Penetration testing, also referred to as ethical hacking or pen testing, is the act of testing a computer system for security weaknesses which could be exploited by an attacker. The key word here is ‘testing’. Unlike other forms of measuring a system’s resilience, such as audits and vulnerability assessments, a penetration test involves employing the same methods and techniques that real hackers use, only in a non-destructive way. You could think of it as hiring an actual burglar to attempt to break into your house, but rather than steal your belongings, they take a picture and tell you how they got in.
But why on earth would you want to employ someone to hack into your systems? Well, whether you like it or not, cyber criminals are going to try. So you might as well have someone who is on your side hack you first. That way they can tell you how they did it and you can fix those vulnerabilities before the cyber criminals find them. Penetration testing can be used to not only validate your system’s resilience to cyber attack, but may also be necessary for compliance and regulation, such as with PCI DSS, HIPAA, SOC2, and ISO27001.
Penetration testing can also be broken down into several types, depending on the amount of information the penetration tester is given and the system being tested. First we will look at the different types of penetration testing distinguished by the amount of information given to the tester. These are black box, grey box, and white box testing.
The tester starts with little information other than an IP address and logins. They won’t be told what programming languages the software is built with, the type of database used, etc., and must do all reconnaissance themselves. This gives a more accurate representation of what an attacker is able to achieve with the information an outsider can gather.
In between black box and white box testing. The tester is given partial knowledge of the internal structure of the application, such as information about some of the logic, networks, database used, etc.
The tester is given a lot of information about the system, such as network maps and the code itself. The testers therefore spend less time doing reconnaissance and have a better understanding of the internals of the system.
Next, we will look at the different types of penetration testing differentiated by the type of system being tested.
Infrastructure / External Network
This involves testing of the network’s perimeter, including externally-facing assets such as servers, firewalls, and switches. Think of it as an attacker outside of a network trying to get in. It makes a lot of sense that companies would want to test this as networks that are accessible from the internet (which most are) could have people from all over the globe trying to hack them.
As the name suggests, an internal penetration test is conducted from within the network. This type of testing simulates an attacker who managed to breach the external network, has physically plugged a device into an ethernet port within the network, or a malicious insider – which happens more often than people realise. This will give insight into how easily an attacker can traverse the network, what assets they’re able to access, and if they’re able to elevate their privileges (such as by exploiting misconfigurations to gain read/write permissions to files they shouldn’t).
Website / Web Application
Given the dynamic nature of websites these days, they offer a plethora of vectors which attackers can target. Attackers might try things like uploading malicious files or stealing user data by sending malicious code through forms (‘forms’ being parts of the website that accept user input, such as login forms or user comments). This is typically the most labour intensive type of penetration test.
Mobile apps are simply software running on phones (iOS and Android), and like all software, could contain vulnerabilities. Penetration testing of mobile applications includes testing of things such as how data is transmitted and stored, how sessions are managed, and flaws in the apps’ security protocol.
As you might have guessed, Wi-Fi penetration testing involves searching for vulnerabilities in wireless networks. These vulnerabilities can exist due to things such as misconfigurations, weak protocols, outdated software, and the use of default or insecure passwords.
The methods we’ve discussed so far are all technical, but cyber criminals aren’t restricted to purely digital means. Social Engineering Penetration Testing is by identifying vulnerabilities with the people and process such as calling and asking the staff for their password, or sending them a phishing email and tricking them into providing their password. The scope of a Penetration Test of Social engineering could be one specific social engineering attack such as phishing or a combination.
Physical penetration tests involve searching for weaknesses in physical controls such as locks, doors, cameras, or sensors, as well as psychological manipulation (referred to as social engineering). To do this, testers might pretend to be an employee who has forgotten their access card and ask another staff member to give them access to a restricted area. They could also try things like crowbar to open the door or break the lock, pick the lock, tailgating (following an authorised individual into a secured premise), and badge cloning (copying authentication data from an RFID badge’s microchip to another badge).
Hopefully you now have a better understanding of the different types of penetration testing. It’s also important that you choose a good company to do the testing. Certifications such as CREST can give confidence that the company has skilled employees and proper processes in place to protect your data (see our article on CREST certification). Vertex Cyber Security is a CREST ANZ certified provider of penetration testing services.