ADVERTISEMENT

What is penetration testing?

what is penetration testing featured
Jack Wherry
Oct 13, 2020 Updated: 18 November 2021 3 min read

What exactly does a pen test involve?

Penetration testing stages

  • Before they get started, the company and pen tester sign a contract. The pen tester can’t be held responsible for damages they might cause, but they will attempt to prevent any issues to the best of their abilities. They don’t look at confidential data or otherwise intentionally damage the target organization.
  • After agreeing on the terms for the penetration test, the pen tester starts reconnaissance. They look for any publicly available information about their target (called OSINT, or open-source intelligence, in the security community). They might run automated tools to find out what attack surfaces their target has.
  • Next, the pen tester looks at what threats pose the greatest concern to the target. This helps them prioritize their efforts towards finding higher-value security issues.
  • As they collect info about their target, the penetration tester constantly looks for vulnerabilities. The pen tester might try to find issues in areas that people working at the company wouldn’t think of. Often, problems lie in long-forgotten systems and websites.
  • After compiling a list of potential vulnerabilities, pen testers get to work trying to exploit them. Exploiting security issues requires in-depth knowledge of all kinds of technologies, so pen testers have to have enough experience and skill at researching.
  • Once the pen tester has successfully exploited a few vulnerabilities (or run out of time), they perform some analysis. This allows them to prepare a report with recommendations for their target. At the conclusion of the penetration testing process, the pen tester delivers a presentation with recommendations.

Why is penetration testing necessary?

  • Get a more realistic view of your company’s security.
  • Practice responding to a real-world threat.
  • Learn hackers’ methods and beef up security around areas that are frequently targeted.
  • Get information that helps your company optimize its spending towards the highest-risk areas.

How often should I perform a penetration test?

ADVERTISEMENT
  • After discovering an attack on your network—even something as seemingly insignificant as an adware installation. Small attacks are a symptom of a larger issue. A small problem might even be a red herring while a much bigger attack unfolds.
  • After upgrading or installing a company intranet. Intranets often house sensitive data; keeping them secure is a must.
  • After moving offices, mergers and acquisitions, or going through other big IT changes. Big changes frequently create opportunities for cyberattacks.

What should I do after a penetration test?

Penetration testing tools

  • Nmap: Explore networks and find vulnerable devices. Nmap is a port-scanning software on steroids, with the ability to determine lots of info about devices and networks.
  • Wireshark: Capture and understand network traffic. Wireshark lets you intercept the raw network packets exchanged by devices and find out how they’re communicating.
  • Metasploit: Automate vulnerability exploitation. From social engineering to complex server bugs, Metasploit provides a framework for easy, automated exploitation.
  • Aircrack-ng: Crack and monitor Wi-Fi networks. Aircrack can capture wireless packets and stage a variety of different attacks on Wi-Fi networks.
  • Burp Suite: Find bugs in web applications. Burp Suite goes between your browser and the web app you’re attacking, allowing you to inspect and modify requests.

Penetration tests vs. vulnerability scans: what’s the difference?

ADVERTISEMENT