What is a penetration test? If you’re struggling to understand the intricacies of penetration testing, you’re not alone. To those unfamiliar with the world of cybersecurity and ethical hacking, a penetration test can be a very foreign concept.
Learn more about penetration testing, why it's so critical in cybersecurity, and how penetration testers play a role in exposing network security vulnerabilities.
Also known as “pen testing” or “white-hat hacking,” a penetration test is a simulated, authorized cyberattack against a computer system to find exploitable security vulnerabilities. Penetration testing helps organizations manage risk, protect clients from data breaches, and support business continuity. It is also a recurring requirement for maintaining compliance in highly regulated industries such as banking and healthcare.
Basically, pen testing helps businesses answer the question, “How hard is my data to steal?” When it comes to protecting valuable data from cyberattacks, knowing the answer to that is critical. Data breaches are costly: IBM has estimated that a data breach costs U.S. companies an average of $7.35 million.
Protecting against data breaches through pen testing requires a thorough approach. Penetration tests usually have five stages:
1. Planning. The tester and the client agree on the goals, scope, and rules of engagement for the test, and the tester performs preliminary reconnaissance. This is the information-gathering stage: it relies heavily on open-source intelligence (public DNS records, exposed services, employee names and roles) and may include social engineering where the scope allows it.
2. Scanning. Next, the tester probes the target to learn how it responds to attack attempts, typically with port scanners, vulnerability scanners, and application-analysis tools. The output is a map of exposed services, software versions, and candidate weaknesses to try in the next stage.
3. Breaching. Here, the tester attempts to exploit those candidate weaknesses, for example with cross-site scripting, SQL injection, or a previously planted backdoor, to get past perimeter controls such as the firewall and into the system. A successful exploit is then used to demonstrate impact: escalating privileges, taking control of hosts or network devices, and reaching data within the agreed scope. Actual exfiltration is normally replaced by proof that it would have been possible.
4. Burrowing. Then the tester sees how long they can stay in the system undetected, what data is exposed, and how much deeper they can move. They attempt to maintain access for the duration of the engagement by establishing persistence, such as planting rootkits or installing backdoors, mimicking an advanced persistent threat. Every artifact planted this way is recorded so it can be removed when the test ends.
5. Analyzing. The tester removes the artifacts they planted, then compiles a detailed report: which vulnerabilities were exploited, what data was reached, how long they remained undetected, and how each finding should be fixed. Some engagements also test how a real attacker would cover their tracks, which shows the defenders what evidence they should still have been able to catch. At the end of the test, the ethical hacker gathers the information they obtained and notes exactly where they found exploitable vulnerabilities.
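The breaching stage above names SQL injection as a typical way in. The following added example, written for this article and not taken from any product or test report, shows the flaw a tester looks for and the fix the report would recommend: a login check that concatenates user input into SQL beside the same check written with a parameterized query. The user table and credentials are constructed for the demonstration only, and the passwords are stored in plaintext purely to keep the example short.

```python
import sqlite3

# Constructed sample database: one user, plaintext password for brevity only.
# Real systems store a salted hash and compare it server-side.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Vulnerable: user-controlled strings are spliced straight into the SQL text,
    # so a quote in the password changes the structure of the WHERE clause.
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0

def login_safe(conn, username, password):
    # Fixed: the database driver binds the values separately from the query
    # text, so a quote in the input is just a character inside the value.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

# Two classic tautology payloads a tester would try in the password field.
# The first makes the clause "... AND password = '' OR '1'='1'" (AND binds
# tighter than OR, so every row matches); the second also comments out the
# closing quote that the original query would have appended.
BYPASS_PAYLOADS = ["' OR '1'='1", "' OR 1=1 --"]

def run_demo():
    """Return a dict showing which login function each payload defeats."""
    conn = build_db()
    results = {
        "vulnerable_accepts_real_password": login_vulnerable(conn, "alice", "correct-horse"),
        "safe_accepts_real_password": login_safe(conn, "alice", "correct-horse"),
        # "nobody" is not a user: the attacker needs no valid account to bypass.
        "vulnerable_bypassed": all(login_vulnerable(conn, "nobody", p) for p in BYPASS_PAYLOADS),
        "safe_bypassed": any(login_safe(conn, "nobody", p) for p in BYPASS_PAYLOADS),
    }
    conn.close()
    return results

if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

A tester confirms the finding by observing that a nonexistent account logs in with the payload; the report then cites the concatenated query and recommends the parameterized form (and, where hashing is missing, a proper password hash) as the fix.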
Beyond finding vulnerabilities, pen tests also exercise an organization’s incident response capabilities, i.e., how prepared its people and processes are to detect and respond to an attack. The logic here is that the more practice companies get, the better they’ll cope with a real incident.
Broadly, penetration tests fall into three types: black-box, gray-box, and white-box assessments, distinguished by how much the tester is told about the target beforehand. Let’s take a deeper look at each one.
A black-box assessment is typically the first penetration test an organization commissions. In this type of test, the tester is given no information about the internal workings or architecture of the target system and must break in armed with only an outsider’s knowledge.
In a black-box test, the ethical hacker stands in the shoes of an external attacker, building a map of the target network from their own observations and expertise. The main goal of a black-box assessment is to find the vulnerabilities that are easiest to exploit from outside. It’s the first step, or first level, of penetration testing.
A gray-box assessment simulates an attack from someone who already has some knowledge of, or access to, the internal environment. Gray-box testers often play the part of a user with an ordinary account and its privileges, and they are given basic information about the system’s architecture, documentation, and design.
A gray-box test is more efficient and targeted than a black-box assessment: in a black-box test, much of the time goes into simply discovering where vulnerabilities might be, whereas a gray-box tester already knows roughly what data they want and where to find it. This models two realistic threats at once: a malicious insider, and an outside attacker who has already gained a foothold or stolen credentials. Gray-box assessments are therefore valuable for testing the defenses that must hold after an advanced threat has gotten past the perimeter.
White-box testing is also known as “logic-driven testing,” “open-box testing,” and “clear-box testing.” It’s essentially the opposite of black-box testing in that the testers are given full access to source code, architecture documentation, and usually credentials and configuration as well. It’s a very time-intensive type of testing because the pen tester has to work through a large amount of material to find weak points and vulnerabilities.
While a white-box assessment is indeed time-consuming, it is also the most thorough form of penetration testing: it can reveal flaws both in the externally exposed surface and in internal logic and code that a black-box tester would never see. For that reason it is often considered the most valuable form of testing, although it does not reproduce an outside attacker’s view as realistically, so organizations commonly pair it with black-box testing. White-box penetration testers work with developer-level knowledge, and developers and testers working together can confirm that each fix actually closes the hole that was found.
These approaches are applied through five general types of engagement, each meeting a different need:
An external penetration test targets company assets that are visible from the internet, such as websites, web applications, DNS servers, and email servers. The goal of these tests is to see whether an attacker can gain access to and extract data from these externally exposed systems. This type of penetration testing measures a system’s vulnerability to outside attackers.
An internal penetration test simulates an attack by a malicious insider, or by an outsider who has already gotten behind the company’s firewall, for example with employee credentials stolen through social engineering or phishing. It measures how far such an attacker could get and what they could reach, with an eye toward mitigating that risk.
In a blind test, your role as a pen tester would be to target an enterprise using very limited information, hence the term “blind.” The tester acts as a real attacker, using only publicly accessible information to gain access to a system. While the tester is blind, the target organization generally is not: its security team is told what the tester will attack, how they’ll attack, and when. A blind test gives a good view of exploitable vulnerabilities, though it says less about detection and response than a double-blind test, discussed next.
Also called “zero-knowledge testing,” a double-blind test is one in which the tester works with minimal information and the organization’s security team is not told that the test is taking place; only a small group, such as the executives who authorized the engagement, knows the scope. Think of it like a fire drill at a school where neither students nor teachers know about the event in advance. Because security personnel have no advance notice, they cannot shore up their defenses before the attempted breach and must rely on their everyday processes and tooling. This gives a far more realistic picture of how the organization would detect and respond to a real attack, and of which areas need to be addressed.
Lastly, in targeted testing, the tester and the security team work together, keeping each other apprised of their movements. This gives the security team invaluable real-time feedback from an attacker’s point of view. This type of penetration testing is less about finding vulnerabilities and more about understanding which information security strategies to implement.
Penetration testing is very technical in practice. But what does it look like in action? What are some examples of penetration testing? Here are some penetration tests you may have seen.
- Phishing email simulations. A fake lure is sent to internal company email addresses to test whether employees recognize it as a scam. The simulated attacker typically impersonates an internal employee or a familiar service, asking for specific information or asking the recipient to “confirm” a login. Clicks and submitted credentials are recorded so that awareness training can be targeted at the people who fell for it.
- Social engineering attack simulations. A tester tries to talk someone into handing over data such as account credentials or network logins. Social engineering encompasses many types of attack, but these simulations often happen over the phone or in person.
- Ransomware attack simulations. Real ransomware tricks users into running software (often disguised as an antivirus product) that encrypts a computer or network and locks system administrators out until a ransom is paid. A simulation reproduces the delivery and behavior with a harmless stand-in to check whether email filtering, endpoint protection, and backups would actually contain the attack.
In short, penetration testing is an intricate and highly specialized discipline. It’s also a practice that’s critical to the security of a business. We live in a digital world where more and more data is stored online each day. As more sensitive data becomes reachable, the number of cybercriminals and cyberattacks continues to rise. This means that in the coming years the need for penetration testers will only continue to grow.
If you’re interested in becoming a penetration tester, this guide provides more details about the degree, certifications, and skills you need to become a pen tester.