What is penetration testing? | Process and methods
Penetration testing definition
Penetration testing (also known as ‘pen testing’ or ‘ethical hacking’) is the systematic process of identifying and probing vulnerabilities in your networks and software. It can also examine physical security measures or identify security weaknesses in people (social testing).
Penetration testing is essentially a controlled form of hacking. The ‘attackers’ act on your behalf to find and test weaknesses that criminals could exploit. These might include:
- Inadequate or improper configuration
- Hardware or software flaws
- Operational weaknesses in processes or technical countermeasures
- Employees’ susceptibility to phishing and other social engineering attacks
Experienced penetration testers mimic the techniques used by criminals to probe these vulnerabilities – individually or in combinations – without causing damage. This enables you to address the security flaws that might leave your organization vulnerable.
Why is penetration testing important?
New cybersecurity vulnerabilities are identified – and exploited by criminals – every day.
Identifying and fixing them is essential to your organization’s security posture.
Only a penetration test carried out by a trained security professional can give you a proper understanding of the security issues you face.
To protect yourself, you should regularly conduct penetration tests to:
- Identify security flaws so that you can resolve them or implement appropriate controls
- Ensure your existing security controls are effective
- Test new software and systems for bugs
- Discover new bugs in existing software
- Support your organization’s compliance with relevant privacy laws and regulations
- Enable your conformance to standards such as the PCI DSS (Payment Card Industry Data Security Standard)
- Assure customers and other stakeholders that their data is being protected
Free download: Assured Security – Getting cyber secure with penetration testing
For your cybersecurity to be effective, you must implement the right solutions to protect your assets from cyber threats. This means understanding where your organization is most vulnerable.
This free paper will teach you how to keep your organization’s information and systems secure with effective penetration testing.
Types of penetration testing
Different types of penetration testing will focus on various aspects of your organization’s logical perimeter. This boundary separates your network from the Internet.
Web application (software) and API penetration tests
Web application and API tests focus on vulnerabilities such as coding errors or software responding to certain requests in unintended ways.
These include:
- Testing user authentication to verify that accounts cannot compromise data
- Assessing the web applications for flaws and vulnerabilities, such as XSS (cross-site scripting) or SQL injection
- Confirming the secure configuration of web browsers and identifying features that can cause vulnerabilities
- Safeguarding database server and web server security
External infrastructure (network) penetration tests
External infrastructure penetration tests identify and test security vulnerabilities that might allow attackers to gain access from outside the network. An external test will generally:
- Identify vulnerabilities in the defined external infrastructure, such as file and web servers
- Check authentication processes to ensure there are appropriate mechanisms to confirm users’ identities
- Verify that data is being securely transferred
- Check for misconfigurations that could allow information to be leaked
Phishing penetration tests
As technical security measures improve, criminals increasingly use social engineering attacks such as phishing, pharming, and BEC (business email compromise) to access target systems.
So, just as you should test your organization’s technological vulnerabilities, you should also test your staff’s susceptibility to phishing and other social engineering attacks.
Wireless network penetration tests
If you use wireless technology, such as Wi-Fi, you should also consider wireless network penetration tests.
These include:
- Identifying Wi-Fi networks, including wireless fingerprinting, information leakage, and signal leakage
- Determining encryption weaknesses, such as encryption cracking, wireless sniffing, and session hijacking
- Identifying opportunities to penetrate a network by using wireless or evading WLAN access control measures
- Identifying legitimate users’ identities and credentials to access otherwise private networks and services
Speak to an expert
For more information on how our CREST-accredited penetration testing services can help safeguard your organization, call us now on +1 877 317 3454 or request a call back.
IT Governance’s penetration testing solutions
Our CREST-accredited penetration testing services have been developed to align with your business requirements, your budget, and the value you assign to the assets you intend to test.
Our proprietary security testing methodology is closely aligned with the SANS, OSSTMM (Open Source Security Testing Methodology Manual), and OWASP (Open Web Application Security Project) methodologies.
Level 1 penetration tests are suitable for organizations that want to identify the common exploitable weaknesses targeted by opportunistic attackers using freely available, automated attack tools. They are an off-the-shelf option with fixed constraints and are priced by scale, according to factors such as the number of IP addresses in scope.
Level 2 penetration tests are aimed at those with more complex objectives or who require a more detailed exploration of complex or sensitive environments. They are designed according to clients’ individual needs following scoping.
Speak to an expert
For more information and guidance on penetration testing or the packages IT Governance offers, please contact our experts, who will be able to discuss your organization’s needs further.