We deploy penetration testing to identify security vulnerabilities in an application. Also known as pen testing, it involves a tester carrying out an authorised, simulated attack to exploit weaknesses. The objective is to gain access to sensitive data in the manner of a hacker. Indeed, penetration testers are often described as ‘ethical hackers’. This is an important tool in the battle against cyber criminals, and one that our experts have become well-versed in. We therefore thought it would be useful to share some information on it with you. Today’s blog, then, is called: ‘Cybersecurity 101: Penetration testing’.
Penetration testing & some common vulnerabilities
Penetration tests reveal whether or not a system’s existing defences are robust enough to prevent security breaches. A test report is then produced containing the actions you should take to mitigate the risk of hacking. Vulnerabilities arise for a variety of reasons. Some of the most common include:
- Human error
- Errors in design / development
- Poor password security protocols
The software testing experts at eTestware have often voiced their dismay at the fact that software is never bug-free. That is because mistakes are invariably made during the design and development phases. The third point listed here is also related to people’s tendency to err. Passwords must be strong and complex enough that they cannot be guessed. They must not be shared, and periodic changes are highly recommended. When these points are ignored, cyber criminals can prosper.
Testing types
You can read about Black / Grey / White box testing and Red Team testing here. Whilst these are fairly comprehensive, other terms you may hear when discussing testing types include:
- Social engineering test
- Web application test
- Wireless security test
The first listed above describes a test usually carried out on employees and helpdesks. Testers will make contact and encourage people to reveal sensitive information such as passwords. You must ensure that you have solid security policies in place, which are known to all employees. Crucially, you must ensure that the policies are adhered to. The second type involves tests which measure the vulnerability level of web apps and software programs. The third, unsurprisingly, does the same for Wi-Fi networks and hotspots.
Testing techniques
There are essentially three techniques deployed in penetration testing:
- Manual
- Automated
- Manual and automated
Automated techniques provide efficiency and can save time. However, it is necessary to adopt manual testing for objectives such as social engineering. Many vulnerabilities also require a human element to be discovered. Therefore, the third technique listed above, a combination of manual and automated testing, is used most frequently in penetration testing.
A common pen testing process can be laid out thus:
- Gather data
- Conduct a vulnerability assessment
- Exploit the system
- Analysis and reporting
Pen testing tools
There are many tools that can be used for pen testing. We advise that you engage with professionals for your own testing needs. Some of the tools available are as follows:
- Acunetix WVS
- Intruder
Once again, you must deploy accredited testing experts in order to achieve optimal results – and we can help.
That is all for ‘Cybersecurity 101: Penetration testing’ – what are your experiences of pen testing? Let us know in the comments below.
CRIBB Cyber Security is recognised by CREST and IASME, and we are proud to hold numerous other accreditations. In addition to pen testing, our data protection experts can provide guidance on vulnerability scanning, certification, governance and more. Get in touch today to take your first steps on theICEway…