You may be wondering exactly what a penetration test involves and working through the steps of a standard ‘pen test’ is a useful way of understanding how the process can benefit your business. While each pen test is specific to the systems and needs of the company being tested, there are some elements common to all pen testing approaches.
At its core, penetration testing is about simulating a real attack. The test is used to identify vulnerabilities and areas of weakness that can be exploited. Not every pen testing routine reveals a problem, but if issues are exposed, then you can take action to plug the gaps before a more malicious package arrives.
[Recommended reading: I’ve Been Hacked! 5 Things to do]
Assessment and approaches
Each pen test is different in terms of the finer details, but most are broadly similar. Typically, a firm enlists the help of an expert penetration testing and security service to attack its networks, and the two parties work out an approach to take. The company under observation reveals some information about which systems require pen testing, but keeps many details back in order to better simulate an actual external attack.
It’s then down to the penetration testing experts to get to work on exposing vulnerabilities, from elevating user access accounts, to stealing private documents. Often, a pen test won’t have any specific goals, except to go as deep into the specified system as it can and to open a back door for future hacking attempts, if possible.
[Suggested reading: Simple Steps to Stave Off Hackers from Accessing Your Computer]
Types of testing
Each pen testing firm offers its own suite of tools: NCC Group’s penetration testing package, for example, covers infrastructure penetration testing, application security, remote access attempts, wireless security and mobile security testing. Social engineering pen testing is also covered, where attempts are made to get existing users to part with their login credentials under false pretenses.
Once the types and areas of testing have been established, the pen testing routines themselves are run, typically through a combination of automated scanning tools and expert human interventions. Many different angles are covered in a standard pen test, which may involve a DDoS (Distributed Denial of Service) attack as well.
[Read also: 7 Ways You Are Vulnerable to XSS Attacks]
Test reports
The reporting and clean-up stage is the most important part of a pen test. It’s at this stage that the findings of the pen testing routines are used to patch any security vulnerabilities that have been discovered — the external pen testing firm usually works in tandem with internal IT security teams to deal with the issues that have been identified.
Both internal and external networks are tested and repaired in a pen test, so whether hackers want to gain access to staff emails or the public-facing website, the company in question can secure itself in advance.
The ultimate aim of any penetration testing process is to simulate an actual hacking attempt and take any appropriate action. As real hacks are launched on a frequent basis, pen testing needs to be a continual, pro-active process. By setting up your own bespoke pen test protection, you can minimize the risk of a security breach in the future.
[Now read: Is Hacking An Inside Job?]
[Image via Google Images]
What is an average price for a “pen test”. I employ 18 people, and we have around 25 desktop computers along with 4 servers on site. I worry that we are vulnerable to an attack but don’t know if I can afford the expertise.