What are the Goals of Penetration Testing?
The goal of a penetration test is to identify vulnerabilities that could be exploited by a malicious attacker, and to determine the level of risk posed by these vulnerabilities.
Penetration testing is a crucial component of an overall security program and is often used to complement other security measures such as firewalls and intrusion detection systems.
How is Penetration Testing Performed?
Penetration testing can be performed in a variety of ways, including manual testing, automated testing, and hybrid testing. Manual testing involves a human tester using manual methods to try to penetrate a system, while automated testing uses software tools to perform the testing.
Hybrid testing combines the strengths of both manual and automated testing, leveraging the knowledge and expertise of human testers with the speed and efficiency of automated tools.
We have a regular partner organisation for cyber security audits and assessments. They are specialists in the field, with staff who have backgrounds in matters of national security. They can provide third-party assurance of the security of work undertaken by anyone. In fact, we use them to advise on, and test, our own information security measures.
Types of Penetration Test
White Box
Penetration testing based on being given network access and account details. This is for assessing the ‘insider threat’ of a current or ex-employee.
Grey Box
As per white box, but without usernames and passwords supplied. This represents an attacker who has specific knowledge of the business but not full details.
Black Box
The test starts from just a web address, with no prior knowledge. Everything discovered in the testing is learned from scratch, as it would be by an assailant who doesn’t know you.
The Process
All systems and devices in scope for the test will be systematically assessed using multiple methods and toolsets.
The testing is methodical, exploring all possible avenues. Once a potential inroad is found, it will be pursued as far as possible.
At the end of the test, the usable exploits will be provided as a document with suggested mitigations to avoid a genuine attack.
The results of a penetration test can be used to prioritize the remediation of vulnerabilities, as well as to demonstrate the effectiveness of existing security controls. Penetration testing can also be used to validate the effectiveness of security improvements, such as software patches and configuration changes.
Overall, penetration testing helps organizations to understand the security posture of their systems and to make informed decisions about how to improve the security of their networks and systems.