A penetration test, or a pen test, is a simulated cyber attack against your computer system. It’s purpose is to check for exploitable vulnerabilities. The purpose of this is to identify any weak spots in a system’s defenses.
This is like a bank hiring someone to try to break into their building and get in to the vault. If the ‘burglar’ succeeds, the bank will gain valuable insight in to how they need to strengthen their security.
Usually, outside contractors are brought in to perform the tests. They are often called ‘ethical hackers’ since they are hacking into a system with permission and for a good reason. It is generally best to have a pen test performed by someone with little-to-no prior knowledge of how the system is secured.
Types of pen tests
Open-box pen test
In an open-box test, the hacker will be provided with some information ahead of time regarding the target company’s security posture.
Closed-box pen test
Also called a single-blind test. It’s where the hacker is given no background information besides the name of the target company.
Covert pen test
Sometimes called a double-blind pen test. In this situation, almost no one in the company is aware that the pen test is happening. Not even the IT and security staff responding to the attack. For this kind of test, the hacker will need to have the scope and other details of the test in writing beforehand to avoid any problems with law enforcement.
External pen test
Here, the ethical hacker goes up against the company’s external-facing technology. That’s things like their website and external network servers. Sometimes, the hacker may not even be allowed in to the company’s building. They may carry out the attack from a remote location, maybe even from a vehicle parked nearby.
The main benefit of this method of testing is to simulate a real-world cyber attack. The pen tester assumes the role of an uninformed attacker. External testing tends to be the most expensive kind of testing. This is because of the planning and effort that goes in to them. They can take anything up to six weeks to carry out, and cost over $25,000.
Internal pen test
In an internal test, the ethical hacker performs the test from the company’s internal network. This is useful in determining how much damage a disgruntled employee can cause. The goal of this test is to conduct an in-depth security audit of a business’s systems. The pen tester is seeking as much detail as possible.
As a result, the tests are more thorough because the pen tester has access to areas where an external test cannot, such as quality of code and application design.
The phases of a typical penetration test are Reconnaissance, Scanning, Gaining access, and Maintaining access.
“Hackers” will gather as much information about the target as possible from public and private sources. These sources include internet searches, domain registration retrieval, social engineering, nonintrusive network scanning, and even dumpster diving. Such information helps the pen tester map out the target’s possible vulnerabilities. Reconnaissance can vary with the scope and objectives of the pen test. It might be as simple as making a phone call to walk through the functionality of a system.
Once pen testers gain access to the target, their simulated attack must stay connected long enough to accomplish their goals. This might be stealing or altering data, or abusing functionality. It’s about demonstrating the potential impact.
Why might I need it?
Because of the potentially high cost of a successful cyber attack, simply put. You might not want to wait around for a real-world attack to succeed on your organization. Pen testing exposes holes in a business’s security layer. And it allows security experts to address your security shortcomings, rather than bad actors.
Why is penetration testing important?
|ID and prioritize security risks|
|Intelligently manage vulnerabilities|
|Establish whether existing security programs are working|
|Increase confidence in your security posture|
|Meet regulatory requirements|