What is penetration testing?
January 24, 2024 · 15 min read
Penetration testing is an important exercise for many organisations. In fact, some organisations are required to perform regular penetration tests in order to comply with security regulations such as PCI DSS.
In this article, we will explain what penetration testing is and how it works. We will also explain why many organisations do it, and why some choose not to.
What is penetration testing?
Penetration testing is the deliberate, “white-hat,” hacking of IT systems in order to identify vulnerabilities and assess the effectiveness of an organisation’s security controls. By simulating real-world scenarios, such as DDoS attacks, phishing scams, and social engineering, penetration testing allows security experts to pinpoint areas that require greater security, with the ultimate goal of safeguarding against genuine breaches in the future.
It is possible to use online vulnerability tools to assess your systems' security. These generate reports automatically and are often referred to as ‘automated’ testing, whereas penetration testing performed by a person is often referred to as ‘manual’ testing.
There are a variety of ways in which penetration testers can evaluate an IT system’s security, and we will cover these shortly. It is important to note that penetration testers use similar approaches to attackers, as they seek to identify system weaknesses. This enables them to evaluate the business risks and identify appropriate solutions, to help mitigate the threat of a system breach.
What are the objectives of penetration testing?
The overarching goal of penetration testing is simple: to protect IT systems, safeguard data, and prevent all potential security breaches. To meet this primary goal, penetration testing has the following more specific objectives:
Identify security weak points
It is through thorough penetration testing that organisations can discover the vulnerabilities in their current operational systems—from their software configurations to their third-party relationships to their network infrastructure. By pinpointing these weaknesses, they’re able to develop specific, tailored solutions rather than relying on generic, one-size-fits-all security measures.
Evaluate existing security controls
Part of penetration testing is determining whether an organisation's existing security measures stand up to the latest, most advanced hacking techniques. It’s a useful way of showing whether security measures are working as they should be, or whether they need to be improved or updated to protect against new and evolving threats.
Test incident response and enhance preparedness
Although the hope is to always prevent security breaches before they happen, it’s also important for organisations to have a plan in place in the event a breach does occur. Penetration testing allows organisations to practice their emergency response protocols so that they can be prepared for any future incidents.
Ensure compliance with industry regulations
A secondary objective of penetration testing is to ensure an organisation is in compliance with industry regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR), and the Health Insurance Portability and Accountability Act (HIPAA). Penetration testing will help determine whether an organisation meets industry standards—plus, the testing itself can be a regulatory requirement (as is the case with PCI DSS).
What type of threats does penetration testing help prevent?
Good to know: The most common cybersecurity threat organisations face is unauthorised access and data theft from bad actors outside of the organisation.
In these cases, hackers are usually seeking sensitive data (e.g. credit card details, personally identifiable information) that they can use for their own financial gain (e.g. credit card data theft, identity theft, etc.).
External threats include:
Social engineering is any manipulation that exploits human psychology in order to gain access to sensitive information or systems. Examples include:
A subset of social engineering, phishing is the attempt to trick someone into revealing sensitive information through fake emails or websites, usually by impersonating a business they trust (e.g. bank, software company, etc.).
Distributed Denial of Service (DDoS) attacks are designed to overwhelm systems with traffic, leading systems to go down and services to be disrupted.
Malware, such as viruses, trojans, and ransomware, can be used to disrupt IT systems or gain unauthorised access to sensitive data. It can be introduced through downloadable email attachments, compromised software programs, infected websites, or unapproved USB sticks or external hard drives.
Brute force hacking
Brute force attacks are a method of hacking passwords or other sensitive login credentials (e.g. encryption keys) through a mass-scale trial-and-error approach. Hackers use automated tools to test thousands of different credentials until they find the right one and can gain unauthorised access.
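Because brute force attacks rely on volume, they leave a distinctive trail in authentication logs: many failed logins from one source in a short window. The following is an added example (not code from the original article) of the kind of detection logic a defender would run over such logs. The log lines are constructed to resemble sshd output, and the threshold and window values are illustrative assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-like format (not real data).
# 203.0.113.5 fails six times within a minute; 198.51.100.7 fails twice, far apart.
SAMPLE_LOG = """\
2024-01-24T10:00:01 sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 51011
2024-01-24T10:00:02 sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 51012
2024-01-24T10:00:03 sshd[101]: Failed password for root from 203.0.113.5 port 51013
2024-01-24T10:00:04 sshd[101]: Failed password for root from 203.0.113.5 port 51014
2024-01-24T10:00:05 sshd[101]: Failed password for invalid user test from 203.0.113.5 port 51015
2024-01-24T10:00:06 sshd[101]: Failed password for invalid user guest from 203.0.113.5 port 51016
2024-01-24T10:05:00 sshd[102]: Failed password for alice from 198.51.100.7 port 40001
2024-01-24T10:05:30 sshd[103]: Accepted password for alice from 198.51.100.7 port 40002
2024-01-24T10:30:00 sshd[104]: Failed password for alice from 198.51.100.7 port 40003
"""

# Only failed logins are of interest; "Accepted" lines deliberately do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)


def parse_failures(log_text):
    """Return (timestamp, source_ip, username) for every failed login line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group("ts")), m.group("ip"), m.group("user")))
    return events


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window count of failures per source IP.

    Returns {ip: peak_failures_in_window} for every IP that reached the
    threshold at any point. Threshold and window are assumed tuning values.
    """
    events = sorted(parse_failures(log_text))  # chronological order
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    alerts = {}
    for ts, ip, _user in events:
        q = recent[ip]
        q.append(ts)
        # Drop failures older than the window relative to the newest one.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[ip] = max(alerts.get(ip, 0), len(q))
    return alerts


if __name__ == "__main__":
    for ip, count in detect_brute_force(SAMPLE_LOG).items():
        print(f"ALERT: {count} failed logins from {ip} within one minute")
```

Run stand-alone, the script flags only 203.0.113.5; the two spread-out failures from 198.51.100.7 stay below the threshold, which is the behaviour you want so that ordinary typos do not page anyone. The same logic applies to web login forms or VPN gateways once the regular expression is adapted to their log format.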
Zero-day (0day) exploits
A zero-day exploit is an attack that takes advantage of a vulnerability in a software program before its developers have had time to fix it. By attacking on the same day the weakness is discovered (day zero), hackers are able to access systems before the software can be patched and updated.
Another cybersecurity concern is when the threat is coming from within the organisation itself. Although it can be unsettling to consider that employees and third-party partners may have malicious intentions, the reality is that addressing internal threats is crucial to IT security, and this type of threat must be considered when conducting penetration testing. Also, internal security threats aren’t always intentional; they can stem from inadvertent actions and negligence.
Common internal threats include:
Advanced Persistent Threats (APTs)
Probably the most dangerous cybersecurity threat is the potential for routine and long-term infiltration by sophisticated hackers who steal data while remaining undetected for large stretches of time. These types of digital espionage are known as Advanced Persistent Threats (APTs), and they’re often conducted by a nation-state or state-sponsored group with the goal of mining data, disrupting systems, or simply accessing sensitive information for political purposes.
What are the benefits of penetration testing?
Cybersecurity risks are becoming more common and more severe. Long-term impacts can include damage to the organisation’s brand reputation, a loss of customer trust, loss of competitive advantage, reduction in credit rating, and increase in cyber insurance premiums.
How does penetration testing work?
Planning and scope
Before initiating a penetration test, the team or company performing the test should outline the scope of the test, list the test objectives, and identify which systems and networks will be assessed (and to what extent). It’s important for the testing team to communicate clearly and openly with stakeholders within the organisation (e.g. IT teams, operations, human resources, etc.) in order to thoroughly identify all potentially vulnerable areas of the business.
Common systems that require penetration testing include:
Although the individual or team conducting the penetration testing should be familiar with all areas of the business, they should not disclose to internal teams when and how the testing will take place. Penetration testing works best when it mimics real-world scenarios, and therefore no advance notice should be given.
Accessing, scanning, and observation
After the initial planning phase, the individual or team performing the assessment will enter the active testing phase. This involves gaining access to the organisation’s systems through the use of common scams and hacking techniques. They will scan systems searching for weaknesses that can be exploited to gain access to sensitive data.
Common techniques involved in penetration testing include:
Reporting, analysis, and fixes
The final step of the penetration testing process is to compile the results, analyse the findings, and take steps to resolve any issues that are uncovered. Penetration testing experts typically provide comprehensive reports detailing identified vulnerabilities, the threat levels, and their list of recommended solutions.
Following penetration testing, organisations are often advised to do the following:
- Enhance employee awareness of IT security, particularly social engineering scams, through more comprehensive and routine training programs.
- Run updates and add security patches to address any vulnerabilities found in software programs, applications, databases, and other IT systems.
- Develop an incident response plan, or a more thorough incident response plan, to follow in the event of a security breach.
- Set up ongoing monitoring and testing in order to adapt as needed to new security threats.
What are the pros and cons of penetration testing?
There are several advantages to penetration testing:
Disadvantages to penetration testing include the following:
What are the main types of penetration testing?
There are five main types of penetration testing. These are external testing, internal testing, blind testing, double-blind testing and targeted testing.
What areas should you perform penetration testing on?
Penetration testing is an exercise designed to identify any vulnerabilities in your IT systems. For this reason, the test must cover all areas of your IT environment, including web apps, mobile apps, networks, cloud environments, containers, embedded devices, mobile devices, APIs, and the CI/CD pipeline.
What are the key phases of penetration testing?
There are four key phases of penetration testing: planning and reconnaissance, scanning, access, and analysis.
Is penetration testing ethical?
There is an argument that penetration testing is unethical, because it uses similar techniques to criminals. This may include enticing staff to trust an untrustworthy source. If ethics is a primary concern, consider working with a reputable technology solutions provider who can listen to your concerns and create a custom-made cyber security plan that fits your values while ensuring your systems are properly tested.
What web application attacks might a tester use to gain access to a system?
Testers can deploy various tactics to gain access to a system to uncover a target’s vulnerabilities. These include cross-site scripting, SQL injection and backdoors.
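The two injection-style weaknesses named above, SQL injection and cross-site scripting, both come down to user input being interpreted as code rather than data. The following added example (not code from the original article) shows a vulnerable lookup and a vulnerable page renderer beside their hardened forms, using an in-memory SQLite database and a constructed user table so it runs offline. The table, column and function names are assumptions for illustration.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory user table so the example runs without a real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """SQL injection: the input is spliced into the SQL text, so quotes and
    keywords in it change the meaning of the query."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_hardened(conn, username):
    """Parameterised query: the driver sends the input as a bound value,
    so it can only ever be compared as a string, never parsed as SQL."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def render_vulnerable(display_name):
    """Reflected XSS: untrusted text is placed directly into HTML, so any
    markup it contains becomes part of the page."""
    return f"<p>Welcome, {display_name}</p>"


def render_hardened(display_name):
    """Output encoding: html.escape turns <, >, &, and quotes into entities,
    so the browser shows the text instead of interpreting it."""
    return f"<p>Welcome, {html.escape(display_name)}</p>"


if __name__ == "__main__":
    db = make_db()
    # A normal input behaves the same in both versions.
    print(lookup_vulnerable(db, "alice"), lookup_hardened(db, "alice"))
    # A single quote is enough to show the difference: the vulnerable version's
    # WHERE clause is rewritten and returns every user; the hardened one returns none.
    odd_input = "' OR '1'='1"
    print(lookup_vulnerable(db, odd_input), lookup_hardened(db, odd_input))
    print(render_vulnerable("<b>guest</b>"))
    print(render_hardened("<b>guest</b>"))
```

A tester reporting these issues would point to the string-formatted query and the unescaped template as the root cause; the fix in each case is structural (bind parameters, encode on output) rather than a blocklist of bad characters, which is why the hardened functions contain no input filtering at all.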
What is The OWASP Foundation?
The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation whose purpose is to improve software security. Security experts from around the world compile the OWASP Top 10, which lists the ten most critical web application security risks at that particular time.
What is a phishing attack?
Phishing is where an attacker attempts to steal sensitive information, such as usernames, passwords, or credit card numbers, from a victim. The attacker does this by baiting the victim just as a fisherman uses bait to catch a fish. In most phishing cases, the attacker is masquerading as a reputable source with an enticing request, for example, offering a large sum of money in return for a small fee paid upfront or pretending that an account will be deactivated unless a fee is paid urgently.
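The traits described above, impersonation of a trusted source and an urgent demand, are exactly what mail filters and security awareness checklists look for. As an added example (not part of the original article), the following script scores a message on three such indicators: a display name that claims a trusted brand while the sending address belongs to another domain, a link whose visible text shows one address while it actually points elsewhere, and urgency wording. Both sample messages, the trusted-domain list and the keyword list are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not real mail). The brand "example-bank.com" is fictitious.
PHISHING_FROM = 'Example Bank Security <alerts@example-bank-verify.net>'
PHISHING_SUBJECT = 'URGENT: your account will be deactivated'
PHISHING_BODY = (
    '<p>Please <a href="http://login.example-bank-verify.net/auth">'
    'https://online.example-bank.com/login</a> immediately.</p>'
)
LEGIT_FROM = 'Example Bank <noreply@example-bank.com>'
LEGIT_SUBJECT = 'Your January statement is ready'
LEGIT_BODY = '<p>View it at <a href="https://online.example-bank.com/statements">your account</a>.</p>'

TRUSTED_DOMAINS = {"example-bank.com"}  # assumed allow-list for the brand being protected
URGENCY_WORDS = ("urgent", "immediately", "deactivated", "suspended")
LINK_RE = re.compile(r'<a\s+href="(?P<href>[^"]+)"[^>]*>(?P<text>.*?)</a>', re.I | re.S)
ADDR_RE = re.compile(r'<(?P<addr>[^>]+)>\s*$')
TAG_RE = re.compile(r"<[^>]+>")


def registrable_domain(host):
    """Crude registrable domain: last two labels. A real filter would use the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def host_of(url_or_host):
    """Hostname from a URL, or from a bare domain the way it appears in link text."""
    parsed = urlparse(url_or_host if "://" in url_or_host else "http://" + url_or_host)
    return parsed.hostname or ""


def is_trusted(host):
    return registrable_domain(host) in TRUSTED_DOMAINS


def phishing_indicators(from_header, subject, body_html):
    """Return a list of human-readable indicators; an empty list means none were found."""
    found = []

    # 1. Display name claims a trusted brand, but the address domain is not that brand's.
    m = ADDR_RE.search(from_header)
    sender_host = m.group("addr").split("@")[-1] if m else ""
    display = from_header[: m.start()].strip().lower() if m else from_header.lower()
    brand_claimed = any(d.split(".")[0].replace("-", " ") in display for d in TRUSTED_DOMAINS)
    if brand_claimed and not is_trusted(sender_host):
        found.append(f"sender domain {sender_host} does not belong to the claimed brand")

    # 2. Links: visible text shows one host while the href points to another, or to an untrusted host.
    for link in LINK_RE.finditer(body_html):
        href_host = host_of(link.group("href"))
        text = TAG_RE.sub("", link.group("text")).strip()
        if re.match(r"^(https?://|www\.)", text, re.I) and host_of(text) != href_host:
            found.append(f"link text shows {host_of(text)} but points to {href_host}")
        if not is_trusted(href_host):
            found.append(f"link to untrusted domain {href_host}")

    # 3. Urgency language in subject or body text.
    text_blob = (subject + " " + TAG_RE.sub(" ", body_html)).lower()
    hits = [w for w in URGENCY_WORDS if w in text_blob]
    if hits:
        found.append("urgency language: " + ", ".join(hits))
    return found


if __name__ == "__main__":
    for label, args in (("phishing", (PHISHING_FROM, PHISHING_SUBJECT, PHISHING_BODY)),
                        ("legitimate", (LEGIT_FROM, LEGIT_SUBJECT, LEGIT_BODY))):
        print(label, phishing_indicators(*args) or ["no indicators"])
```

The constructed phishing message trips all three checks; the legitimate statement notice trips none. Heuristics like these are a starting point for triage rather than a verdict, which is why the function returns the reasons instead of a single score.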
Which industries perform penetration testing to keep their systems secure?
Organisations across all sectors and industries should consider conducting penetration testing to keep their sensitive data, and that of their customers, secure. In today’s modern business landscape, nearly every business, regardless of size, uses, stores, or shares sensitive information digitally. From email to financial transactions to customer databases, every area of an organisation where sensitive information is present needs to be scrutinised for vulnerabilities and potential security threats.
For many organisations, such as companies that accept online payments, penetration testing is a requirement in order to remain compliant with industry regulations.
Is penetration testing required for maintaining PCI DSS compliance?
Compliance Level 1 organisations and most compliance Level 2 organisations must conduct penetration testing in order to meet the Payment Card Industry Data Security Standard (PCI DSS).
Level 1 companies are those with more than 6 million annual card transactions, and Level 2 companies are those with 1-6 million annual card transactions. Penetration testing should be performed by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) at least annually, or whenever there’s been a change to the organisation’s IT infrastructure or operations.
Who should I contact about cybersecurity penetration testing?
For smaller businesses and organisations who don’t have internal IT security resources, it’s useful to work with a third-party IT security company that is qualified to perform sophisticated, thorough, and industry-specific penetration testing.
For penetration testing in the context of card payment security, the testing must be done by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA).
How often should penetration testing be conducted?
Certain industry regulations explicitly state how often an organisation needs to conduct penetration testing. For example, for PCI DSS compliance, companies who fall under the Level 1 and Level 2 compliance levels should run penetration tests annually or whenever a change has been made to any of their digital systems.
However, even in situations where regulations don’t require penetration testing, it’s in an organisation’s best interest to perform these tests on a routine basis.
Can penetration testing guarantee systems are and will remain secure?
No. Penetration testing is highly effective at preventing security breaches, but no security solution is 100 percent foolproof. There’s always the possibility that hackers will outsmart even the most sophisticated penetration testing measures. Also, although employee training and education help to prevent social engineering scams, the potential for humans to make mistakes remains an ongoing challenge.
In order to be as effective as possible, penetration testing should be done routinely, and the testing methods must adapt to new and emerging threats. In addition to full-scale penetration tests, ongoing monitoring helps ensure organisations are proactive about patching vulnerabilities and updating systems in response to new threats.