“If you know your enemy and know yourself, you need not fear the outcome of a hundred battles.” It’s safe to say that Sun Tzu wasn’t thinking about cybersecurity over two thousand years ago, but he offers excellent advice for anyone looking to protect their online platform.
Penetration testing helps you know your enemy – i.e. hackers – by simulating their actions in a real attack scenario. More importantly, penetration testing helps you know yourself: by identifying vulnerabilities that could be exploited, you can ensure higher levels of protection in the future.
Penetration test definitions
Penetration testing, or pen testing for short, can take a variety of forms. Fundamentally, pen testing is a form of ethical hacking that simulates attacks on computer systems to assess their strengths and weaknesses.
Pen tests are run against networks, servers, applications and databases. The goal is to establish whether current defences are up to the task, or whether enhanced security is required.
A distinction is often made between white box and black box penetration tests. In a white box test, the testers already have extensive knowledge of the target system, whereas in a black box test, only minimal information is provided.
While a black box test can realistically mimic the behaviour of hackers with limited background information, a white box test simulates an attack from someone familiar with the organisation.
Pen testing can even be modelled on an internal attack – maybe from a disgruntled employee – by assessing how much damage can be done by an existing user with standard privileges.
How penetration testing works
The first stage of a penetration test is reconnaissance. The testers examine the target system, methodically scanning the network for possible weaknesses. Any opportunity for unauthorised access to system features or data is recorded in preparation for the simulated attack.
Then the real test begins. Each vulnerability is tested in turn, and potential exploits are pushed to their limits using hacking techniques like cross-site scripting (XSS), SQL injection and brute-forcing, plus a wide variety of additional attack methods.
Testers attack the most at-risk system components, including network coupling elements such as routers, switches and gateways, as well as web, database and file servers, telecoms systems, web applications, and wireless networks. This evaluates the effectiveness of security features like firewalls, anti-virus and anti-malware software, and intrusion detection/prevention systems.
Once the simulated attack is complete, the testers compile their findings. Vulnerabilities are listed and prioritised by their severity, with a detailed breakdown of how they could be exploited, and what needs to happen to fix them.
Penetration testing tools
To be as realistic as possible, a pen test needs to use the same tools a malicious hacker would. These include port scanners, sniffers (software that analyses network traffic), packet generators and password crackers.
More specialised penetration testing tools also exist, often being bundled into custom OS distributions such as BackBox (based on Ubuntu) and Kali Linux (based on Debian).
While automated vulnerability scanners serve a useful purpose, and can be good preparation for a pen test, they’re no substitute for a manual assessment by human experts. If automated scanning is the theory test, then penetration testing is the practical exam.
Penetration testing: a vital element of cybersecurity
Comprehensive security is not possible without penetration testing. From DDoS attacks to phishing and ransomware, the huge range of potential threats makes robust security testing more important than ever.
The results of penetration testing can uncover the potential impact of an attack on the wider organisation – such as network downtime, compromised data, reputational damage and lost revenue.
In this context, pen testing forms an essential part of a risk assessment or full cybersecurity audit. Certain industries that process large volumes of sensitive data, such as financial services, demand regular penetration tests as a legal requirement.
But pen testing isn’t just relevant to big companies. Smaller businesses need to deploy their limited IT resources wisely, and pen testing can highlight those critical gaps in security. Any organisation with a significant online presence should consider potential attacks in terms of when, not if – and plan defences accordingly.