April 12, 2018
Penetration testing has become a vital part of a modern vulnerability management programme. Just like in today’s Hollywood thrillers, industrialised hackers around the world are trying to breach network defences – not just of national banks, Government organisations, or big corporate brands, but also of any company – of all sizes – with easily discovered and exploited security vulnerabilities.
> Hacking is Now Industrialised
Simulating the behaviour of a real cyber criminal, a penetration test (pen test) will uncover the critical security issues of your systems, how these vulnerabilities were exploited – as well as steps required to fix them (before they are exploited for real).
But there are several different types of Pen Test, each with a different viewpoint, and objective so it is important to know the differences – so you know which type of test meets your requirements and objectives.
What Are the Different Types of Pen Test?
While there are numerous sub-categories and variations, generally, the different types of penetration test can be divided into four main groups. Let’s take a look:
1. External Network Penetration Test
An external network penetration test is typically what most people think of when talking about pen testing.
An ‘external’ pen test involves an ethical hacker trying to break into an organisation’s network – across the Internet. This means it’s done off-site (remotely, as a hacker would be), using controlled and agreed ethical hacking techniques to accurately simulate a targeted attack from malicious parties on your network.
Benefits of a Network Pen Test
An external pen test probes your perimeter defences, providing an effective test of how your externally-facing network infrastructure responds to threats, and where potential weaknesses and vulnerabilities lie.
Network devices, servers and software packages represent a constant challenge to secure, and a frequent opportunity for attack. Network penetration testing allows you to find your most exposed security vulnerabilities before they can be exploited.
As with all pen testing methodologies, a hacker will perform an intelligence-gathering phase from publicly available sources to identify opportunities and vulnerabilities to exploit. This would include using performing a vulnerability scan to identify potential weaknesses to exploit, e.g. misconfigurations, weak passwords, unpatched software, open ports etc.
2. Internal Network Penetration Test
An internal penetration test, by contrast, simulates either the actions a hacker might take once access has been gained to a network, or those of a malicious actor, or disgruntled employee with access that he or she is looking to escalate.
The end target is ultimately the same as an external penetration test (above), but the starting point assumes a degree of network access already.
Why Perform an Internal Pen Test?
An internal network pen test is typically performed from the perspective of both an authenticated and non-authenticated user to ensure that the network is critically assessed for both the potential exploit of a rogue internal user, and an unauthorised attack.
Naturally, with GDPR in mind, you will also be checking the potential for users to access and leak any confidential, sensitive or personally identifiable information (PII).
3. Web Application Penetration Test
The number of web apps and websites is growing rapidly, many providing easy access to sensitive user or financial data, making them a highly prized target for cybercriminals.
A web application penetration test, looks for any security issues that might have arisen as a result of insecure development, design or coding, to identify potential vulnerabilities in your websites and web applications, including CRM, extranets and internally developed programmes – which could lead to exposure of personal data, credit card information etc.
Increased Demand for Web Application Pen Testing
From web-based portals to online shopping and banking, today organisations are building their businesses directly online. As these systems grow increasingly powerful, they also scale in complexity, meaning the range of exploitable vulnerabilities is rising.
Internet-based web applications are in their nature, globally accessible and easily probed, or manipulated – from anywhere, at any time – creating some of the most pressing issues facing any organisation.
4. Social Engineering
Social engineering is commonly seen as the modern frontier in IT security – and certainly your greatest risk. Your users.
A social engineering pen test will help you assess and understand the susceptibility within your organisation to human manipulation via email, phone, media drops, physical access, social media mining etc.
What is Social Engineering?
Social engineering techniques are wide-ranging, from the very simple, to highly personalised, sophisticated attacks that can be almost impossible to detect – but all can have devastating effects.
By manipulating those closest to the target – your employees – these attackers use simple, but highly effective psychological tactics to lure your employees into granting privileged network access, or sending a sensitive file, or paying a supposedly urgent invoice.
Rather than finding exotic backdoor vulnerabilities and resorting to high-tech tools and strategies, social engineering attacks organisations through their own front door.
Benefits of a Social Engineering Pen Test
In practice, hackers (and ethical hackers) will often use social engineering tactics as a first step, to gain a foothold into the network, from which they can elevate user privileges – it is often easier to exploit users’ weaknesses than it is to find a network or software vulnerability.
Social engineering pen testing can reveal a lot about the cyber security awareness levels of your employees, and their level of compliance with existing security policies in place.
Which Type of Pen Test Is Right for Me?
So there it is: we’ve gone through the four main types of penetration tests – all providing a rigorous ‘real-world’ test of your existing security controls.
In practice, a pen tester might use a combination of several techniques; it’s very common for social engineering to feature in each type of test we’ve outlined.
But importantly, an individual pen test should be tailored to meet your objectives – as there is no ‘one size fits all’ – following different strategies and methodologies to identify possible points of weaknesses and compromise.
Detailed Risk-Based Report
Once completed, you should expect an ‘easy to understand’ risk-based report, suitable for both technical & non-technical staff, with details of the steps taken pen tester to breach the network/defences – plus the necessary remediation or next steps.
Further Reading
- Questions to ask your pen test provider
- On-demand webinar: How to develop security vulnerability management programmes
- 6 steps to a successful cyber security improvement programme
- The difference between a Vulnerability Scan and a Penetration test
- Pros and cons of outsourcing your Cyber Security – In-house, MSSP, or Virtual SOC?