No Bad Questions About Cybersecurity
Definition of Penetration testing
What is penetration testing?
Penetration testing, or pentesting, is sanctioned ethical hacking that assesses a company's security measures to optimize responses to internal and external attacks.
Penetration testing falls under quality assurance to provide the highest level of system security. It is not automated, however, unlike vulnerability assessments, making them separate processes, although their purposes overlap.
What are the different types of pen testing?
There are two basic types of pen tests, external attacks that test a company's resilience to outside threat actors and internal attacks that allow the company to react to breaches by employees. The threat actor(s) may or may not have access to certain information about a company’s security. Pen tests may even be conducted in secret from a company’s employees.
The first step is to decide whether the goal of the test is to assess weaknesses that can be exploited from the outside or the inside:
- External test. This pen test is used to determine if anyone can breach the security and gain access to sensitive information from outside a company.
- Internal test. This test is suitable for identifying possible weaknesses in security that someone from within the company could exploit.
The second involves selecting one of three approaches:
- Open-box test. The pentester is provided information about a company’s security. This approach is helpful when assessing a specific area.
- Closed-box test. The pentester isn't given information about the company's security infrastructure. Their attempts provide results that can be used to identify any blind spots and increase security as needed.
- Covert test. To simulate a real-world scenario, the pentester doesn't have any information about a company’s security infrastructure, and the company's employees, even the security personnel, aren't aware of the test.
How is a typical pen test carried out?
A pen test is carried out by one or more pentesters using information provided by a company or gained from research and/or cyberattacks on the company's employees. The pentester(s) then attempt to circumvent the company's security infrastructure and gain access to sensitive information. Their findings are used to optimize security measures.
Outside contractors objectively understand a security infrastructure's potential weaknesses since an internal team's insider knowledge may create blind spots in their security procedures. Pen tests are only conducted with the consent and knowledge of a company's leadership and require clear documentation outlining the test's scope and who is involved to avoid any misunderstandings with law enforcement and/or employees during and after the test.
The pentester(s) researches the company to gather useful information for breaching security. If they've been provided with details beforehand, they may combine that with publicly accessible data. The pentester(s) may also use phishing attacks on employees to gain access to their credentials and attempt to physically penetrate the company's location.
What are the benefits of pen testing?
Pen testing allows companies to assess their current security measures and infrastructure and make necessary adjustments. It also allows the company to optimize external and internal security to better prioritize its resources. Pen testing can strengthen trust among stakeholders and demonstrate a company's compliance with data privacy and security regulations.
Besides the obvious benefits of ensuring that data and products are safe, pen testing provides companies with evidence of a serious and responsible approach to cybersecurity and compliance with laws and regulations on data security.
Likewise, a company's tech debt may create holes in its security infrastructure that can be exploited. Pen tests provide a safe and controlled opportunity to fix these holes and make informed and rational decisions on what software and hardware to update.
Key Takeaways
- Penetration testing, or pen testing, tests a company's security infrastructure through ethical hacking.
- Pen testing is divided into external and internal tests to match a company's needs.
- In open-box testing, the company/client provides the hacker with information on its security. In a closed-box test, the hacker doesn't have any information, and in a covert test, the hacker lacks information, and the company's employees aren't aware of the test.
- For objective results during pentests, use outside contractors.
- Pentests help companies optimize security resources, manage tech debt, and demonstrate a commitment to data security.