Close up of security professional showing need for penetration testing

What Is Penetration Testing and Why Do You Need It?

A penetration test is an intense level of breach simulation, meant to prepare an organization for most types of attack. While lower-level vulnerability scans simply run tests for known and published vulnerabilities against your network; during penetration testing, a skilled security professional (or a security team) acts like a hacker and tries to come up with novel and creative ways to get into your systems.

While regular patching and updating of hardware and software to close off known vulnerabilities is an extremely important security element, it does not guarantee that the network is secure. Penetration testing is a holistic approach that tests other possible attack routes and security vulnerabilities: misconfigurations, internally developed applications and sometimes social engineering of employees (just to name a few). It also helps to reduce the usually high “false positive” count that an automated vulnerability scan will tend to produce.

A penetration test is an intense level of breach simulation, meant to prepare an organization for most types of attack.

The penetration testing process can be broken down into a series of basic stages. The first stage consists of planning and gathering intelligence on the target network, with the penetration tester solidifying clear goals for the outcome of the test. The penetration tester then scans the network to determine what the most viable routes of cyber attack are, with a particular focus on web applications and how they function while running.

The next step is the attempts to gain access to the network, the nature of which can vary depending on the established goals of the test. For example, if the network is running its own home-grown applications that need to be evaluated the pen testers will probably try a variety of common attacks (such as SQL injection and cross-site scripting) to see how effective they are. At this point the employees may also be tested if they are included in the scope of the exercise; this could include attempts such as phishing emails and social engineering calls. If the network is breached successfully, the final step is to simulate an attacker’s attempt to maintain long-term access.

The penetration test concludes with a written report assessing the overall security posture with the vulnerabilities that were found, any sensitive data that was accessed and the amount of time that the tester was able to remain in the system before being detected.

Security professionals conducting penetration testing

Who should penetration test, and how often should they do it? Security testing of this sort is beneficial to nearly every type of business with an online presence, even small businesses. This is especially beneficial for any small business that is protecting sensitive information (or has billing systems that attackers might exploit).

As to how often, security professionals tend to suggest that it be done at least once a year with a once-monthly schedule more appropriate for high value targets that experience frequent attacks or may be more prone to developing security weaknesses. Doing it after major changes to networks and systems is also highly recommended.

What are the different types of penetration testing?

Penetrating testing should be done at least once a year with a once-monthly schedule more appropriate for high value targets

Though penetration tests generally attempt to find as many vulnerabilities as possible with as many methods as possible, there are different types that put the focus on different areas of the network, aspects of the organization’s security or expected attack conditions. This helps to control the cost of penetration testing, as trying absolutely everything possible would take a prohibitive amount of time.

So what are these different categories of penetration testing? Here are some of the most common categories you will encounter.

First, consider the level of information provided to the penetration testing team. Approaches include:

  • Blind: Blind testing provides the penetration testers with only the name of the organization to be attacked, and no further information. This method is meant to be the most realistic simulation of an external attack, and allows company IT security personnel to monitor the attacker’s actions in real time as they take place. This can also be called a “closed box” or “single blind” test.
  • Covert: With this type of test, the company’s IT and security team is not made aware that penetration testing is happening. They are expected to assume that the intrusion attempts they see are real. These arrangements can be legally tricky, but can be hashed out by spelling out the full scope of action for the pen testers in writing beforehand and by having a clear contract that spells out the terms in place. Sometimes also called a “double blind” test.
  • Black-box: With this approach, penetration testers are provided with the specific targets of the exercise. Allowing the team to focus their efforts on a specific set of targets and to simulate an attacker without authorized access to the network and systems.
  • Grey-box: These types of tests provide the penetration testing team with some sort of information about the company’s IT defenses ahead of time and test user accounts. This simulates an attacker that is approaching from the outside but has some internal knowledge that is not available to the general public or an authorized user attempting to exploit the target systems.

Man holding glasses against backdrop of computer screen showing different types of penetration testing

Penetration testing can also simulate attacks from the public internet or as someone with access to the internal protected network:

  • External: External testing focuses on the public-facing assets of the company, but is more rigorous than a typical vulnerability scan. The penetration testers will probe the organization’s websites, email servers, domain name servers, web applications and anything else they can reach without company credentials.
  • Internal: An internal examination starts the pen tester behind the external defenses, allowing them to get straight to probing the organization’s network. This is most often simulating an attack that begins with an employee being phished successfully or a member of the organization “going rogue” and attempting to escalate their level of access to sensitive information.

And lastly, penetration tests can focus on specific layers of the organization’s technology environment:

  • Network: A pen test of this type focuses on the network components: hosts, routers, switches and network devices. The testers will be looking for improperly-configured devices, known hardware, operating system and common software exploits and weak passwords.
  • Application: As the name implies, this form of penetration testing focuses specifically on the web, mobile and other client-server software applications. It will usually hit them with an array of expected attacks such as cross-site scripting and request forgery, injection flaws, and exploitation of problematic direct object references and session management issues.

Why penetration testing is important

Cyber attacks are only increasing in number and becoming more sophisticated. They are also no longer the province of experienced hackers or sophisticated criminal actors. Less skilled hackers have created a nice sideline for themselves in licensing the use of automated tools and “hacking in a box” products. This means millions of predators out there constantly scanning the internet for vulnerabilities, scooping up low-hanging fruit that yesterday’s hackers might not have noticed or concerned themselves with.

Penetration testing does a much better job of testing elements that a surface scan cannot really reach or assess properly

Penetration testing can be economical as compared to vulnerability scanning when the removal of “false positives” to chase down is factored in. It also does a much better job of testing the inner layer of organizational defenses, elements that a surface scan cannot really reach or assess properly. Elements of the inner layer that simple vulnerability scans are usually inadequate to address include security controls governing handoffs from one area of the network to another, any internal applications that the company has developed on its own, and the conduct and security hygiene of employees.

Penetration testing of web applications is particularly important given that very many of them have vulnerabilities, and these vulnerabilities can often only be discovered by internal testing. Penetration testers use a combination of open source and proprietary tools to batter web apps with a variety of attacks and suss out exactly what their exploitable vulnerabilities are.

Penetration testing may seem like a luxury risk management expense at first look, but it can prove to be worth more than its weight in heading off certain heavy costs: data breach fines and lawsuits, meeting compliance requirements that include security assessments, reputational damage and the possibility of confidential and proprietary data getting into the hands of competitors.