Penetration testing is an important exercise for many organisations. In fact, some organisations are required to perform regular penetration tests in order to comply with security regulations such as PCI DSS.
In this article, we will explain what penetration testing is and how it works. We will also explain why many organisations do it, and why some choose not to.
What is penetration testing?
Penetration testing is the deliberate, “white-hat,” hacking of IT systems in order to identify vulnerabilities and assess the effectiveness of an organisation’s security controls. By simulating real-world scenarios, such as DDoS attacks, phishing scams, and social engineering, penetration testing allows security experts to pinpoint areas that require greater security, with the ultimate goal of safeguarding against genuine breaches in the future.
It is possible to use online vulnerability tools to assess your systems security. These will generate automatic reports and are often referred to as ‘automatic’ testing, whereas penetration testing performed by a person is often referred to as ‘manual’ testing.
There are a variety of ways in which penetration testers can evaluate an IT system’s security, and we will cover these shortly. It is important to note that penetration testers use similar approaches to attackers, as they seek to identify system weaknesses. This enables them to evaluate the business risks and identify appropriate solutions, to help mitigate the threat of a system breach.
What are the objectives of penetration testing?
The overarching goal of penetration testing is simple: to protect IT systems, safeguard data, and prevent all potential security breaches. To meet this primary goal, penetration testing has the following more specific objectives:
Identify security weak points
It is through thorough penetration testing that organisations can discover the vulnerabilities in their current operational systems—from their software configurations to their third-party relationships to their network infrastructure. By pinpointing these weaknesses, they’re able to develop specific, tailored solutions rather than relying on generic, one-size-fits-all security measures.
Evaluate existing security controls
Part of penetration testing is determining whether an organisation's existing security measures stand up to the latest, most advanced hacking techniques. It’s a useful way of showing whether security measures are working as they should be, or whether they need to be improved or updated to protect against new and evolving threats.
Test incident response and enhance preparedness
Although the hope is to always prevent security breaches before they happen, it’s also important for organisations to have a plan in place in the event a breach does occur. Penetration testing allows organisations to practice their emergency response protocols so that they can be prepared for any future incidents.
Ensure compliance with industry regulations
A secondary objective of penetration testing is to ensure an organisation is in compliance with industry regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR), and the Health Insurance Portability and Accountability Act (HIPPA). Penetration testing will help determine whether an organisation meets industry standards—plus, the testing itself can be a regulatory requirement (as is the case with PCI DSS).
What type of threats does penetration testing help prevent?
External threats
In these cases, hackers are usually seeking sensitive data (e.g. credit card details, personal identification information) that they can use for their own financial gain (e.g. credit card data theft, identify theft, etc.).
Good to know: The most common cybersecurity threat organisations face is unauthorised access and data theft from bad actors outside of the organisation.
External threats include:
Social engineering
Social engineering is any manipulation that exploits human psychology in order to gain access to sensitive information or systems. Examples include:
- Pretexting - Fabricating a story to gain someone’s trust and trick them into providing data or unauthorised access (e.g. pretending to be the CEO or a member of the IT security team).
- Baiting - Using a false promise to convince someone to provide access, click a malicious link, or send money (e.g. enticing someone with a free music download or leaving a malware-infected USB drive in the employee parking lot).
- Quid-pro-quo attacks - Asking for sensitive data in return for a service (e.g. asking for login credentials in order to perform tech support).
Phishing scams
A subset of social engineering, phishing is the attempt to trick someone into revealing sensitive information through fake emails or websites, usually by impersonating a business they trust (e.g. bank, software company, etc.).
DDoS attacks
Distributed Denial of Service (DDoS) attacks are designed to overwhelm systems with traffic, leading systems to go down and services to be disrupted.
Malware attacks
Malware, such as viruses, trojans, and ransomware, can be used to disrupt IT systems or gain unauthorised access to sensitive data. It can be introduced through downloadable email attachments, compromised software programs, infected websites, or unapproved USB sticks or external hard drives.
Brute force hacking
Brute force attacks are a method of hacking passwords or other sensitive login credentials (e.g. encryption keys) through a mass-scale trial-and-error approach. Hackers use automated tools to test thousands of different credentials until they find the right one and can gain unauthorised access.
Zero-day (0day) exploits
Zero-day exploits are when hackers take advantage of vulnerabilities in software programs before developers have time to fix them. By attacking on the same day the weakness is discovered (day zero), hackers are able to access systems before the software can be patched and updated.
Internal threats
Another cybersecurity concern is when the threat is coming from within the organisation itself. Although it can be unsettling to consider that employees and third-party partners may have malicious intentions, the reality is that addressing internal threats is crucial to IT security, and this type of threat must be considered when conducting penetration testing. Also, internal security threats aren’t always intentional; they can stem from inadvertent actions and negligence.
Common internal threats include:
- Malicious data theft or system manipulation by an employee (e.g. embezzlement)
- Accidental misconfiguration of software, applications, or systems in a way that exposes sensitive data
- Negligent handling of access credentials, leading to unauthorised access
- Unintentional malware attacks by using unverified external devices
- Lack of staff awareness and training on cybersecurity practices
Advanced Persistent Threats (APTs)
Probably the most dangerous cybersecurity threat is the potential for routine and long-term infiltration by sophisticated hackers who steal data while remaining undetected for large stretches of time. These types of digital espionage are known as Advanced Persistent Threats (APTs), and they’re often conducted by a nation-state or state-sponsored group with the goal of mining data, disrupting systems, or simply accessing sensitive information for political purposes.
What are the benefits of penetration testing?
Cybersecurity risks are becoming more common and more severe. Long-term impacts can include damage to the organisation’s brand reputation, a loss of customer trust, loss of competitive advantage, reduction in credit rating, and increase in cyber insurance premiums.
How does penetration testing work?
Planning and scope
Before initiating a penetration test, the team or company performing the test should outline the scope of the test, list the test objectives, and identify which systems and networks will be assessed (and to what extent). It’s important for the testing team communicate clearly and openly with stakeholders within the industry (e.g. IT teams, operations, human resources, etc.) in order to thoroughly identify all potentially vulnerable areas of the business.
Common systems that require penetration testing include:
- Web applications
- Network infrastructure
- Mobile applications
- Databases
- Cloud services and platforms
- Wireless networks
- Endpoints (computers, laptops, servers)
- Internet of Things (IoT) devices
- Virtual Private Networks (VPNs)
- Email systems
Although the individual or team conducting the penetration testing should be familiar with all areas of the business, they should not disclose to internal teams when and how the testing will take place. Penetration testing works best when it mimics real-world scenarios and therefore no advanced notice should be given.
Accessing, scanning, and observation
After the initial planning phase, the individual or team performing the assessment will enter the active testing phase. This involves gaining access to the organisation’s systems through the use of common scams and hacking techniques. They will scan systems searching for weaknesses that can be exploited to gain access to sensitive data.
Common techniques involved in penetration testing include:
- Vulnerability scanning: Searching for weaknesses in the network or system.
- Network mapping: Scanning the network architecture to locate potential points of entry.
- Port scanning: Locating any open ports that may be vulnerable to hacking.
- Social engineering: Using manipulative tactics to trick employees into revealing sensitive information.
- Phishing attacks: Sending employees fraudulent emails or messages designed to trick them into providing data and/or access.
- Password cracking: Attempting to gain unauthorised access by exploiting weak passwords.
- Exploitation of software vulnerabilities: Using known weaknesses in software applications to gain unauthorised access.
- DDoS simulation: Simulating a distributed denial-of-service attack to test a system’s resilience.
- Wireless network testing: Assessing the security of Wi-Fi networks.
- Endpoint security testing: Looking at individual computers and devices within the organisation to analyse and strengthen security.
Reporting, analysis, and fixes
The final step of the penetration testing process is to compile the results, analyse the findings, and take steps to resolve any issues that are uncovered. Penetration testing experts typically provide comprehensive reports detailing identified vulnerabilities, the threat levels, and their list of recommended solutions.
Following penetration testing, organisations are often advised to do the following:
- Enhance employee awareness of IT security, particularly social engineering scams, through more comprehensive and routine training programs.
- Run updates and add security patches to address any vulnerabilities found in software programs, applications, databases, and other IT systems.
- Develop an incident response plan, or a more thorough incident response plan, to follow in the event of a security breach.
- Set up ongoing monitoring and testing in order to adapt as needed to new security threats.
What are the pros and cons of penetration testing?
There are several advantages to penetration testing:
- Live training - Targeted testing and blind testing can provide the cyber security team with invaluable ‘in-the-moment’ insight into a live attack.
- Identify system vulnerabilities – Cyber-attacks are extremely common. Penetration testers are putting themselves in the hacker’s position. They are actively encouraged to find vulnerabilities and weaknesses in your IT, and in doing so, they can help you make your IT environment more secure.
- Gain insight into your digital systems – There is a limit to what automatically generated reports from online vulnerability tests can provide. Professional penetration testers can provide you with customer-created insight into your system’s vulnerabilities, and they can help identify what you can do about them. They can help you document and rank the risks, making actionable plans that are aligned with your organisation’s values and goals.
- Establish trust with your customers – By being aware of your system’s vulnerabilities and executing a plan to address them, you proactively protect your organisation and customers. You will be able to create security policies to help inform and reassure your employees and customers and, in doing so, build trust.
- Achieve security certification - Regulations such as PCI DSS and HIPAA require members to perform regular penetration testing. And that is also the case for industry certifications such as ISO 27001.
- Increase awareness amongst employees – Hackers deploy phishing attacks, baiting employees just as a fisherman uses bait to catch a fish. Penetration testing can highlight popular baiting tactics and help them understand how to keep the organisation’s systems as secure as possible.
Disadvantages to penetration testing include the following:
- It can be labour intensive and expensive – Organisations systems are often complex. They can cover various things, from web and mobile apps to networks, containers, embedded and mobile devices, and APIs. Performing manual penetration testing on every aspect of your IT requires a comprehensive approach. It is expensive. And it can also suck up important IT resources.
- Mistakes can be costly – Penetration testing is the deliberate and planned act of breaking into your IT systems. Once the penetration tester is in, they will try to assess the damage that they can cause. It is at this point where penetration testers need to be very careful. Unintended consequences such as your servers crashing, corrupting or losing data could be expensive and potentially embarrassing if it became public knowledge.
- Testing can be seen as unethical – There are certain hacking tactics, such as phishing, that a penetration tester will probably want to use. Some argue that this is unethical since the penetration testers can only phish by attempting to deliberately fool the organisation’s employees. Many phishing victims talk about the shame that they experience for being fooled by a hacker, however this feeling can be intensified for victims conned by a hacker who their employer has hired.
FAQs
What are the main types of penetration testing?
There are five main types of penetration testing. These are external testing, internal testing, blind testing, double-blind testing and targeted testing.
What areas should you perform penetration testing on?
Penetration testing is an exercise designed to identify any vulnerabilities in your IT systems. For this reason, the test must cover all areas of your IT environment, including web apps, mobile apps, networks, cloud environments, containers, embedded devices, mobile devices, APIs, and the CI/CD pipeline.
What are the key phases of penetration testing?
There are four key phases of penetration testing; planning and reconnaissance, scanning, access, and analysis.
Is penetration testing ethical?
There is an argument that penetration testing is unethical, because it uses similar techniques to criminals. This may include enticing staff to trust an untrustworthy source. If ethics is a primary concern, consider working with a reputable technology solutions provider who can listen to your concerns and create a custom-made cyber security plan that fits your values while ensuring your systems are properly tested.
What web application attacks might a tester use to gain access to a system?
Testers can deploy various tactics to gain access to a system to uncover a target’s vulnerabilities. These include cross-site scripting, SQL injection and backdoors.
What is The OWASP Foundation?
The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation. Its purpose is to improve software security. Security experts compile the OWASP Top 10 from around the world and feature the ten most critical risks at that particular time.
What is a phishing attack?
Phishing is where an attacker attempts to steal sensitive information, such as usernames, passwords, or credit card numbers, from a victim. The attacker does this by baiting the victim just as a fisherman uses bait to catch a fish. In most phishing cases, the attacker is masquerading as a reputable source with an enticing request, for example, offering a large sum of money in return for a small fee paid upfront or pretending that an account will be deactivated unless a fee is paid urgently.
Which industries perform penetration testing to keep their systems secure?
Organisations across all sectors and industries should consider conducting penetration testing to keep their sensitive data, and that of their customers, secure. In today’s modern business landscape, nearly every business, regardless of size, uses, stores, or shares sensitive information digitally. From email to financial transactions to customer databases, every area of an organisation where sensitive information is present needs to be scrutinised for vulnerabilities and potential security threats.
For many organisations, such as companies that accept online payments, penetration testing is a requirement in order to remain compliant with industry regulations.
Is penetration testing required for maintaining PCI DSS compliance?
Compliance Level 1 organisations and most compliance Level 2 organisations must conduct penetration testing in order to meet the Payment Card Industry Data Security Standard (PCI DSS).
Level 1 companies are those with more than 6 million annual card transactions, and Level 2 companies are those with 1-6 million annual card transactions. Penetration testing should be performed by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) at least annually, or whenever there’s been a change to the organisation’s IT infrastructure or operations.
Who should I contact about cybersecurity penetration testing?
For smaller businesses and organisations who don’t have internal IT security resources, it’s useful to work with a third-party IT security company that is qualified to perform sophisticated, thorough, and industry-specific penetration testing.
For penetration testing in the context of card payment security, penetration must be done by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA).
How often should penetration testing be conducted?
Certain industry regulations explicitly state how often an organisation needs to conduct penetration testing. For example, for PCI DSS compliance, companies who fall under the Level 1 and Level 2 compliance levels should run penetration tests annually or whenever a change has been made to any of their digital systems.
However, even in situations where regulations don’t require penetration testing, it’s in an organisation’s best interest to perform these tests on a routine basis.
Can penetration testing guarantee systems are and will remain secure?
No, penetration testing is highly effective at preventing security breaches, but no security solution is 100 percent foolproof. There’s always the possibility that hackers will outsmart even the most sophisticated penetration testing measures. Also, although employee training and education helps to prevent social engineering scams, the potential for humans to make mistakes remains an ongoing challenge.
In order to be as effective as possible, penetration testing should be done routinely, and the testing methods must adapt to new and emerging threats. In addition to full-scale penetration tests, ongoing monitoring helps ensure organisations are proactive about patching vulnerabilities and updating systems in response to new threats
Stay in English