Penetration testing is an important exercise for many organisations. In fact, some organisations are required to perform regular penetration tests in order to comply with security regulations such as PCI DSS.
In this article, we will explain what penetration testing is and how it works. We will also explain why many organisations do it, and why some choose not to.
What is penetration testing?
Penetration testing is the deliberate, “white-hat” hacking of IT systems in order to identify vulnerabilities and assess the effectiveness of an organisation’s security controls. By simulating real-world scenarios, such as DDoS attacks, phishing scams, and social engineering, penetration testing allows security experts to pinpoint areas that require greater security, with the ultimate goal of safeguarding against genuine breaches in the future.
It is possible to use online vulnerability tools to assess your systems’ security. These generate automatic reports and are often referred to as ‘automated’ testing, whereas penetration testing performed by a person is often referred to as ‘manual’ testing.
There are a variety of ways in which penetration testers can evaluate an IT system’s security, and we will cover these shortly. It is important to note that penetration testers use similar approaches to attackers, as they seek to identify system weaknesses. This enables them to evaluate the business risks and identify appropriate solutions, to help mitigate the threat of a system breach.
What are the objectives of penetration testing?
The overarching goal of penetration testing is simple: to protect IT systems, safeguard data, and prevent all potential security breaches. To meet this primary goal, penetration testing has the following more specific objectives:
Identify security weak points
It is through thorough penetration testing that organisations can discover the vulnerabilities in their current operational systems—from their software configurations to their third-party relationships to their network infrastructure. By pinpointing these weaknesses, they’re able to develop specific, tailored solutions rather than relying on generic, one-size-fits-all security measures.
Evaluate existing security controls
Part of penetration testing is determining whether an organisation's existing security measures stand up to the latest, most advanced hacking techniques. It’s a useful way of showing whether security measures are working as they should be, or whether they need to be improved or updated to protect against new and evolving threats.
Test incident response and enhance preparedness
Although the hope is to always prevent security breaches before they happen, it’s also important for organisations to have a plan in place in the event a breach does occur. Penetration testing allows organisations to practice their emergency response protocols so that they can be prepared for any future incidents.
Ensure compliance with industry regulations
A secondary objective of penetration testing is to ensure an organisation is in compliance with industry regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR), and the Health Insurance Portability and Accountability Act (HIPAA). Penetration testing will help determine whether an organisation meets industry standards—plus, the testing itself can be a regulatory requirement (as is the case with PCI DSS).
What type of threats does penetration testing help prevent?
External threats
In these cases, hackers are usually seeking sensitive data (e.g. credit card details, personally identifiable information) that they can use for their own financial gain (e.g. credit card fraud, identity theft, etc.).
Good to know: The most common cybersecurity threat organisations face is unauthorised access and data theft from bad actors outside of the organisation.
External threats include:
Social engineering
Social engineering is any manipulation that exploits human psychology in order to gain access to sensitive information or systems. Examples include:
Phishing scams
A subset of social engineering, phishing is the attempt to trick someone into revealing sensitive information through fake emails or websites, usually by impersonating a business they trust (e.g. bank, software company, etc.).
DDoS attacks
Distributed Denial of Service (DDoS) attacks are designed to overwhelm systems with traffic, leading systems to go down and services to be disrupted.
Malware attacks
Malware, such as viruses, trojans, and ransomware, can be used to disrupt IT systems or gain unauthorised access to sensitive data. It can be introduced through downloadable email attachments, compromised software programs, infected websites, or unapproved USB sticks or external hard drives.
Brute force hacking
Brute force attacks are a method of hacking passwords or other sensitive login credentials (e.g. encryption keys) through a mass-scale trial-and-error approach. Hackers use automated tools to test thousands of different credentials until they find the right one and can gain unauthorised access.
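Because brute force attempts are high-volume by nature, they are one of the easier external threats to spot in authentication logs. The following is an added illustration, not part of the original article: a small Python detector that parses sshd-style log lines, counts failed logins per source address within a sliding time window, and records whether a successful login followed the burst (the pattern a defender most wants to escalate). The log lines, threshold and window size are constructed sample values, not taken from any real system.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines in sshd style (not captured from a real host).
# 203.0.113.7 fails five times in a few seconds and then logs in as "bob";
# 198.51.100.22 is an ordinary user who mistyped a password once.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 50001 ssh2
2024-05-01T10:00:02 sshd[102]: Failed password for invalid user root from 203.0.113.7 port 50002 ssh2
2024-05-01T10:00:03 sshd[103]: Failed password for invalid user test from 203.0.113.7 port 50003 ssh2
2024-05-01T10:00:04 sshd[104]: Failed password for alice from 203.0.113.7 port 50004 ssh2
2024-05-01T10:00:05 sshd[105]: Failed password for bob from 203.0.113.7 port 50005 ssh2
2024-05-01T10:00:06 sshd[106]: Accepted password for bob from 203.0.113.7 port 50006 ssh2
2024-05-01T10:00:30 sshd[107]: Failed password for carol from 198.51.100.22 port 40001 ssh2
2024-05-01T10:05:00 sshd[108]: Accepted password for carol from 198.51.100.22 port 40002 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and
# "Accepted password for X from IP" forms.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(text):
    """Turn raw log text into a list of login events; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: alert} for every source that reached `threshold` failed logins
    inside any sliding `window`. The alert records when the burst was reached,
    which usernames were tried, and the first account that logged in afterwards
    (None if no success followed)."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        recent, users = [], set()        # failure timestamps inside the window
        burst_at, success_user = None, None
        for e in evs:
            if e["ok"]:
                # A success after a burst of failures is the strongest signal.
                if burst_at is not None and success_user is None:
                    success_user = e["user"]
                continue
            users.add(e["user"])
            recent.append(e["ts"])
            recent = [t for t in recent if e["ts"] - t <= window]
            if burst_at is None and len(recent) >= threshold:
                burst_at = e["ts"]
        if burst_at is not None:
            alerts[ip] = {
                "burst_at": burst_at,
                "users_tried": sorted(users),
                "success_after_burst": success_user,
            }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, alert)
```

The threshold and window should be tuned to the environment: a rule that fires on five failures in a minute will catch a noisy automated tool but not a slow, distributed "password spray" that tries one password against many accounts from many addresses. For that variant, grouping by username (or by password hash where the platform exposes it) rather than by source IP is the more useful key, and the same sliding-window logic applies.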
Zero-day (0day) exploits
Zero-day exploits are when hackers take advantage of vulnerabilities in software programs before developers have time to fix them. By attacking on the same day the weakness is discovered (day zero), hackers are able to access systems before the software can be patched and updated.
Internal threats
Another cybersecurity concern is when the threat is coming from within the organisation itself. Although it can be unsettling to consider that employees and third-party partners may have malicious intentions, the reality is that addressing internal threats is crucial to IT security, and this type of threat must be considered when conducting penetration testing. Also, internal security threats aren’t always intentional; they can stem from inadvertent actions and negligence.
Common internal threats include:
Advanced Persistent Threats (APTs)
Probably the most dangerous cybersecurity threat is the potential for routine and long-term infiltration by sophisticated hackers who steal data while remaining undetected for large stretches of time. These types of digital espionage are known as Advanced Persistent Threats (APTs), and they’re often conducted by a nation-state or state-sponsored group with the goal of mining data, disrupting systems, or simply accessing sensitive information for political purposes.
What are the benefits of penetration testing?
Cybersecurity risks are becoming more common and more severe. Long-term impacts can include damage to the organisation’s brand reputation, a loss of customer trust, loss of competitive advantage, reduction in credit rating, and increase in cyber insurance premiums.
How does penetration testing work?
Planning and scope
Before initiating a penetration test, the team or company performing the test should outline the scope of the test, list the test objectives, and identify which systems and networks will be assessed (and to what extent). It’s important for the testing team to communicate clearly and openly with stakeholders within the organisation (e.g. IT teams, operations, human resources, etc.) in order to thoroughly identify all potentially vulnerable areas of the business.
Common systems that require penetration testing include:
Although the individual or team conducting the penetration testing should be familiar with all areas of the business, they should not disclose to internal teams when and how the testing will take place. Penetration testing works best when it mimics real-world scenarios, and therefore no advance notice should be given.
Accessing, scanning, and observation
After the initial planning phase, the individual or team performing the assessment will enter the active testing phase. This involves gaining access to the organisation’s systems through the use of common scams and hacking techniques. They will scan systems searching for weaknesses that can be exploited to gain access to sensitive data.
Common techniques involved in penetration testing include:
Reporting, analysis, and fixes
The final step of the penetration testing process is to compile the results, analyse the findings, and take steps to resolve any issues that are uncovered. Penetration testing experts typically provide comprehensive reports detailing identified vulnerabilities, the threat levels, and their list of recommended solutions.
Following penetration testing, organisations are often advised to do the following:
- Enhance employee awareness of IT security, particularly social engineering scams, through more comprehensive and routine training programs.
- Run updates and add security patches to address any vulnerabilities found in software programs, applications, databases, and other IT systems.
- Develop an incident response plan, or a more thorough incident response plan, to follow in the event of a security breach.
- Set up ongoing monitoring and testing in order to adapt as needed to new security threats.
What are the pros and cons of penetration testing?
There are several advantages to penetration testing:
Disadvantages to penetration testing include the following: