Penetration testing, also referred to as pen testing or PT, is a form of ethical hacking that simulates a potential cyberattack on a system, application or device. When used properly, it can help you identify security vulnerabilities before they become a problem giving you an opportunity to remediate any findings, which will ultimately reinforce the strength of your security posture.
But how exactly does penetration testing work, and how can you use it for your business?
How Penetration Testing Attacks Work
Penetration testing is designed to mimic real cyberattacks, so it makes use of techniques typically used by malicious agents. Depending on the nature of the system and what the penetration tester learns during reconnaissance, ethical hackers can use things like brute force attacks or SQL injections to gain access to systems. Testers may also utilize specific pieces of hardware designed for penetration testing; for example, they may try to plug a box into your network to see if they can gain remote access to the network.
Some penetration testers also make use of social engineering. They may attempt to fool your employees, tricking them into giving up their login credentials or other valuable information as a shortcut to gain access to your systems. Or, they could also send phishing emails to your company as a means to determine your level of protection against such threats.
Generally, a penetration tester attempts to complete the test by covering tracks, eliminating any trace of evidence that was ever there, and leaving every system exactly how it was. At this point, the tester explains what efforts revealed, sparking a discussion with decision makers within the organization.
The Stages of Penetration Testing
Most forms of penetration testing unfold over five distinct stages:
1. Planning and goal setting: First, you’ll set goals and enter the planning stage. Depending on the model you’re using, a tester may study your defenses or do research to learn more about your company.
2. Proactive scanning: Next, the tester looks for potential vulnerabilities and plans an attack.
3. Attack staging: When the tester feels confident that there is an opening, the attack or tactic will begin in order to gain entry.
4. Access sustenance: The tester will then see if access can be maintained for a predefined period of time.
5. Analysis and reconfiguration: At the conclusion of the test, the tester will cover tracks, restore systems back to normal and will prepare a report with recommendations for remediation.
Models of Penetration Testing
There are several different models of penetration testing worth considering, including:
Internal testing. In an internal penetration test, testers have access to an application behind the firewall; in other words, they’ll be simulating an attack from a malicious insider, like a disgruntled employee, or someone who has stolen an employee’s login credentials.
External testing. By contrast, an external test attempts to execute an attack using publicly visible company assets; for example, a tester may try to access the company’s website or domain name servers (DNS).
Blind testing. Some penetration testers utilize blind (or single-blind) testing, where the tester is only given the name of the organization to be attacked with no further details about the security measures that might be in place. The goal here is to simulate a more realistic attack.
Double-blind testing. In a double-blind test, the organization’s security staff will be given no advance notice that a simulated attack is coming. Accordingly, they won’t have time or foreknowledge to beef up their defenses enabling a true evaluation of exactly how the security staff responds to an emerging threat.
Targeted testing. In targeted (or open) testing, the tester and the target organization’s security staff will both remain completely informed and transparent during the test. They’ll know about each other’s movements, including both defensive measures and potential attacks. While this is less realistic than a single-blind or double-blind test, it also comes with some great perks; you’ll get to see the stages of an attack as they unfold in real-time, and you’ll get more collaboration between testers and defenders.
Pros and Cons of Penetration Testing
Penetration testing offers many advantages, including:
Finding a range of vulnerabilities. First, pen tests have the ability to discover a wide range of vulnerabilities, from ineffective web application firewalls (WAF) to poorly trained employees. Discovering these potential weaknesses proactively gives you time to correct them before they end up causing real damage to your organization.
Identifying emergent weaknesses. Penetration testing may also reveal emergent weaknesses; high-level vulnerabilities that exist because of a combination of smaller, more innocuous weaknesses. These can be hard to catch otherwise.
Showcasing human creativity. A skilled pen tester will stop at nothing to try and find a way in. There are forms of automated testing that can help you identify vulnerabilities, but only an experienced, creative human being can discover certain points of entry.
Highlighting specific pieces of advice. Most penetration testing sessions end with a thorough report, detailing the potential weaknesses in your organization as well as recommendations about how to fix them. No matter what, you’ll walk away with a clearer understanding of your organization’s security posture.
However, there are also a few downsides to consider:
Trust and potential damage. When you pursue penetration testing, you’ll literally be hiring someone to hack into your organization. This is a potential security threat, and requires your complete trust in the person and organization executing the test. There is great potential for damage if you don’t vet your candidates carefully.
Time and effort. Penetration testing is more involved than other types of security testing, and often requires more time and effort. It also tends to be costly.
A false sense of security. If you elect to perform a penetration test and your tester finds no point of entry, this does not guarantee that your security system is perfect, nor that it will remain perfect in the future. Good results on a pen test can give you a false sense of security, because its results are only valid for a specific point in time.
Pen Testing and Third-Party Vendors
You could have a fantastic cybersecurity strategy in place for your own operation, but how confident are you about the cybersecurity of your third-party vendors? How vulnerable are your vendors’ systems and applications? Since your suppliers may be accessing, storing or processing your data, it is imperative to continuously assess their security posture, especially if you need to be compliant with a regulation, standard or law. Even if your vendor is performing pen tests on a regular basis, how is their security posture being monitored in the interim?
That’s why it’s critical to use automated third-party security management software to vet your suppliers, so you can assess the security risk they pose to your company. Assessing a supplier’s security posture must also include measuring the risk that their employees pose as well as ongoing monitoring.
Panorays is the only security rating platform that includes an assessment of the human factor. With Panorays, you can be confident about your suppliers’ security; sign up for a free demo today, and see it in action!