The term penetration testing—or pen testing for short—gets thrown around frequently in security circles. In essence, a penetration test is when a company hires a contractor to infiltrate their systems just like a real hacker would.
By doing the same thing as a hacker, penetration testers can discover real-world security flaws in their targets’ infrastructure. Generally, nobody other than top security executives even knows that their company is under attack. Because of this, pen testing finds real vulnerabilities in a realistic way.
In this article, we’ll have a look at the penetration testing process and why it’s so useful. Plus, we’ll look at what makes a penetration test much better than automatic scanning tools.
What exactly does a pen test involve?
When performing a penetration test, a pen tester uses a variety of techniques—tailored to the target organization being tested—to find potential security issues. Most penetration testing is focused on finding network security issues, but some pen testers also perform physical security testing. It all depends on the scope laid out by the company.
Although the pen tester is on the “good side”, they don’t shy away from using techniques that are normally employed by malicious actors. The entire point of hiring a tester is to uncover real-world problems that the company can’t find themselves. Additionally, the pen tester is usually an outside consultant, so they don’t have any internal knowledge.
Penetration testing stages
- Before they get started, the company and pen tester sign a contract. The pen tester can’t be held responsible for damages they might cause, but they will attempt to prevent any issues to the best of their abilities. They don’t look at confidential data or otherwise intentionally damage the target organization.
- After agreeing on the terms for the penetration test, the pen tester starts reconnaissance. They look for any publicly available information about their target (called OSINT, or open-source intelligence, in the security community). They might run automated tools to find out what attack surfaces their target has.
- Next, the pen tester looks at what threats pose the greatest concern to the target. This helps them prioritize their efforts towards finding higher-value security issues.
- As they collect info about their target, the penetration tester constantly looks for vulnerabilities. The pen tester might try to find issues in areas that people working at the company wouldn’t think of. Often, problems lie in long-forgotten systems and websites.
- After compiling a list of potential vulnerabilities, pen testers get to work trying to exploit them. Exploiting security issues requires in-depth knowledge of all kinds of technologies, so pen testers have to have enough experience and skill at researching.
- Once the pen tester has successfully exploited a few vulnerabilities (or run out of time), they perform some analysis. This allows them to prepare a report with recommendations for their target. At the conclusion of the penetration testing process, the pen tester delivers a presentation with recommendations.
Why is penetration testing necessary?
The biggest reason that pen testing is effective is that testers are external to the target company. They don’t possess internal knowledge that gives them an advantage over real hackers. Conversely, they are new to the company’s systems, so they look in unconventional places. For these reasons, external pen testers give companies an accurate picture of their security.
Some advantages of pen testing over internal testing are the following:
- Get a more realistic view of your company’s security.
- Practice responding to a real-world threat.
- Learn hackers’ methods and beef up security around areas that are frequently targeted.
- Get information that helps your company optimize its spending towards the highest-risk areas.
How often should I perform a penetration test?
Every company has a different budget for IT security. Although penetration testing is hugely helpful, pen testers are expensive. That said, a cyberattack costs companies far more than hiring a penetration tester.
Big companies with big budgets might be able to afford a biannual pen test. Others might only get a pen test after making large changes to their IT infrastructure.
Regardless of your budget, here are a few times when getting a penetration test is worthwhile:
- After discovering an attack on your network—even something as seemingly insignificant as an adware installation. Small attacks are a symptom of a larger issue. A small problem might even be a red herring while a much bigger attack unfolds.
- After upgrading or installing a company intranet. Intranets often house sensitive data; keeping them secure is a must.
- After moving offices, mergers and acquisitions, or going through other big IT changes. Big changes frequently create opportunities for cyberattacks.
What should I do after a penetration test?
The deliverable of a penetration test is a presentation or document full of specific issues and suggestions to prevent them. Pen testers don’t just find vulnerabilities and report them. Their recommendations are often more wide-ranging and can help stop similar problems in the future as well.
After hearing the penetration tester’s recommendations, the process isn’t over. Your company’s job is to both implement the fixes for the issues the pen tester reported and make larger changes to prevent future problems.
The exact steps to take after a pen test differ from organization to organization, of course. No matter what, listening to the recommendations and making real changes is a necessity for the pen test to be valuable.
Penetration testing tools
Pen testing tools are usually specialized towards one task. Some assist in network reconnaissance, while others make attacking websites easier. A few of the most popular and useful tools are listed below:
- Nmap: Explore networks and find vulnerable devices. Nmap is a port-scanning software on steroids, with the ability to determine lots of info about devices and networks.
- Wireshark: Capture and understand network traffic. Wireshark lets you intercept the raw network packets exchanged by devices and find out how they’re communicating.
- Metasploit: Automate vulnerability exploitation. From social engineering to complex server bugs, Metasploit provides a framework for easy, automated exploitation.
- Aircrack-ng: Crack and monitor Wi-Fi networks. Aircrack can capture wireless packets and stage a variety of different attacks on Wi-Fi networks.
- Burp Suite: Find bugs in web applications. Burp Suite goes between your browser and the web app you’re attacking, allowing you to inspect and modify requests.
Although lots of tools make pen testing easier, you have to have enough experience to get the most from them. Professional penetration testers don’t just know how to operate their tools—they have years of experience with security, networking, and programming too.
Penetration tests vs. vulnerability scans: what’s the difference?
Some tools offer automatic vulnerability scans. They go through a list of common vulnerabilities, testing for each one with premade test cases automatically. Scanners can uncover lots of low-hanging fruit with ease.
Vulnerability scans can be a great first step in securing a network or website. But they’re just that—a first step. Scanners don’t have the human intelligence required to dig deeper than simple vulnerabilities. Real pen testers—and by extension, malicious hackers—have intuition and ingenuity that automated software lacks.