Privacy glossary

Penetration testing


What is penetration testing?

Penetration testing is a process that audits the security of a system or network by simulating a cyber-attack. The goal of penetration testing is to safely and legally identify potential points of vulnerability in a system so weaknesses can be addressed before they’re exploited by real attackers. Penetration testers often use the same tools and approaches that attackers use, and test all aspects of the system, including hardware, software, physical security, and staff training and activity.

Also called pen testing, this kind of audit can be applied to any aspect of a system or network that’s designed to be secure. Pen testing can look for exploitable vulnerabilities in hardware (like servers, routers, laptops, and mobile devices), networks, use of cloud computing and storage, software and Web app configurations (including Internet of Things interfaces), data interaction through APIs, and individuals’ credentials. Security awareness of employees can also be evaluated by testing both physical and virtual activities—things like how a phishing attempt is handled or if it’s possible to get past security and enter the physical building or a secure room.

Why is penetration testing important?

The goal of penetration testing is to find a system’s weaknesses to outside attacks, internal attempts to get beyond allowed access levels, or simple employee errors. “Real” attacks can lead to data breaches, ransomware, or general disruption of an organization’s business, so pen tests are meant to give an organization a better picture of unmitigated vulnerabilities, along with an idea of how to prioritize fixes. Without pen testing, an organization runs the risk of discovering a vulnerability only after it’s been exploited by an attacker.

While some pen testing is voluntary, an organization may be subject to regulations that require proof that sensitive data is secured. GDPR and HIPAA both contain requirements that any system containing sensitive data must be regularly tested and evaluated for adequate security. Pen testing is accepted as an excellent way to meet these requirements. PCI DSS, a global standard that applies to any organization that handles credit card data, specifically requires regular pen testing.

Tools used in penetration testing

Penetration testing is most effective when it’s thorough and comprehensive, which can be especially challenging when dealing with complex or large systems. To aid in the large scope of some pen testing situations, software packages are available to help with completing well-documented or repetitive tests. Software packages are often combined with a library of known exploits used in the past by attackers, and methods to test them. Notably, these packages are used by both testers to test a system and hackers to attack a system.

Some pen testing can be done by non-specialists, using a portion of these same software packages. More complex pen testing is usually done by independent third-party experts, who may use these tools as aids, but don’t generally rely on them exclusively. Independent pen testers are often a better choice over internal staff, since they aren’t influenced by inside knowledge or a false sense of confidence in the system.

Types of penetration testing

A pen test can be one of several scenarios, each distinguished by how much information the pen tester has initially about the system being tested:

  • White-box testing (also called transparent or open testing): Pen testers are given information about the system being tested before starting the test. In a white-box test, the pen tester can create a test plan that meets the testing goals, whether that’s full coverage or focused testing on a particular aspect of the system. Having advance knowledge of the system can jumpstart the task, cutting some time out of the project that might otherwise be spent on investigating an unknown system.
  • Black-box testing (also called opaque or closed testing): Pen testers receive no information about the system in advance. Black-box testing more closely simulates a real attack and can provide better insight into how a hacker might approach the system.
  • Gray-box testing (also called semi-transparent testing): The pen tester is provided with a limited amount of information about the system. For example, the tester may be provided with basic login credentials to get access through the system’s first layer of protection. This allows them to concentrate their efforts on testing the system’s deeper, perhaps more sensitive, layers.

The starting-point knowledge base isn’t the only variable in a pen test scenario. Another variable is whether the internal security team is given notice that a pen testing event is occurring. Internal security may not be told in advance, resulting in real-life testing of the security team’s responses to a security threat. In some situations, the pen tester and internal security may work together in a simulation, called Red Team vs. Blue Team. This allows for real-time reactions and creates learning opportunities for the internal security team.

Stages of penetration testing

Comprehensive penetration testing can be quite involved, and requires a certain level of organization in order to be effective. Typical steps of a pen test might look like this:

  • Planning: The starting point where a pen tester gets an idea of what the system looks like and decides what to test. A white box test will provide a lot of this material, whereas a black box test will require independent reconnaissance on the part of the tester.
  • Scanning: In this stage, the pen tester will observe the system, learn how it works, and identify possible vulnerabilities that can provide ways to break in.
  • Gain access: Next, the pen tester will use what they’ve learned in the scanning step to stage attacks on the identified potential vulnerabilities and try to gain access to the system.
  • Maintain access: If the tester succeeds in gaining access, the next goal is to see how long they can maintain access. In a real attack, a hacker will want to gain a foothold in the system so they can do more damage, work their way deeper into more secure areas, or steal data over an extended period. The pen tester will attempt these same tasks to better understand what a hacker might be able to accomplish.
  • Analysis and report: The pen tester will prepare a report for the organization detailing exposed vulnerabilities and possible remediation. The tester will also need to clean up any code they might have inserted or logins created as part of their infiltration activities.
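Two bookkeeping pieces tie the stages above to the "safely and legally" requirement: every target the tester touches must fall inside the scope agreed during planning, and every account or file created while gaining and maintaining access must be removed before the report is signed off. This added example (not code from the original page or from Brave) shows both; the networks, hostnames and artifact names are constructed placeholders.

```python
import ipaddress

# Constructed sample rules of engagement agreed with the organization before
# the planning stage. The documentation ranges and hostnames are placeholders.
IN_SCOPE_NETWORKS = [ipaddress.ip_network("10.0.5.0/24"),
                     ipaddress.ip_network("192.0.2.0/24")]
IN_SCOPE_HOSTS = {"app.example.test", "api.example.test"}
# Hosts carved out of scope even though they sit inside an authorized network.
EXCLUDED = {"10.0.5.1"}


def target_authorized(target: str) -> bool:
    """Return True only when a target is inside the agreed scope and not excluded.
    Hostnames must be listed explicitly; IP addresses must fall inside an
    authorized network. Anything unrecognized is treated as not authorized."""
    if target in EXCLUDED:
        return False
    if target in IN_SCOPE_HOSTS:
        return True
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False  # an unlisted hostname, not an IP: refuse by default
    return any(addr in net for net in IN_SCOPE_NETWORKS)


def filter_targets(candidates):
    """Split candidates found during scanning into authorized and rejected lists."""
    authorized = [t for t in candidates if target_authorized(t)]
    rejected = [t for t in candidates if not target_authorized(t)]
    return authorized, rejected


class ArtifactLedger:
    """Records every account, file or tool the tester leaves on a host during the
    gain-access and maintain-access stages, so cleanup can be verified at report time."""

    def __init__(self):
        self._items = {}  # (kind, identifier, host) -> removed?

    def add(self, kind, identifier, host):
        self._items[(kind, identifier, host)] = False

    def mark_removed(self, kind, identifier, host):
        self._items[(kind, identifier, host)] = True

    def outstanding(self):
        """Artifacts still present; the report should not be signed off until empty."""
        return sorted(k for k, removed in self._items.items() if not removed)
```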

When is penetration testing done?

Systems are always evolving—new vulnerabilities can be introduced with new hardware, software updates, adding new users or altering the permissions of existing users, and more. New threats also surface when new vulnerabilities are discovered in existing code, or hackers develop new tools to attack systems. The value of pen testing is that it can identify vulnerabilities, and create a path to remediation, before a hacker finds them and causes much bigger problems.

In response to this always changing threat environment, pen testing should be done regularly, with the frequency based on an organization’s needs and budget. Some regulations require pen testing as often as quarterly. Pen testing is also helpful on an ad hoc basis whenever there’s a significant change in the cyber environment—internal or external. A small-scale pen test can be executed to focus on a particular new threat.

Does penetration testing protect me?

While penetration testing is conducted at an organizational level, it does protect the individual as well. Websites, apps, and databases of companies that do frequent pen testing are typically better protected against threats from hackers. This means your data and your online activity are also better protected. By choosing to use and support companies that run frequent pen tests (or are required to meet certain testing standards), and coupling that with other personal privacy steps like a VPN and a privacy browser like Brave, you can help to improve your safety online.
