Penetration Test

A penetration test is an authorized simulated attack performed on a computer system to evaluate its security. Our Security Experts use the same tools, techniques, and processes as attackers to find and demonstrate the business impacts of weaknesses in your systems.

Penetration tests usually simulate a variety of different attacks that could threaten your business. A pen test might examine whether a system is robust enough to resist attacks from authenticated and unauthenticated positions, as well as a range of system roles. With the right scope, a pen test can dive into any aspect of a system that you need to assess.

External Penetration Test

An external network penetration test is designed to test how effectively perimeter security controls prevent and detect attacks, and to identify weaknesses in internet-facing assets such as web, mail, and FTP servers.

Benefits of a Penetration Test

A penetration test provides insight into how well you’ve achieved that aim. Penetration testing supports the following security activities:

  • Finding weaknesses in systems

  • Determining the robustness of controls

  • Supporting compliance with data privacy and security regulations (e.g., PCI DSS, HIPAA, GDPR)

  • Providing qualitative and quantitative examples of current security posture and budget priorities for management

Types of Penetration Testing

Depending on the goals of a penetration test, the organization provides the testers varying degrees of information about, or access to, the target system. In some cases, the pen testing team sets one approach at the start and sticks with it. Other times, the testing team evolves their strategy as their awareness of the system increases during the pen test. Usually there are three types of penetration tests:

  • Black Box. The team doesn’t know anything about the internal structure of the target system. They act as hackers would, probing for any externally exploitable weaknesses.

  • Grey Box. The team has some knowledge of one or more sets of credentials. They also know about the target’s internal data structures, code, and algorithms. Pen testers might construct test cases based on detailed design documents, such as architectural diagrams of the target system.

  • White Box. For white box testing, pen testers have access to systems and system artefacts: source code, binaries, containers, and sometimes even the servers running the system. White box approaches provide the highest level of assurance in the least amount of time.

Phases of a Penetration Test

Pen testers aim to simulate attacks carried out by motivated adversaries. To do so, they typically follow a plan that includes the following steps:

  • Reconnaissance. Gather as much information about the target as possible from public and private sources to inform the attack strategy. Sources include internet searches, domain registration information retrieval, social engineering, nonintrusive network scanning, and sometimes even dumpster diving. This information helps the pen tester map out the target’s attack surface and possible vulnerabilities. Reconnaissance can vary with the scope and objectives of the pen test, and might be as simple as making a phone call to walk through the functionality of a system.

  • Scanning. The pen tester uses tools to examine the target website or system for weaknesses, including open services, application security issues, and open source vulnerabilities. Pen testers use a variety of tools based on what they find during reconnaissance and during the test.

  • Gaining access. Attacker motivations vary from stealing, changing, or deleting data to moving funds to simply damaging your reputation. To perform each test case, pen testers must decide on the best tools and techniques to gain access to your system, whether through a weakness, such as SQL injection, or through malware, social engineering, or something else.

  • Maintaining access. Once pen testers gain access to the target, their simulated attack must stay connected long enough to accomplish their goals: exfiltrating data, modifying it, or abusing functionality. It’s about demonstrating the potential impact.