CYBER SECURITY TERMINOLOGY EXPLAINED

What Is Penetration Testing?

Penetration testing (sometimes called pen testing) is designed to identify vulnerabilities within your networks, applications and systems that represent a real-world threat to your organisation: weaknesses that a hacker may be able to exploit to gain access to your critical data and platforms.

Think of it as a bank hiring someone to try to break into their vault and steal their money. Although the bank will have its own security systems in place, if the burglar succeeds then the bank will learn valuable information about any gaps that they need to close to strengthen their security.

Stages of a Pen Test

Reconnaissance

Most pen tests should begin with a stage of active and passive reconnaissance. This is an information gathering exercise, designed to discover what information can be found about your organisation without directly interacting with your systems (passive) or with a minimal level of interaction that would not be seen as suspicious (active).

Initial Access

The tester would then move on to attempting to breach the target systems using security tools and their own skill and knowledge, simulating the process that a real-world hacker may follow to attempt to gain access to the target systems.

Maintain Access

If successful, the tester would then try to identify whether any vulnerabilities could be exploited to help maintain access to the system. Depending on the type of assessment, the tester may also try to scan the environment for additional ways to attack the target systems and attempt to gain access to sensitive information or high value systems.

Analysis and Debrief

Finally, the tester would remove all traces of their testing and compile a thorough report of what vulnerabilities were identified, how they were exploited, and how you can remediate them, so that you can strengthen your cyber security posture and reduce the risk of a real breach occurring.

Types of Penetration Testing

There are several different types of pen testing available to you, and the approach should be determined based on your technical setup and key risk factors.

Infrastructure Testing

Test your internal networks and internet-facing infrastructure for vulnerabilities that may allow attackers to gain access to business-critical servers and data. Infrastructure testing typically looks at service availability, misconfiguration, and device patching.

Web Application Testing

When a web application forms a critical part of your business plan, regular testing of that application is critical to prevent attackers from being able to abuse your application to steal data or attack your customers on the platform. A web application pen test will focus on identifying vulnerabilities defined in the OWASP Top 10 such as poor input validation, logic flaws, and session management weaknesses.

Red Team Testing

These are often seen as the closest replication of a real-world threat actor attempting to breach your organisation. Red team assessments will sometimes have a specific goal to achieve (or a flag to capture) and will use every resource available to them to attempt to achieve it without alerting the organisation to their efforts. These can run for weeks as the testers attempt to find a way to achieve their goal, which can often involve writing custom scripts and tools to exploit flaws and bypass detection.
