Penetration tests (a.k.a. pen tests) are point-in-time cyber risk assessments. They allow IT and security professionals to assess the adequacy of security controls, including intrusion detection and response systems, and identify weaknesses that need attention.
Pen tests simulate real-world attacks in a controlled setting in order to uncover vulnerabilities in a manner that won’t actually harm your network or expose data. These vulnerabilities could arise from a number of different sources, including unpatched software, coding errors, and weak or default passwords. All this and more can be uncovered during pen testing.
Put another way, a pen test is ethical hacking designed to improve protection against attacks.
What are the types of penetration testing, how do they work, and which is right for your business?
The objective of a pen test is to:
- Identify potential breach sites and vulnerabilities through footprint analysis
- Simulate cyber attacks by penetrating vulnerable systems, applications, and services using both manual and automated tools
- Gain access to sensitive data and/or systems
Determine what kind of pen test you need
Tests can be tailored for a variety of products, needs, and situations. Before choosing a vendor, determine which approach will be most effective for you. Most vendors will also provide prospective clients with a questionnaire to see which test meets their specific needs.
- Black box tests are performed with no prior knowledge of the tested network ecosystem. A black box test is an objective assessment of security as seen from outside the network by third parties. It’s a test of how the software's security operates, whereas a white box test is structural.
Examples of black box testing include functional testing, non-functional testing, and regression testing. However, a standard black box test likely wouldn’t involve a tactic like a denial-of-service (DoS) attack, which could cause severe damage to the network.
- White box tests are performed with full knowledge of the internal design and structure of the tested ecosystem.
White box testing is used to test the software's logic for gaps in code and security, rather than to test its behavior against malicious outside agents. Path testing, loop testing, and condition testing are all white box.
- Grey box tests combine aspects of white and black box testing into one. For this variety of test, experts will assess the level of software security seen by a legitimate user with an account.
These tests give access to the software or product, along with general information about the internal ecosystem. They combine operational testing from a third-party perspective with a more advanced internal understanding of the software.
Selecting the right approach to testing is essential for success. A white box test may uncover where a developer accidentally left credentials in the software code, but be wholly inadequate to uncover vulnerabilities in open ports or third-party integrations.
Common types of penetration test
- External network pen test — A black box test designed to use footprint analysis to identify publicly available information about the network and organization, including IP addresses, ranges, and key personal information (email addresses, passwords, etc.). Using this information, an expert will locate potential vulnerabilities.
- Internal network pen test — A white or grey box test designed to simulate what could happen if a user’s account is compromised.
Pen tests can be tailored to search for vulnerabilities in web apps, mobile devices, and wireless networks.
Supplementing point-in-time testing
Pen tests give you a snapshot of your security posture at a certain point in time. Between tests, the landscape can change significantly. New tools and tactics are always in development. How do you stay vigilant enough to prevent breaches, or know when you’ve been breached?
Security performance management can help bolster your defenses in between pen tests. This software combs through a wealth of globally available data to find evidence of breaches, threats, and more.
Security performance management software requires a lot of data to get a holistic picture of your cybersecurity. The more data the provider can access, the better. Bitsight has access to the largest silo of data on the market.
In addition, Bitsight uses security ratings to help create advanced security benchmarking, which can be used to compare your current security standing against industry peers and historical performance. Bitsight security ratings are unique in how they correlate to performance — companies with a security rating of 500 or lower are nearly five times more likely to have a breach than those with a rating of 700 or higher.