pen testing (penetration testing)

What is a pen test?

A penetration test, also called a pen test or ethical hacking, is a cybersecurity technique organizations use to identify, test and highlight vulnerabilities in their security posture. These penetration tests are often carried out by ethical hackers. These in-house employees or third parties mimic the strategies and actions of an attacker in order to evaluate the hackability of an organization's computer systems, network or web applications. Organizations can also use pen testing to test their adherence to compliance regulations.

Ethical hackers are information technology (IT) experts who use hacking methods to help companies identify possible entry points into their infrastructure. By using different methodologies, tools and approaches, companies can perform simulated cyber attacks to test the strengths and weaknesses of their existing security systems. Penetration, in this case, refers to the degree to which a hypothetical threat actor, or hacker, can penetrate an organization's cybersecurity measures and protocols.

There are three main pen testing strategies, each offering pen testers a certain level of information they need to carry out their attack. For example, white box testing provides the tester all of the details about an organization's system or target network; black box testing provides the tester no knowledge of the system; and gray box penetration testing provides the tester partial knowledge of the system.

Pen testing is considered a proactive cybersecurity measure because it involves consistent, self-initiated improvements based on the reports generated by the test. This differs from nonproactive approaches, which lack the foresight to improve upon weaknesses as they arise. A nonproactive approach to cybersecurity, for example, would involve a company updating its firewall after a data breach occurs. The goal of proactive measures, like pen testing, is to minimize the number of retroactive upgrades and maximize an organization's security.

What is the difference between pen testing and vulnerability assessment?

Pen tests are not the same as vulnerability assessments, which provide a prioritized list of security weaknesses and how to amend them, but they are often performed together. Pen testing is often conducted with a particular goal in mind. These goals typically fall under one of the following three objectives:

  1. identify hackable systems
  2. attempt to hack a specific system
  3. carry out a data breach

Each objective focuses on specific outcomes that IT leaders are trying to avoid. For example, if the goal of a pen test is to see how easily a hacker could breach the company database, the ethical hackers would be instructed to try and carry out a data breach. The results of a pen test will not only communicate the strength of an organization's current cybersecurity protocols, but they will also present the available hacking methods that can be used to penetrate the organization's systems.

Why is pen testing important?

The rate of distributed denial-of-service, phishing and ransomware attacks is dramatically increasing, putting all internet-based companies at risk. Considering how reliant businesses are on technology, the consequences of a successful cyber attack have never been greater. A ransomware attack, for instance, could block a company from accessing the data, devices, networks and servers it relies on to conduct business. Such an attack could result in millions of dollars of lost revenue. Pen testing uses the hacker perspective to identify and mitigate cybersecurity risks before they are exploited. This helps IT leaders implement informed security upgrades that minimize the possibility of successful attacks.

Technological innovation is one of, if not the greatest, challenge facing cybersecurity. As tech continues to evolve, so do the methods cybercriminals use. In order for companies to successfully protect themselves and their assets from these attacks, they need to be able to update their security measures at the same rate. The caveat, however, is that it is often difficult to know which methods are being used and how they might be used in an attack. But, by using skilled ethical hackers, organizations can quickly and effectively identify, update and replace the parts of their system that are particularly susceptible to modern hacking techniques.

penetration testing can be broken into six steps
Pen testing at a glance

How to do penetration testing

Pen testing is unique from other cybersecurity evaluation methods, as it can be adapted to any industry or organization. Depending on an organization's infrastructure and operations, it may want to use a certain set of hacking techniques or tools. These techniques and their methodologies can also vary based on the IT personnel and their company standards. Using the following adaptable six-step process, pen testing creates a set of results that can help organizations proactively update their security protocols:

  1. Preparation. Depending on the needs of the organization, this step can either be a simple or elaborate procedure. If the organization has not decided which vulnerabilities it wants to evaluate, a significant amount of time and resources should be devoted to combing the system for possible entry points. In-depth processes like this are usually only necessary for businesses that have not already conducted a complete audit of their systems. Once a vulnerability assessment has been conducted, however, this step becomes much easier.
  2. Construct an attack plan. Prior to hiring ethical attackers, an IT department designs a cyber attack, or list of cyber attacks, that its team should use to perform the pen test. During this step, it is also important to define what level of system access the pen tester has.
  3. Select a team. The success of a pen test depends on the quality of the testers. This step is often used to appoint the ethical hackers that are best suited to perform the test. Decisions like these can be made based on employee specialties. If a company wants to test its cloud security, a cloud expert may be the best person to properly evaluate its cybersecurity. Companies also often hire expert consultants and certified cybersecurity experts to carry out pen testing.
  4. Determine the stolen data type. What is the team of ethical hackers stealing? The data type chosen in this step can have a profound impact on the tools, strategies and techniques used to acquire it.
  5. Perform the test. This is one of the most complicated and nuanced parts of the testing process, as there are many automated software programs and techniques testers can use, including Kali Linux, Nmap, Metasploit and Wireshark.
  6. Integrate the report results. Reporting is the most important step of the process. The results must be detailed so the organization can incorporate the findings.

Learn more about the massive SolarWinds hack and how it affects chief information security officers' agendas.

This was last updated in May 2021

Continue Reading About pen testing (penetration testing)

Dig Deeper on Risk management