One of our core IT security products, penetration tests are incredibly useful when evaluating a computer system’s level of security. We have produced articles on pen testing before but today we present you with a penetration testing definition.
Penetration testing is also frequently known as pen testing or even ethical hacking. In essence, it is a technique whereby IT infrastructure and software are systematically probed for vulnerabilities. It can also be used to detect weaknesses in people through social testing, and to evaluate physical security measures.
It is also known as ethical hacking due to the fact that it is a controlled form of hacking. Organisations deploy attackers to find and test weaknesses that could be exploited, such as flaws in hardware or software and improper configuration.
It is important to note that penetration testing is expensive and by no means a ‘magic bullet’. Rather, it is an important tool used for assessing IT system security. It should be deployed carefully and properly, with a keen emphasis on planning and preparation. To get the most out of penetration testing, organisations must consider building routine tests into their overall security measures.
Why penetration testing is important (at a glance)
Regular pen testing can be invaluable, helping organisations to:
- Detect flaws in security which can then be resolved efficiently
- Identify any missing controls
- Monitor the effectiveness of existing security controls
- Maintain compliance with relevant privacy and security laws and regulations, including the UK GDPR / GDPR (General Data Protection Regulation) and DPA (Data Protection Act) 2018
- Maintain compliance with other standards such as the PCI DSS (Payment Card Industry Data Security Standard)
- Generate assurance in stakeholders and customers
Pen testing types
- Web application penetration testing
- Internal network penetration testing
- External network penetration testing
- Social engineering penetration testing
- Wireless network penetration testing
- Red team penetration testing
Aside from the final point above, these pen test types are fairly self-explanatory*. Read team testing involves the adoption of ‘real-world attacker’ actions to gain access to networks and systems.
Effective penetration testing
These tests are used to validate whether or not an organisation’s IT systems are vulnerable to known issues when the test is carried out. Due to the costs involved, many organisations schedule penetration tests on an annual basis. Therefore, vulnerabilities could well be present for a long time ahead of being detected if there are no other methods for validating security.
A penetration test should only be performed by a qualified and experienced member of staff. As they are not procedural, the quality of a pen test is often determined by the abilities of the tester(s) involved. The NCSC therefore recommends that non-governmental organisations use testers qualified under certification schemes such as CREST, Tiger scheme and Cyber Scheme.
This penetration testing definition is designed to provide a brief insight into what is a very important tool in the battle to achieve a robust security strategy. The experts at CRIBB are CREST certified and have years of experience in this discipline. If you need help, we’re ready, willing and able.
*Self-explanatory to those in the know perhaps, but maybe not to anybody else! In which case, we invite you to reach out to our team of experts.