Also known as a “pen test”, this is an authorised, simulated attack on a computer system. The process typically identifies the target systems and a particular goal, then attains it through various means. The penetration testers at CRIBB can help with any format of test depending on your requirements: Internal, external, website or advanced office perimeter access.
As part of theICEway, we also have full access to IT expertise and resources based around the world.
What is penetration testing?
It is a process that sees someone taking on the role of a hacker. They then attempt to compromise or gain unauthorised access to a network or application. Essentially, a qualified professional uses automated tools and manual processes to detect vulnerabilities and cyber security risks.
A penetration test is deployed by companies and organisations seeking an overview of their security levels. It provides assurances that they will be able to withstand the efforts of malicious hackers. Pen tests are a crucial part of any robust security strategy and are a mandatory requirement of some compliance schemes.
What is the main purpose of penetration testing?
To identify security weaknesses that malicious parties might be able to take advantage of. When these weaknesses are detected, the people responsible for maintaining the systems or software in question can then take action to eliminate or reduce the weaknesses.
What are the different types of penetration test?
Common, ethical hacking penetration testing types include black-, grey- and white-box. The amount of information provided before a test is carried out can have a significant bearing upon the outcome. It is therefore crucial to select the right type in accordance with your objectives.
In a black box test, the client does not provide information about their infrastructure other than a URL. In some cases they only provide the company name. The tester must then assess the environment as if they were an external attacker with zero-to-little information about the infrastructure or application logic. Black box penetration tests provide a simulation of how an attacker such as an internet hacker could present risk to the environment.
A grey box test is a blend of black box testing techniques and white box testing techniques. In grey box testing, clients provide snippets of information to help with the testing procedures. This results in a more focused test than in black box testing as well as a reduced timeline for the testing engagement. Grey box penetration tests provide an ideal approach for assessing web applications that allow users to log-in and access data.
In a white box test, detailed information is provided on the applications and infrastructure. It is common to provide access to architecture documents and to application source code. It is also usual for access to be given via a range of different credentials within the environment. This strategy will deliver stronger assurance of the application and infrastructure logic. It provides a simulation of how an attacker with information could present risk to the environment.
A Red Team Assessment is similar to a penetration test in many ways but is more targeted. The goal is not to find as many vulnerabilities as possible, but to test the organisation’s detection and response capabilities. The red team will try to access sensitive information in any way possible, as quietly as possible, by emulating a malicious actor targeting attacks and looking to avoid detection. This assessment does not look for multiple vulnerabilities but for those vulnerabilities that will achieve their goals. Methods used include social engineering. A Red Team Assessment is not for everyone and should only be requested by organisations with mature security programmes and high-level security requirements.