Penetration testing, pen testing or ethical hacking, is the practice of testing a computer system, network or web application's cybersecurity by looking for exploitable security vulnerabilities. Penetration testing can be automated with penetration testing tools or manually by penetration testers.
In essence, penetration testing seeks to answer:
- How would an attack overcome my security program
- How would they gain access to my and my customer's sensitive data
It views your network, application, device and physical security through the eyes of a malicious actor and an experienced security team to uncover weaknesses and identify how your security posture could be improved.
Pen testers launch authorized cyber attacks designed to gain access to sensitive information, simulating what a real world attack would target, how your security controls would fare and the magnitude of a potential data breach.
What is involved in a penetration test?
Pen testers then review available information and use various methods to try and meet their goal. For example they may employ SQL injections, phishing and other social engineering attacks, cross-site scripting or exploit vulnerabilities.
Once the penetration test is completed, the security experts provide a security assessment to the owners of the target. The assessment generally outlines the potential impact and countermeasures designed to reduce cybersecurity risk.
What are common areas for penetration testing?
Common areas for penetration testing include:
- Application penetration testing: Identifies issues issues such as cross-site request forgery, cross-site scripting, injection flaws, weak session management and more
- Network penetration testing: Highlights network level flaws including misconfigurations, product-specific vulnerabilities, wireless network vulnerabilities, rogue services, weak passwords, vulnerable protocols and default passwords
- Physical penetration testing: Reveals how physical controls, such as locks, biometric scans, sensors and cameras could be overcome
- IoT penetration testing: Uncovers hardware and software vulnerabilities in Internet of Things devices, including default passwords, insecure protocols, open APIs, misconfigurations and more
What is the goal of a penetration test?
The goal of a penetration test will depend on the type of approved activity and your compliance requirements. Penetration testing can help organizations:
- Determine the feasibility of particular attack vectors
- Identify high-risk vulnerabilities resulting from lower-risk vulnerabilities exploited in a particular fashion
- Highlight vulnerabilities that go undetected in automated network or application vulnerability scanning software
- Assess the potential business, operational and regulatory impact of successful cyber attacks
- Test network defense and your organization's ability to successfully detect, respond and stop an attack
- Provide context to support increased investment in information security policies, procedures, personnel or technology
- Meet compliance requirements, e.g. all FISMA-regulated entities are required to comply with NIST SP 800-115, Technical Guide to Information Security Testing and Assessment. The Payment Card Industry Data Security Standard (PCI DSS) also requires regular penetration testing.
- Validate the implementation of new security controls put in place to thwart similar attacks
In the end, the standard goal is to find security issues that could be exploited by an attacker and then sharing this information, alongside relevant mitigation strategies with the target.
What are the six stages of penetration testing?
Penetration testing can be broken down into six stages:
- Reconnaissance: Gathering information on the target to be used to better attack the target. For example, using google hacking to find data that can be used in a social engineering attack.
- Scanning: Using technical tools to gain further knowledge of the target's externally facing assets, e.g. using Nmap to scan for open ports.
- Gaining access: Using the data gathered in the reconnaissance and scanning phases, the pen tester can deliver a payload to exploit the target. For example, Metasploit can be used to automate attacks on known vulnerabilities like those listed on CVE.
- Maintaining access: After gaining access, the pen tester may take steps to gain persistent access to the target in order to extract as much data as possible.
- Covering tracks: The final step is to clear any trace of their access by deleting audit trails, log events, etc.
- Reporting: Outlines the findings, providing a vulnerability assessment with suggested remediation steps.
Note that this process can be repeated as the pen tester finds new security issues.
Who provides penetration testing services?
Penetration testing services are generally provided by an outside consultant or internal red team with little-to-no prior knowledge of how the target is secured.
This allows them to expose possible blind posts that are missed by the internal security team.
What are the types of penetration tests?
- White box pen test: Ethical hackers are provided with background and system information, such as employee emails, operating systems, security policies or source code. This type of security testing could be said to mimic insider threats.
- Black box pen test: Security professionals are provided basic or no information beyond the target's name. This means the pen testers only have access to information they can gather through vulnerability scanning, OPSEC failures, social engineering and external security posture analysis. This mimics outside attackers attempting to gain access to your organization.
- Grey box pen test: A combination of a white box and black box test, where limited knowledge of the target is shared with the pen tester. This type of security testing can help determine which systems are vulnerable to attackers who are able to gain initial access to your internal network.
- Covert/double-blind pen test: Describes a situation where very few people know a pen test is happening, including the IT and security teams who will be responding to the attack.
- External pen test: This is when an ethical hacker targets a company's external-facing technology, such as their website and external network servers. These types of pen tests are generally conducted from a remote location.
- Internal pen test: This test is performed from within the company's internal network and is useful to determine how much damage could be done by an insider from within the company's firewall.
- Targeted pen test: Penetration tester and security team work together, informing each other of steps taken to attack the target and to defend the attack. This serves as a training exercise that provides real-time feedback.
Why is penetration testing important?
Penetration testing is important because it helps determine how well your organization is meeting its security objectives.
The purpose of these simulated attacks are to identify weakness in your security controls which attackers could take advantage of.
Penetration testing, and cybersecurity more generally, is becoming more important as we become more reliant on technology to process sensitive information.
As part of a cybersecurity program, penetration testing help you improve the quality of your security controls. It can also help reduce the cost and frequency of downtime, improve mean-time-to-repair (MTTR), protect brand reputation, maintain customer trust, avoid litigation and ensure regulatory compliance.
Why penetration testing is not enough
Security professionals disagree about the importance of penetration testing. Some believe it is the most important thing, others believe it's a waste of time.
As with most security practices, the truth is somewhere in between and its efficacy depends on application and scope.
Pen testing alone is never enough to prevent data breaches but the information gained from it can play a critical role in bolstering your organization's security controls.
While there are numerous frameworks that outline a pen testing process, it remains a broad term that encompasses a slew of different activities designed to identify weaknesses in your cybersecurity.
This could entail the use of specialized security tools such as Kali Linux or Backbox and Metasploit or Nmap to discover and exploit vulnerabilities, carrying out social engineering attacks to test physical controls or employing ethical hackers to simulate cyber attacks.
In the end the goal is the same: to improve your security posture and reduce cybersecurity risk.
Even the most thoroughly tested applications and infrastructure can fall victim to data breaches or data leaks. That is the disheartening truth of cybersecurity – sometimes attackers are one step ahead of your security team.
Furthermore, even the best pen testers can only work with the knowledge and tools at their disposal.
In the case of zero-day exploits, like EternalBlue that led to the WannaCry ransomware worm, the best you can do is respond quickly. Pair this with the fact that third-party vendors are handling more and more sensitive information, and it's not hard to understand that while pen testing is important, it can't be the only thing you do.
To have a lasting impact on the organization, pen testing must be integrated with real-time continuous security monitoring of first, third and fourth-parties.
What are the common penetration testing frameworks?
There are several frameworks and methodologies for conducting penetration tests including:
- Open Source Security Testing Methodology Manual (OSSTMM)
- Penetration Testing Execution Standard (PTES)
- NIST SP 800-115
- Information System Security Assessment Framework (ISSAF)
- OWASP Testing Guide
How UpGuard can improve your organization's cybersecurity
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data, prevent data breaches, monitor for vulnerabilities and avoid malware.
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and providing vendor questionnaire templates that map to the NIST Cybersecurity Framework and other best practices. We can help you continuously monitoring your vendors' security posture over time while benchmarking them against their industry.
Each day, our platform scores your vendors with a Cyber Security Rating out of 950. We'll alert you if their score drops.
UpGuard BreachSight can help monitor for DMARC, combat typosquatting, prevent data breaches and data leaks, avoiding regulatory fines and protecting your customer's trust through cyber security ratings and continuous exposure detection.
If you'd like to see how your organization stacks up, get your free Cyber Security Rating.