
Types of Penetration Test - What’s The Difference?

Written by Mark Terry | Apr 12, 2018 12:00:00 AM

Penetration Testing has become a vital part of a modern vulnerability management programme. Just like in today’s Hollywood thrillers, industrialised hackers worldwide are trying to breach network defences - not just of national banks, Government organisations, or big corporate brands, but also of companies of all sizes with easily discovered and exploited security vulnerabilities.

Hacking is Now Industrialised

A Penetration Test (Pen Test) simulates the behaviour of a real cyber criminal. It will uncover your systems' critical security issues, show how these vulnerabilities were exploited during the test, and set out the steps required to fix them (before they are exploited for real).

However, there are several different types of Pen Tests, each with a different viewpoint and objective. It is important to know the differences so that you can choose the type of test that meets your requirements and objectives.

What Are The Different Types of Pen Tests?

While there are numerous sub-categories and variations, the different types of Penetration Tests can generally be divided into four main groups. Let’s take a look:

1. External Network Penetration Test

Most people typically think of an external network Penetration Test when talking about Pen Testing.

An ‘external’ Pen Test involves an ethical hacker trying to break into an organisation’s network, across the Internet. This means it’s done off-site (remotely, as a hacker would be), using controlled and agreed-upon ethical hacking techniques to accurately simulate a targeted attack from malicious parties on your network.

Benefits of a Network Pen Test

An external Pen Test probes your perimeter defences, effectively testing how your externally-facing network infrastructure responds to threats and where potential weaknesses and vulnerabilities lie.

Network devices, servers, and software packages represent a constant challenge to security and a frequent opportunity for attack. Network Penetration Testing allows you to find your most exposed security vulnerabilities before they can be exploited.

As with all Pen Testing methodologies, a hacker will perform an intelligence-gathering phase from publicly available sources to identify opportunities and vulnerabilities to exploit. This would include conducting a vulnerability scan to identify potential weaknesses to exploit, e.g. misconfigurations, weak passwords, unpatched software, open ports, etc.

2. Internal Network Penetration Test

An internal Penetration Test, by contrast, simulates the actions a hacker might take once access to a network has been gained, whether those of a malicious actor or those of a disgruntled employee looking to escalate the access he or she already has.

The end target is ultimately the same as an external Penetration Test (above), but the starting point already assumes a degree of network access.

Why Perform an Internal Pen Test?

An internal network Pen Test is typically performed from the perspective of both an authenticated and non-authenticated user to ensure that the network is critically assessed for both the potential exploit of a rogue internal user and an unauthorised attack.

With GDPR in mind, you will also be checking the potential for users to access and leak any confidential, sensitive or personally identifiable information (PII).

3. Web Application Penetration Test

The number of web apps and websites is growing rapidly. Many provide easy access to sensitive user or financial data, making them a highly prized target for cybercriminals.

A web application penetration test looks for any security issues that might have arisen as a result of insecure development, design or coding. Its aim is to identify potential vulnerabilities in your websites and web applications, including CRM, extranets and internally developed programmes, which could lead to exposure of personal data, credit card information etc.

Increased Demand for Web Application Pen Testing

From web-based portals to online shopping and banking, organisations build their businesses directly online. Today, as these systems grow increasingly powerful, they also scale in complexity, meaning the range of exploitable vulnerabilities is rising.

Internet-based web applications are, by their nature, globally accessible and easily probed or manipulated – from anywhere, at any time – creating some of the most pressing issues facing any organisation.

4. Social Engineering

Social engineering is commonly seen as the modern frontier in IT security, and it targets what is certainly your greatest risk: your users.

A social engineering Pen Test will help you assess and understand the susceptibility within your organisation to human manipulation via email, phone, media drops, physical access, social media mining etc.

What is Social Engineering?

Social engineering techniques are wide-ranging, from the very simple to highly personalised, sophisticated attacks that can be almost impossible to detect - but all can have devastating effects.

By manipulating those closest to the target—your employees—these attackers use simple but highly effective psychological tactics to lure your employees into granting privileged network access, sending a sensitive file, or paying a supposedly urgent invoice.

Rather than finding exotic backdoor vulnerabilities and resorting to high-tech tools and strategies, social engineering attacks organisations through their front door.

Benefits of a Social Engineering Pen Test

In practice, hackers (and ethical hackers) will often use social engineering tactics as a first step to gain a foothold in the network, from which they can elevate user privileges—it is often easier to exploit users’ weaknesses than to find a network or software vulnerability.

Social engineering Pen Testing can reveal a lot about your employees' cyber security awareness and compliance with existing security policies.

Which Type of Pen Test Is Right for Me?

So there it is: we’ve gone through the four main types of Penetration Tests, all of which provide a rigorous ‘real-world’ test of your existing security controls.

In practice, a Pen Tester might use several techniques; social engineering is common in each type of test we’ve outlined.

But importantly, an individual Pen Test should be tailored to meet your objectives, as there is no ‘one size fits all’ approach; different tests follow different strategies and methodologies to identify possible points of weakness and compromise.

Detailed Risk-Based Report

Once completed, you should expect an ‘easy to understand’ risk-based report, suitable for both technical & non-technical staff, with details of the steps the Pen Tester took to breach the network/defences - plus the necessary remediation or next steps.