What is Penetration Testing? Pen testing explained

What is penetration testing?

Penetration testing, also known as pen testing, is when an organisation arranges to conduct comprehensive simulated hacking on their applications and/or infrastructure to determine where vulnerabilities exist.

Penetration testing is designed to evaluate the likelihood of a potential hack and, crucially, it provides targeted recommendations for addressing identified vulnerabilities. The frequency and depth of pen tests should be determined by the level of risk a business aims to mitigate, as well as any compliance or regulatory requirements, such as PCI-DSS, that the company must adhere to.

What are the types of pen tests?

Types of pen tests include system-specific tests, like cloud penetration testing, social engineering pen testing, web app pen testing, wireless network pen testing, mobile device pen testing and operational technology pen testing. Here are the common pen tests conducted by Cyber Security companies:

External penetration tests

External penetration tests public-facing systems by simulating a malicious attacker on the internet. Public facing systems include servers that have public IP addresses which can be accessed by users on the internet, such as websites and email servers.

External penetration testing uses tools and methods that can detect issues such as identifying firewall misconfigurations, identification of unpatched vulnerabilities and locating and compromising administrative services and interfaces.

Internal penetration tests

Internal penetration testing simulates an internal attacker such as an employee or contractor who has access to your internal network or external intruders who have breached perimeter defences.

Closed-box pen tests

A closed-box, or black-box, pen test is when the ethical hacker is not given any systems or asset knowledge in advance of the test. Sometimes this is known as a blind test.

Open-box pen tests

An open-box, or white-box, pen test is when the ethical hacker is given internal systems information in advance, such as network diagrams and config files.

Double-blind pen tests

A double-blind pen test is when security teams and IT staff have no prior knowledge of the scheduled test. This type of pen test will also validate how teams respond under a real hacking attempt.

Who performs pen tests?

Penetration tests are typically conducted by an independent, external third party, engaged specifically for their expertise in simulating realistic cyber attacks. Depending on the scope of the test, these professionals, also known as ethical hackers, may start with limited or no prior knowledge of the organisation's systems to mimic the approach of real-world attackers, or they may be given basic information to focus their testing more precisely.

Ethical hacking

Ethical hackers possess advanced knowledge of adversarial tactics, common network and application vulnerabilities, and social engineering techniques, all aimed at identifying and exploiting security gaps to help enhance system protections. These specialists often come from a background in development and hold advanced certifications, or they may be self-taught hackers who have transitioned into professional security roles.

Choosing a pen tester

When selecting a pen testing provider, it's advisable to choose companies and individuals with extensive experience across various testing scenarios and who are certified to industry standards, such as CREST, to ensure a comprehensive and effective security assessment.

How is a typical pen test carried out?

Pen tests are typically carried out using a variety of TTPs (Tactics, Techniques, and Procedures). These could be following a specific open framework or combination of frameworks, such as OWASP’s Web Security Testing Guide, or use a proprietary internally defined process. They would also include intellectual property of the tester and/or company, which is why there can be such a variance in quality of the tests that are conducted. Typically the process to conduct a test will cover Reconnaissance, Vulnerability Detection, Exploitation, Privilege Escalation, Data Exfiltration, and Reporting and Delivery.

Penetration testing process

Throughout the process, the pen tester will use digital tools and techniques such as OS fingerprinting, network device discovery, password brute forcing, mail spoofing, web SQL injection, and backdoor installers. There may also be physical or social engineering techniques used such as impersonating contractors or piggybacking through a secure building entryway.

Once the pen tester has successfully completed all tests, there is delivery of a final report to the client indicating the results, vulnerabilities, and risks.

Penetration tests are conducted using a diverse range of Tactics, Techniques, and Procedures (TTPs), either by adhering to established frameworks like OWASP’s Web Security Testing Guide or through a proprietary methodology developed internally. The unique intellectual property brought by each tester or company often accounts for the varying quality of these tests.

The typical penetration testing moves in the following stages Reconnaissance, Vulnerability Detection, Exploitation, Privilege Escalation, Data Exfiltration, and Reporting and Delivery. During these phases, testers could deploy digital tools and techniques, including OS fingerprinting, network device discovery, password brute-forcing, email spoofing, web SQL injection, and the installation of backdoors. Additionally, testers may utilise physical or social engineering tactics, such as impersonating contractors or exploiting secure building entries.

Upon completion of all testing phases, a detailed final report is delivered to the client. This report outlines the results, identifies vulnerabilities, and assesses the associated risks, providing critical insights into the security posture of the organisation.