Back
Penetration testing is an important exercise for many organisations. In fact, some organisations are required to perform regular penetration tests in order to comply with security regulations such as PCI DSS.
In this article, we will explain what penetration testing is and how it works. We will also explain why many organisations do it, and why some choose not to.
What is penetration testing?
Penetration testing is the deliberate, “white-hat,” hacking of IT systems in order to identify vulnerabilities and assess the effectiveness of an organisation’s security controls. By simulating real-world scenarios, such as DDoS attacks, phishing scams, and social engineering, penetration testing allows security experts to pinpoint areas that require greater security, with the ultimate goal of safeguarding against genuine breaches in the future.
It is possible to use online vulnerability tools to assess your systems security. These will generate automatic reports and are often referred to as ‘automatic’ testing, whereas penetration testing performed by a person is often referred to as ‘manual’ testing.
There are a variety of ways in which penetration testers can evaluate an IT system’s security, and we will cover these shortly. It is important to note that penetration testers use similar approaches to attackers, as they seek to identify system weaknesses. This enables them to evaluate the business risks and identify appropriate solutions, to help mitigate the threat of a system breach.
What are the objectives of penetration testing?
The overarching goal of penetration testing is simple: to protect IT systems, safeguard data, and prevent all potential security breaches. To meet this primary goal, penetration testing has the following more specific objectives:
Identify security weak points
It is through thorough penetration testing that organisations can discover the vulnerabilities in their current operational systems—from their software configurations to their third-party relationships to their network infrastructure. By pinpointing these weaknesses, they’re able to develop specific, tailored solutions rather than relying on generic, one-size-fits-all security measures.
Evaluate existing security controls
Part of penetration testing is determining whether an organisation's existing security measures stand up to the latest, most advanced hacking techniques. It’s a useful way of showing whether security measures are working as they should be, or whether they need to be improved or updated to protect against new and evolving threats.
Test incident response and enhance preparedness
Although the hope is to always prevent security breaches before they happen, it’s also important for organisations to have a plan in place in the event a breach does occur. Penetration testing allows organisations to practice their emergency response protocols so that they can be prepared for any future incidents.
Ensure compliance with industry regulations
A secondary objective of penetration testing is to ensure an organisation is in compliance with industry regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR), and the Health Insurance Portability and Accountability Act (HIPPA). Penetration testing will help determine whether an organisation meets industry standards—plus, the testing itself can be a regulatory requirement (as is the case with PCI DSS).
What type of threats does penetration testing help prevent?
External threats
In these cases, hackers are usually seeking sensitive data (e.g. credit card details, personal identification information) that they can use for their own financial gain (e.g. credit card data theft, identify theft, etc.).
Good to know: The most common cybersecurity threat organisations face is unauthorised access and data theft from bad actors outside of the organisation.
External threats include:
Social engineering
Social engineering is any manipulation that exploits human psychology in order to gain access to sensitive information or systems. Examples include:
- Pretexting - Fabricating a story to gain someone’s trust and trick them into providing data or unauthorised access (e.g. pretending to be the CEO or a member of the IT security team).
- Baiting - Using a false promise to convince someone to provide access, click a malicious link, or send money (e.g. enticing someone with a free music download or leaving a malware-infected USB drive in the employee parking lot).
- Quid-pro-quo attacks - Asking for sensitive data in return for a service (e.g. asking for login credentials in order to perform tech support).
Phishing scams
A subset of social engineering, phishing is the attempt to trick someone into revealing sensitive information through fake emails or websites, usually by impersonating a business they trust (e.g. bank, software company, etc.).
DDoS attacks
Distributed Denial of Service (DDoS) attacks are designed to overwhelm systems with traffic, leading systems to go down and services to be disrupted.
Malware attacks
Malware, such as viruses, trojans, and ransomware, can be used to disrupt IT systems or gain unauthorised access to sensitive data. It can be introduced through downloadable email attachments, compromised software programs, infected websites, or unapproved USB sticks or external hard drives.
Brute force hacking
Brute force attacks are a method of hacking passwords or other sensitive login credentials (e.g. encryption keys) through a mass-scale trial-and-error approach. Hackers use automated tools to test thousands of different credentials until they find the right one and can gain unauthorised access.
Zero-day (0day) exploits
Zero-day exploits are when hackers take advantage of vulnerabilities in software programs before developers have time to fix them. By attacking on the same day the weakness is discovered (day zero), hackers are able to access systems before the software can be patched and updated.
Internal threats
Another cybersecurity concern is when the threat is coming from within the organisation itself. Although it can be unsettling to consider that employees and third-party partners may have malicious intentions, the reality is that addressing internal threats is crucial to IT security, and this type of threat must be considered when conducting penetration testing. Also, internal security threats aren’t always intentional; they can stem from inadvertent actions and negligence.
Common internal threats include:
- Malicious data theft or system manipulation by an employee (e.g. embezzlement)
- Accidental misconfiguration of software, applications, or systems in a way that exposes sensitive data
- Negligent handling of access credentials, leading to unauthorised access
- Unintentional malware attacks by using unverified external devices
- Lack of staff awareness and training on cybersecurity practices
Advanced Persistent Threats (APTs)
Probably the most dangerous cybersecurity threat is the potential for routine and long-term infiltration by sophisticated hackers who steal data while remaining undetected for large stretches of time. These types of digital espionage are known as Advanced Persistent Threats (APTs), and they’re often conducted by a nation-state or state-sponsored group with the goal of mining data, disrupting systems, or simply accessing sensitive information for political purposes.
What are the benefits of penetration testing?
Cybersecurity risks are becoming more common and more severe. Long-term impacts can include damage to the organisation’s brand reputation, a loss of customer trust, loss of competitive advantage, reduction in credit rating, and increase in cyber insurance premiums.
How does penetration testing work?
Planning and scope
Before initiating a penetration test, the team or company performing the test should outline the scope of the test, list the test objectives, and identify which systems and networks will be assessed (and to what extent). It’s important for the testing team communicate clearly and openly with stakeholders within the industry (e.g. IT teams, operations, human resources, etc.) in order to thoroughly identify all potentially vulnerable areas of the business.
Common systems that require penetration testing include:
- Web applications
- Network infrastructure
- Mobile applications
- Databases
- Cloud services and platforms
- Wireless networks
- Endpoints (computers, laptops, servers)
- Internet of Things (IoT) devices
- Virtual Private Networks (VPNs)
- Email systems
Although the individual or team conducting the penetration testing should be familiar with all areas of the business, they should not disclose to internal teams when and how the testing will take place. Penetration testing works best when it mimics real-world scenarios and therefore no advanced notice should be given.
Accessing, scanning, and observation
After the initial planning phase, the individual or team performing the assessment will enter the active testing phase. This involves gaining access to the organisation’s systems through the use of common scams and hacking techniques. They will scan systems searching for weaknesses that can be exploited to gain access to sensitive data.
Common techniques involved in penetration testing include:
- Vulnerability scanning: Searching for weaknesses in the network or system.
- Network mapping: Scanning the network architecture to locate potential points of entry.
- Port scanning: Locating any open ports that may be vulnerable to hacking.
- Social engineering: Using manipulative tactics to trick employees into revealing sensitive information.
- Phishing attacks: Sending employees fraudulent emails or messages designed to trick them into providing data and/or access.
- Password cracking: Attempting to gain unauthorised access by exploiting weak passwords.
- Exploitation of software vulnerabilities: Using known weaknesses in software applications to gain unauthorised access.
- DDoS simulation: Simulating a distributed denial-of-service attack to test a system’s resilience.
- Wireless network testing: Assessing the security of Wi-Fi networks.
- Endpoint security testing: Looking at individual computers and devices within the organisation to analyse and strengthen security.
Reporting, analysis, and fixes
The final step of the penetration testing process is to compile the results, analyse the findings, and take steps to resolve any issues that are uncovered. Penetration testing experts typically provide comprehensive reports detailing identified vulnerabilities, the threat levels, and their list of recommended solutions.
Following penetration testing, organisations are often advised to do the following:
- Enhance employee awareness of IT security, particularly social engineering scams, through more comprehensive and routine training programs.
- Run updates and add security patches to address any vulnerabilities found in software programs, applications, databases, and other IT systems.
- Develop an incident response plan, or a more thorough incident response plan, to follow in the event of a security breach.
- Set up ongoing monitoring and testing in order to adapt as needed to new security threats.
What are the pros and cons of penetration testing?
There are several advantages to penetration testing:
- Live training - Targeted testing and blind testing can provide the cyber security team with invaluable ‘in-the-moment’ insight into a live attack.
- Identify system vulnerabilities – Cyber-attacks are extremely common. Penetration testers are putting themselves in the hacker’s position. They are actively encouraged to find vulnerabilities and weaknesses in your IT, and in doing so, they can help you make your IT environment more secure.
- Gain insight into your digital systems – There is a limit to what automatically generated reports from online vulnerability tests can provide. Professional penetration testers can provide you with customer-created insight into your system’s vulnerabilities, and they can help identify what you can do about them. They can help you document and rank the risks, making actionable plans that are aligned with your organisation’s values and goals.
- Establish trust with your customers – By being aware of your system’s vulnerabilities and executing a plan to address them, you proactively protect your organisation and customers. You will be able to create security policies to help inform and reassure your employees and customers and, in doing so, build trust.
- Achieve security certification - Regulations such as PCI DSS and HIPAA require members to perform regular penetration testing. And that is also the case for industry certifications such as ISO 27001.
- Increase awareness amongst employees – Hackers deploy phishing attacks, baiting employees just as a fisherman uses bait to catch a fish. Penetration testing can highlight popular baiting tactics and help them understand how to keep the organisation’s systems as secure as possible.
Disadvantages to penetration testing include the following:
- It can be labour intensive and expensive – Organisations systems are often complex. They can cover various things, from web and mobile apps to networks, containers, embedded and mobile devices, and APIs. Performing manual penetration testing on every aspect of your IT requires a comprehensive approach. It is expensive. And it can also suck up important IT resources.
- Mistakes can be costly – Penetration testing is the deliberate and planned act of breaking into your IT systems. Once the penetration tester is in, they will try to assess the damage that they can cause. It is at this point where penetration testers need to be very careful. Unintended consequences such as your servers crashing, corrupting or losing data could be expensive and potentially embarrassing if it became public knowledge.
- Testing can be seen as unethical – There are certain hacking tactics, such as phishing, that a penetration tester will probably want to use. Some argue that this is unethical since the penetration testers can only phish by attempting to deliberately fool the organisation’s employees. Many phishing victims talk about the shame that they experience for being fooled by a hacker, however this feeling can be intensified for victims conned by a hacker who their employer has hired.
Stay in English