Deployed in order to discover security vulnerabilities, penetration testing is a vital tool in cyber security. It is also known as pen testing, and involves authorised, simulated attacks by testers often called ‘ethical hackers’. This is so because the key objective of penetration testing is to access sensitive data through hacking techniques. Today we look at this crucial aspect of IT security in more depth.
Types of penetration testing
The key types include the following:
Black box testing
Testers receive zero information on the infrastructure they will be testing. They are given a URL and in some cases, the company name. They then need to act as an external attacker, such as a hacker, assessing the environment and uncovering risks.
Grey box testing
A combination of black and white box testing techniques, where the tester receives select information to help. This more focused test typically takes less time than black box testing and is ideal for assessing web applications used to access data.
White box testing
Detailed information is offered along with access to documents and source code. Testers are often also then given access through different credential, allowing for the delivery of stronger assurances.
Red team testing
A targeted pen test designed to assess an organisation’s detect and response capabilities. The red team poses as a malicious actor to access sensitive data via many different methods. They aim to avoid detection by being as quiet as possible. Red team testing is not carried out to identify multiple vulnerabilities, rather it is used to uncover those vulnerabilities that they can exploit. Typically, the methods involved include social engineering.
Top Tip: Use CRIBB for your pen testing requirements
CRIBB Cyber Security joins eTestware in making up theICEway. A lot of our efforts cross over but they are an official certification body and specialise in data protection, governance and more. They have a robust penetration testing service recognised by CREST, and as part of theICEway, have access to global resources. The same is true of ourselves, and we can help you with a wealth of other testing solutions.
Pen testing tools & techniques
You must ensure that your efforts are completed by, or supported by, accredited testing experts. Only then will you achieve the right results, but there are a number of tools that can be used. These include Acunetix WVS and Intruder, though it must again be said that you should seek professional help if using them.
The three key techniques in pen testing are manual, automated, and a combination of the two. Automated techniques are efficient and can save time, but manual testing must be deployed when dealing with social engineering (for example). This is a fairly typical process to adopt:
- Collect data
- Carry out a vulnerability assessment
- Exploit the system
- Analyse and report back on your findings
A pen test lets you know if your system’s existing defences are strong enough to prevent breaches. Once the test has been completed, you will receive a report with actions to take to mitigate the risk of hacking (for example). Common vulnerabilities include, but are not limited to:
- Human error
- Design and development error
- A lack of or poor password security protocols
eTestware is part of theICEway ecosystem of companies. To deliver a complete, end-to-end digital solution, we pool our resources together with ICE and CRIBB Cyber Security.