases of penetration testing:
- Information Gathering
- Reconnaissance
- Discovery and Scanning
- Vulnerability Assessment
- Exploitation
- Final Analysis and Review
- Utilize the Testing Results
1. Information Gathering
The first of the seven stages of penetration testing is information gathering. The organization being tested will provide the penetration tester with general information about in-scope targets.
2. Reconnaissance
KirkpatrickPrice uses the information gathered to collect additional details from publicly accessible sources.
The reconnaissance stage is crucial to thorough security testing because penetration testers can identify additional information that may have been overlooked, unknown, or not provided. This step is especially helpful in internal and/or external network penetration testing, however, we don’t typically perform this reconnaissance in web application, mobile application, or API penetration testing.
3. Discovery and Scanning
The information gathered is used to perform discovery activities to determine things like ports and services that were available for targeted hosts, or subdomains, available for web applications.
4. Vulnerability Assessment
A vulnerability assessment is conducted in order to gain initial knowledge and identify any potential security weaknesses that could allow an outside attacker to gain access to the environment or technology being tested. A vulnerability assessment is never a replacement for a penetration test, though.
5. Exploitation
This is where the action happens!
After interpreting the results from the vulnerability assessment, our expert penetration testers will use manual techniques, human intuition, and their backgrounds to validate, attack, and exploit those vulnerabilities.
6. Final Analysis and Review
When you work with KirkpatrickPrice on security testing, we deliver our findings in a report format.
This comprehensive report includes narratives of where we started the testing, how we found vulnerabilities, and how we exploited them. It also includes the scope of the security testing, testing methodologies, findings, and recommendations for corrections.
Where applicable, it will also state the penetration tester’s opinion of whether or not your penetration test adheres to applicable framework requirements.
7. Utilize the Testing Results
The last of the seven stages of penetration testing is so important. The organization being tested must actually use the findings from the security testing to risk rank vulnerabilities, analyze the potential impact of vulnerabilities found, determine remediation strategies, and inform decision-making moving forward.
KirkpatrickPrice security testing methodologies are unique and efficient because they do not rely on static techniques and assessment methods. Effective penetration testing requires a diligent effort to find enterprise weaknesses, just like a malicious individual would. We’ve developed these seven stages of penetration testing because we’ve proven that they prepare organizations for attacks and fix areas of vulnerability.
If you want to avoid the consequences of compromised technology while working with an expert ethical hacker, contact us today.
More Penetration Testing Resources
7 Reasons Why You Need a Manual Penetration Test
