Penetration tests are intentional, authorised attacks on your IT system, executed to expose the weak spots in your system's defences, including cross-site scripting, source code, logic, and network configurations. Penetration tests give experts an understanding of the problems with the technical infrastructure that your company depends on.

1. What types of pen testing are there?

There are three main groups of penetration testing:

Network pen tests: The most commonly run pen test. Since networks have both internal and external access points, it is essential to run tests from both sides.

External pen tests involve an ethical hacker (hacking on your behalf rather than their own) trying to break into your organisation. The test is done off-site, as a real attacker would naturally work remotely. It is done with consent from your organisation and simulates the actions of a malicious hacker trying to get into your network.

Internal pen tests are undertaken for a different purpose. The objective is the same as for an external test, but the IT professional doing it has a degree of existing network access. Internal tests mimic the behaviour of either a hacker who already has access to the system or an untrustworthy employee trying to extend their existing access.

Read our blog post on external vs internal pen-testing.

Web application pen tests: Web apps, browsers and plug-ins can house sensitive financial or personal data, so hackers are increasingly putting their efforts towards gaining access to them. This test examines every endpoint of a web application that a user might come into contact with, so it requires extensive time and planning from IT professionals. Web app test methods are continually evolving, as is the number of threats to them.

Social engineering pen tests: Social engineering penetration tests identify the risk of malicious agents exploiting vulnerabilities in your workforce. Hostile actors can gain access to your systems through deception and manipulation of staff. Social engineering techniques include phishing, dumpster diving, eavesdropping, shoulder surfing and tailgating.

2. What is the goal of pen testing? 

There is a misconception that pen testing is a method of identifying vulnerabilities. Although the result is that it exposes the risks present in your systems, pen-testing shouldn't be an organisation's primary method of identifying them. Penetration testing should take place after your organisation has been fortified by your (internal or external) IT team, as a way to gain assurance of your organisation's security.

Some experts have compared penetration testing to a financial audit. Your financial team does its day-to-day work of tracking profit, loss and income, and an external group comes in to confirm that the internal team's methods are up to scratch.

3. How is pen testing done?

According to the National Cyber Security Centre, most tests follow a similar process: initial engagement, scoping, testing and follow-up. There will be a written report and a severity rating for any risk factors that are identified. Before commissioning this kind of test, you should already have an internal vulnerability assessment and management process in place.

There are three main ways that pen testing is done:

Black box testing: In black box testing, the client doesn't provide the IT professional with any information about their infrastructure. They will give only a URL or IP address. In some cases, they will give only the company name.

White box testing: In a white box test, the company undertaking the pen test is provided with detailed information about the applications and infrastructure. Having extra information allows for a more detailed and extensive testing process. It is common to provide architecture documentation and source code.

Grey box testing: Grey box testing, as you might guess, is a hybrid of black and white box testing. Clients provide the testing company with selected pieces of information to assist in the testing process. This method is significantly more thorough than black box testing but more cost-effective than white box testing.

4. Is pen-testing difficult?

It can be challenging for organisations without unlimited resources to decide on the scope of a pen test. Failing to decide on your highest priorities can allow the focus of the testing to drift away from what matters, which can leave significant parts of your organisation harbouring critical risks and vulnerabilities. A pen test with a broader scope is likely to give your organisation less in-depth information than a test with a specific objective or area of concern.

Pen testers and their clients often work with highly classified and sensitive information. Little of it is shared, so pen testers have few resources with which to model or compare pen tests of similar organisations. If data or records of previous penetration tests were kept anywhere, they would be at risk of falling into the hands of hackers, and companies don't want the details of their vulnerabilities to be shared. It is, therefore, difficult for IT professionals and pen testers to build a comprehensive understanding of what risks are out there.

5. What does an effective penetration test consist of?

A clear strategy

There must be a high-level view of the risks and the impact that these risks could have on your organisation, laid out clearly in writing. Members of staff from every department, and particularly non-technical staff from the department involved in the penetration test, should be able to understand it.

A way to categorise risk

When vulnerabilities or risks arise, your IT department must be able to communicate the risk level to senior decision-makers quickly. The ability to categorise risk is especially important when something is system-critical and a staff member needs to take action.

A way to convey a risk’s impact

During or after a penetration test, it is essential to assess both how likely something is to happen and the impact it will have if it does. The specific impact on the organisation also needs to be communicated to decision-makers. A way to measure both of these things is vital in making the penetration test effective.

Multiple options for remedy

Knowing what's wrong is essential, but an excellent pen test will convey exactly how you can solve the problem that has arisen. These recommendations should never be generic, should never assume that the reader has extensive knowledge, and should never assume that internal staff already have the skills to fix the issue.