What is penetration testing?
Penetration testing, also known as pen testing, pentesting or ethical hacking, is an authorized benign attack against a computer system or network that helps to uncover vulnerabilities that might be exploited by hackers in real-world attacks. Pen testing can be used on all or different parts of your network, like application protocol interfaces (APIs), frontend/backend servers, etc.. It can be used to test your web application firewall (WAF) – practically anything that can be hacked.
Why is penetration testing so important?
Many big and small enterprises use network penetration testing to identify unknown security issues and defensive strengths. It’s an essential part of any comprehensive risk assessment. The information gathered from these attacks is used to patch security loopholes and to improve overall network security before any bad actors take advantage of them.
In addition to improving their security, some companies use pen testing as part of their security audits. Some security standards can only be given to companies if a certified penetration test was done.
Who performs penetration testing?
Pen testing is usually undertaken by external companies that offer penetration test services. Outsiders with little to no knowledge about the target are more likely to spot vulnerabilities compared to developers who created the website or app.
The contractors are usually referred to as “ethical hackers.” Most of them are experienced cybersecurity professionals who specialize in pen testing and have degrees in this field. However, some are self-taught and might even be reformed criminal hackers who have decided to use their skills for good. You can read more about different types of hackers in this post.
Types of penetration testing
There are different types of pen testing techniques, and they are used to achieve different goals.
- White box testing. Before such a test, the pen tester is provided with detailed information about their target. This information may include IP addresses, network infrastructure schematics, the protocols used, and the source code.
- External or black-box testing. This type of testing targets the company’s assets that are only visible externally. An example of such test could be website penetration testing, or it could target the web application itself, email and DNS servers, etc. During such an attack, the tester is also not allowed into the building where he could get access to the company’s servers or employees’ computers. They need to perform the attack from a remote location or nearby buildings.
- Internal testing looks for vulnerabilities behind the firewall; in other words, what a hacker could exploit once they are inside the system. That doesn’t always mean they’re testing what a malicious employee could do. A hacker could use a social engineering technique like a phishing link to gain insider access.
- During Blind testing, the hacker is given limited information about the company, usually only its name. This helps to see how the attack would happen in a real-world situation.
- Double-blind testing. During this attack, the security personnel who will be responding to the attack aren’t notified about it so they cannot prepare for or stop the attack any sooner than they would in a real-world scenario. This is particularly useful for testing a company’s security monitoring, incident identification, and response procedures.
- During Targeted testing, the penetration tester and the security team communicate with each other at every single step of the attack. The “attacker” gives the security professionals their feedback, which works as a great defense training exercise.
How is penetration testing done?
- Planning and reconnaissance. During this stage, the ethical hacker and the company decide on the scope, the goals, the methods, and the systems that will be tested. The pentester gathers more information about the network and identifies potential vulnerabilities.
- Scanning During the scanning stage, the pen tester identifies how the target network or application currently responds to intrusion attempts. This is usually done by using static analysis, which scans the code of the application and identifies how it behaves while running and dynamic analysis, which also checks the code but does so in a running state. This provides real-time data on application performance.
- Gaining access. Now the tester has enough information to try to exploit these vulnerabilities. Their goal is usually to get into the system and steal some sensitive data, disrupt the service, or get admin access and escalated privileges. They can achieve so by using any attack at their disposal, like cross-site scripting, SQL injection, brute-force attacks, social engineering attacks, etc.
- Maintaining access. Once the hacker is in the system, their job is now to stay there for as long as they can or to extract the most sensitive data they can find. During this stage, the pen tester tries to imitate attacks during which a hacker stays in the system for months unnoticed. As part of this attack, the hacker could also cover their tracks to stay as anonymous as possible, which includes clearing any data gathered, logs, etc.
- Analysis. The last step is to compile all this information – the vulnerabilities, how they were exploited, and how long the hacker stayed in the system – and present them all in a report. Security professionals then analyze these, and the appropriate actions are then taken by the company to patch the new vulnerabilities and improve security controls. The upgrades can include new WAF rules, DDoS mitigation, tighter validations, or new staff training on how to recognize phishing attacks.
Pen testing NordVPN
In effort to ensure the highest level of security, NordVPN has partnered with VerSprite, a global leader in cybersecurity consulting and advisory services. VerSprite will be performing a comprehensive penetration test, examining our intrusion handling, and providing us with vendor risk assessment. Please stay tuned for the full report.
Want to read more like this?
Get the latest news and tips from NordVPN