Pen-testing, or penetration testing, is a form of ethical hacking. It’s used to intentionally cyberattack computer systems, networks, websites, and applications by white-hat hackers.
Carrying out these simulated attacks helps organisations and businesses identify security weaknesses in their infrastructure and applications, to help develop preventative strategies to keep up with the ever-evolving cyber threat landscape.
The objective is to find weaknesses before the bad guys do.
Common pen-testing strategies include:
- External testing: This involves attacking an organization's network perimeter from outside the organization's systems, e.g., the extranet and internet.
- Internal testing: Performed from within the organization’s environment, internal testing attempts to understand what could happen if the network perimeter were successfully penetrated, or what an authorized user could do to penetrate specific information resources within the organization's network.
- Blind testing: In this case, the tester tries to simulate the actions of a real hacker. The testing team has little or no information about the organization but instead must rely on publicly available information (such as corporate website, domain name registry, etc.) to gather information about the target and conduct its penetration tests.
- Double blind testing: In this exercise, only a few people within the organization are made aware of the testing. The IT and security staff are not notified or informed beforehand, and as such they are "blind" to the planned testing activities. Double-blind testing helps test an organization's security monitoring and incident identification processes, as well as its escalation and response procedures.
- Targeted testing: Also known as the lights-turned-on approach, target testing involves both IT and penetration testing teams. Testing activities and information concerning the target and the network design are known going in. Targeted tests require less time and effort than a blind test, but typically don’t provide as complete a picture of an organization's security vulnerabilities and response capabilities as other testing strategies.
Although pen-testing is useful, it can be limited in its effect. Many organisations have hundreds of people working for them with a multitude of applications being used throughout the business making it difficult to know where to focus the testing. What should they pen-test specifically? The potential scope can be almost endless.
One of the downsides to pen-testing is that it doesn’t consider the full range of penetration techniques that a real-world adversary would use to try to break into your systems, including in-person and digital social engineering and phishing are all common methods used by hackers.
That’s why we often recommend our clients consider red-teaming, instead of (or preferably in addition to) straight pen-testing.
Want to know more about red-teaming and how it can help protect your organisation?
> Learn more in this episode of our vodcast, Cybeers
