Penetration testing, also called pen testing, is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit.
Penetration testing can be automated with software applications or performed manually. Either way, the process involves gathering information about the target before the test, identifying possible entry points, attempting to break in (either virtually or physically) and reporting back the findings.
The main objective of penetration testing is to identify security weaknesses. Penetration testing can also be used to test an organization’s security policy, its adherence to compliance requirements, its employees’ security awareness and the organization’s ability to identify and respond to security incidents.
Typically, the information about security weaknesses that are identified or exploited through pen testing is gathered and provided to the organization’s IT and network system managers, enabling them to make strategic decisions and prioritize remediation efforts.
Penetration tests are also sometimes called “white hat attacks” because in a pen test, the good guys are attempting to break in.
What’s the Purpose of Penetration Testing?
The primary goal of a pen test is to identify weak spots in an organization’s security posture, as well as measure the compliance of its security policy, test the staff’s awareness of security issues and determine whether (and how) the organization would be subject to security disasters.
A penetration test can also highlight weaknesses in a company’s security policies. For example, although a security policy focuses on preventing and detecting an attack on a company’s systems, that policy may not include a process to expel a hacker.
The reports generated by a penetration test provide the feedback needed for an organization to prioritize the investments it plans to make in its security.
What Areas Does Penetration Testing Cover?
Application Penetration Testing
Identifies application layer flaws such as cross site request forgery, cross site scripting, injection flaws, weak session management, insecure direct object references and more.
IoT/Device Penetration Testing
Aims to uncover hardware and software level flaws with Internet of Things devices including weak passwords, insecure protocols and more.
Network Penetration Testing
Focuses on identifying network and system level flaws including misconfigurations, product-specific vulnerabilities, wireless network vulnerabilities, rogue services, weak passwords and protocols.
Physical Penetration Testing
Also known as physical intrusion testing — this testing reveals opportunities to compromise physical barriers such as locks, sensors, cameras, man-traps and more.
All of these risk-based approaches involve several steps. These steps include:
Information Gathering: The stage of reconnaissance against the target.
Threat Modeling: Identifying and categorizing assets, threats, and threats communities.
Vulnerability Analysis: Discovering flaws in systems and applications using a set of tools, both commercially available tools and internally developed.
Exploitation: Simulating a real-world attack to document any vulnerabilities.
Post-Exploitation: Determining the value of compromise, considering data or network sensitivity.
Reporting: Outlining the findings with suggestions for prioritizing fixes. For us, that means walking through the results with you hand-in-hand.
How Often Should You Perform Penetration Testing?
Organizations should perform pen testing regularly — ideally, once a year — to ensure more consistent network security and IT management. In addition to conducting regulatory-mandated analysis and assessments, penetration tests may also be run whenever an organization:
- Adds new network infrastructure or applications.
- Makes significant upgrades or modifications to its applications or infrastructure.
- Establishes offices in new locations.
- Applies security patches.
- Modifies end-user policies.
Penetration testing is not one-size-fits-all — when a company should engage in pen testing also depends on several other factors, including:
Penetration testing is all about assessing your overall security before attackers do.
A penetration test digs deeper and samples your environment in a way that a vulnerability scan simply does not. Contact Verity IT to schedule your pen test today!