Posted by
Share this article
Penetration testing, or pen testing, is a type of cybersecurity testing that simulates hacking attempts on an organisation. Pen testing is designed to validate systems security and highlight vulnerabilities that need attention.
What is penetration testing?
Penetration testing, also known as pen testing, is when an organisation arranges to conduct comprehensive simulated hacking on their applications and/or infrastructure to determine where vulnerabilities exist.
Penetration testing is designed to evaluate the likelihood of a potential hack and, crucially, it provides targeted recommendations for addressing identified vulnerabilities. The frequency and depth of pen tests should be determined by the level of risk a business aims to mitigate, as well as any compliance or regulatory requirements, such as PCI-DSS, that the company must adhere to.
What are the types of pen tests?
Types of pen tests include system-specific tests, like cloud penetration testing, social engineering pen testing, web app pen testing, wireless network pen testing, mobile device pen testing and operational technology pen testing. Here are the common pen tests conducted by Cyber Security companies:
External penetration tests
External penetration tests public-facing systems by simulating a malicious attacker on the internet. Public facing systems include servers that have public IP addresses which can be accessed by users on the internet, such as websites and email servers.
External penetration testing uses tools and methods that can detect issues such as identifying firewall misconfigurations, identification of unpatched vulnerabilities and locating and compromising administrative services and interfaces.
Internal penetration tests
Internal penetration testing simulates an internal attacker such as an employee or contractor who has access to your internal network or external intruders who have breached perimeter defences.
Closed-box pen tests
A closed-box, or black-box, pen test is when the ethical hacker is not given any systems or asset knowledge in advance of the test. Sometimes this is known as a blind test.
Open-box pen tests
An open-box, or white-box, pen test is when the ethical hacker is given internal systems information in advance, such as network diagrams and config files.
Double-blind pen tests
A double-blind pen test is when security teams and IT staff have no prior knowledge of the scheduled test. This type of pen test will also validate how teams respond under a real hacking attempt.
Who performs pen tests?
Penetration tests are typically conducted by an independent, external third party, engaged specifically for their expertise in simulating realistic cyber attacks. Depending on the scope of the test, these professionals, also known as ethical hackers, may start with limited or no prior knowledge of the organisation's systems to mimic the approach of real-world attackers, or they may be given basic information to focus their testing more precisely.
Ethical hacking
Ethical hackers possess advanced knowledge of adversarial tactics, common network and application vulnerabilities, and social engineering techniques, all aimed at identifying and exploiting security gaps to help enhance system protections. These specialists often come from a background in development and hold advanced certifications, or they may be self-taught hackers who have transitioned into professional security roles.
Choosing a pen tester
When selecting a pen testing provider, it's advisable to choose companies and individuals with extensive experience across various testing scenarios and who are certified to industry standards, such as CREST, to ensure a comprehensive and effective security assessment.
How is a typical pen test carried out?
Pen tests are typically carried out using a variety of TTPs (Tactics, Techniques, and Procedures). These could be following a specific open framework or combination of frameworks, such as OWASP’s Web Security Testing Guide, or use a proprietary internally defined process. They would also include intellectual property of the tester and/or company, which is why there can be such a variance in quality of the tests that are conducted. Typically the process to conduct a test will cover Reconnaissance, Vulnerability Detection, Exploitation, Privilege Escalation, Data Exfiltration, and Reporting and Delivery.
Penetration testing process
Throughout the process, the pen tester will use digital tools and techniques such as OS fingerprinting, network device discovery, password brute forcing, mail spoofing, web SQL injection, and backdoor installers. There may also be physical or social engineering techniques used such as impersonating contractors or piggybacking through a secure building entryway.
Once the pen tester has successfully completed all tests, there is delivery of a final report to the client indicating the results, vulnerabilities, and risks.
Penetration tests are conducted using a diverse range of Tactics, Techniques, and Procedures (TTPs), either by adhering to established frameworks like OWASP’s Web Security Testing Guide or through a proprietary methodology developed internally. The unique intellectual property brought by each tester or company often accounts for the varying quality of these tests.
The typical penetration testing moves in the following stages Reconnaissance, Vulnerability Detection, Exploitation, Privilege Escalation, Data Exfiltration, and Reporting and Delivery. During these phases, testers could deploy digital tools and techniques, including OS fingerprinting, network device discovery, password brute-forcing, email spoofing, web SQL injection, and the installation of backdoors. Additionally, testers may utilise physical or social engineering tactics, such as impersonating contractors or exploiting secure building entries.
Upon completion of all testing phases, a detailed final report is delivered to the client. This report outlines the results, identifies vulnerabilities, and assesses the associated risks, providing critical insights into the security posture of the organisation.
Understanding the Outcomes and Next Steps After a Penetration Test
The concluding phase of penetration testing focuses on the comprehensive reporting of findings. The report details a list of identified vulnerabilities alongside recommended remediations or alternative compensating controls to mitigate the risk of a successful attack. The organisation should then implement these remediations as deemed appropriate. It is crucial that the report not only presents technical findings but also translates these into terms that are readily understandable by non-technical stakeholders. This ensures that the business implications of the risks identified are clearly communicated and effectively addressed.
Written by Arni Mar Hardarson
Contact us
Speak with a Tesserent
Security Specialist
Tesserent is a full-service cybersecurity and secure cloud services provider, partnering with clients from all industries and all levels of government. Let’s talk.