What is penetration testing: Definition, processes and methods
Penetration testing (otherwise known as pen testing) is a security exercise where cyber-security experts run tests across an IT ecosystem to find and exploit vulnerabilities that may exist.
More than half of all data breaches are caused by malicious activity, according to IBM’s 2021 Cost of a Data Breach Report. What’s more, each attack costs an average of US$4.24 million (GBP£3.16 million) and takes 287 days to identify and resolve.
As ominous as these statistics sound, don’t panic. Many mid-market and enterprise-level businesses are turning to continuous security testing strategies to make sure that loopholes and vulnerabilities are discovered and dealt with quickly. These risks can appear at any time, triggered by things like a software update or the discovery of a new vulnerability. This means that infrequent pen testing leaves them undiscovered for a long time.
Penetration testing is largely a manual process but automation can help, especially when dealing with changing attack surfaces such as apps or websites. For example, Claranet’s Continuous Security Testing (CST) service constantly scans your web applications and IT infrastructure for vulnerabilities.
But what exactly is penetration testing? And how does it help your business reduce the risk of a data breach? Here’s what you need to know.
What is penetration testing?
The purpose of penetration testing is to simulate a possible attack and identify weak spots that potential attackers can take advantage of. By discovering these vulnerabilities, pen testers can compile a list of issues and companies can implement the necessary security measures needed to protect sensitive data against real-world threats.
Penetration testing stages
To successfully perform a penetration test, there are six fundamental steps to follow. These include:
1. Scoping and planning
The first stage of a penetration test is planning and reconnaissance. It’s important to define the scope and goals of your test, including which systems you intend to investigate and the testing methods you plan to use (see below for more on testing methods).
2. Scanning
At this stage, testers begin scanning the network and mapping the application to understand the context of the application or network, and the potential risks that might exist within the system. For example, this could be identifying software in use across an organisation's infrastructure, or building a sitemap of the application's content and fingerprinting the underlying technology in use.
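As an added illustration of the fingerprinting part of this stage (example code written for this article, not Claranet's tooling), the script below parses a constructed HTTP response and infers the technology stack from the Server and X-Powered-By headers, session-cookie names and the HTML generator tag. The cookie-name and asset-path hint tables are assumptions chosen for the example. The same parse doubles as a defender's check of which version-disclosing headers a site's own server is sending, since trimming those is the usual way to make an estate harder to fingerprint.

```python
"""Passive technology fingerprinting from one HTTP response.

Added example, not code from the original article. The response below is
constructed for the demonstration and was not captured from any real host.
"""
import re

# Constructed sample response (not from a real server).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="WordPress 5.8">'
    '<link rel="stylesheet" href="/wp-content/themes/x/style.css">'
    "</head><body>Hello</body></html>"
)

# Assumed hint tables: session-cookie names and asset paths that are
# characteristic of particular platforms.
COOKIE_HINTS = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
    "csrftoken": "Django",
    "laravel_session": "Laravel",
}
PATH_HINTS = {
    "/wp-content/": "WordPress",
    "/wp-includes/": "WordPress",
    "/sites/default/files/": "Drupal",
}
# Headers that commonly carry product and version strings.
DISCLOSING_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-Generator")


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_line, [(name, value), ...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines without a colon
            headers.append((name.strip(), value.strip()))
    return status_line, headers, body


def header_values(headers, name):
    """All values for a header name, matched case-insensitively (headers may repeat)."""
    return [v for n, v in headers if n.lower() == name.lower()]


def fingerprint(raw):
    """Return {technology: [evidence, ...]} inferred from headers, cookies and body."""
    _, headers, body = parse_response(raw)
    findings = {}

    def note(tech, evidence):
        findings.setdefault(tech, []).append(evidence)

    # 1. Product names advertised directly in response headers, e.g. "Apache/2.4.41".
    for hdr in DISCLOSING_HEADERS:
        for value in header_values(headers, hdr):
            product = value.split("/")[0].split()[0]
            note(product, f"{hdr}: {value}")

    # 2. Session-cookie names that are specific to a platform.
    for cookie in header_values(headers, "Set-Cookie"):
        name = cookie.split("=", 1)[0].strip()
        if name in COOKIE_HINTS:
            note(COOKIE_HINTS[name], f"cookie {name}")

    # 3. Generator meta tag and characteristic asset paths in the HTML body.
    m = re.search(r'<meta\s+name="generator"\s+content="([^"]+)"', body, re.I)
    if m:
        note(m.group(1).split()[0], f"meta generator: {m.group(1)}")
    for path, tech in PATH_HINTS.items():
        if path in body:
            note(tech, f"asset path {path}")
    return findings


def disclosing_headers(raw):
    """Headers that leak a version number; a defender would strip or genericise these."""
    _, headers, _ = parse_response(raw)
    return [
        h for h in DISCLOSING_HEADERS
        if any(re.search(r"\d+\.\d+", v) for v in header_values(headers, h))
    ]


if __name__ == "__main__":
    for tech, evidence in fingerprint(SAMPLE_RESPONSE).items():
        print(f"{tech}: {', '.join(evidence)}")
    print("version-disclosing headers:", disclosing_headers(SAMPLE_RESPONSE))
```

Run against a site's own responses, `disclosing_headers` lists exactly the headers a tester would read first, which makes it a cheap pre-test check for the defending team.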
3. Manual testing
Pen testers will use the results of the reconnaissance stage and their own experience to assess applications individually.
After a vulnerability is identified, testers will attempt to gain access to restricted systems and networks. For example, they might look for backdoors and weak authentication.
Once identified, testers will try to take advantage of these vulnerabilities to gain wider access, including root or admin access. They will also try the same process on other systems in the network and they may chain them with new attacks on different vulnerabilities to maximise their access.
4. Maintaining access to a network
Entering into a network is only the beginning. To access truly sensitive information, threats need to roam undetected within a network for long periods of time. This is a kind of extended penetration test, sometimes called ‘red teaming’ or adversary simulation. Pen testers also re-run tests to confirm that remediation efforts have been successful.
At this stage in the process, testers will mimic persistent threats to understand whether or not they can avoid detection and gain access to highly sensitive data.
5. Analysing the test
After a penetration test is complete, security professionals will analyse and report on the results of a test. This report includes:
A list of the security vulnerabilities identified.
An assessment by the penetration testing team that outlines the level of risk created by each vulnerability.
Suggestions about ways to resolve vulnerabilities.
An in-depth rundown that paints a holistic picture of a business’s overall IT security.
General advice on how to patch vulnerabilities and strengthen a business’s network.
Armed with this report, cyber-security professionals can begin preventing real-world attacks and begin securing sensitive information.
Penetration testing types
There are many different types of penetration tests to perform across a variety of networks that a business maintains.
Here are a few different types of penetration testing:
Black box: The pen tester has no prior knowledge of the target(s). They identify and test everything based on their own reconnaissance scans.
White box: The tester is given full access to everything related to the target: source code, network diagrams, credentials and any other piece of information that could help.
Grey box: This is the most common pen testing scenario. The testers are given only limited information, the minimum necessary, so that they can skip the time-consuming reconnaissance and start testing against key targets.
The type of pen test is also informed by the target, whether it’s network infrastructure, a custom application, a website or web application etc. Testers will adopt different strategies, for example, to test a public-facing website or to see what systems are vulnerable once an attacker has already gained privileged network access.
For all penetration tests, it’s especially important that testers have a defined scope and written authorisation for the test to happen. This helps them avoid any potential problems with legal teams and law enforcement.
Frequently asked questions about penetration testing
What is the most effective type of penetration testing?
The most effective type of testing is white-box testing, and the most common (and cost-effective) is grey-box testing.
Who performs penetration tests?
Many businesses turn to external consultants to conduct these tests. Companies are often required to get external testing to meet regulatory requirements, but an external team also brings specialist skills and a wider portfolio of services.
What systems should be tested during a penetration test?
Penetration testing usually involves the attempted breaching of multiple IT systems and infrastructure. Often, this will include:
1. Web and mobile applications
2. Internal applications
3. Cloud and on-premise IT infrastructure
4. Wireless networks
Why do I need to do penetration testing?
Much like a financial audit or an employee performance review, it’s vital that your business’s critical cogs are turning as smoothly as possible. And in today’s landscape of remote work, secure IT infrastructure is more important than ever before.
Your internal IT security team likely monitors and stops threats across your networks every day. However, a penetration test conducted by external consultants ensures that your internal processes and protocols are up to date, efficient, and effective enough to shut down threats before they become a problem.
What should a penetration test tell you?
To protect your business, you should conduct penetration tests on a regular basis. Within each report, you’ll be able to:
Identify vulnerabilities in your security systems so you can deploy adequate measures to stop them.
Ensure that your existing preventative security measures are up to scratch.
Test and secure new software solutions and applications.
Identify and eradicate existing threats that may have gone unnoticed.
Remain compliant with data regulations including the GDPR (General Data Protection Regulation) and DPA (Data Protection Act).
Build stakeholder and shareholder trust and ensure all sensitive data is protected and secure.
Beyond the details, the most important takeaway from any pen test is a better understanding of the overall risk if all the potential vulnerabilities were to be exploited.
Automate your penetration testing
Penetration testing has one purpose, and one purpose only: to protect a business’s data from possible real-world cyber-attacks.
Pen testing gives you an essential point-in-time risk assessment. But, in our experience, companies need to go beyond that. Continuous Security Testing adds a recurring scan where vulnerabilities are verified by a tester before being reported. It’s the difference between having a security consultant check your doors and windows and installing an alarm system with a central station to respond to alerts. You need both to stay safe.