What is a Penetration Test?

Alex Archondakis

Managing Consultant

What is a Penetration Test?

Penetration Testing

Penetration Testing is a crucial step in a company’s overall security posture. A Penetration Test takes an offensive approach to security by mimicking techniques and methodologies that would be used by a real-life malicious attacker. It is often required to satisfy insurance and policy requirements. The test takes a simulated approach to finding vulnerabilities, weaknesses and misconfigurations in Network, Web Application, Mobile and Physical security. The purpose of the test is to identify any vulnerabilities before an attacker does.

Penetration testing is not the only step in a strong security posture, but it should be used regularly alongside defensive and management strategies.

Penetration testers need to know every way an attacker can get into a network, an attacker just needs to get lucky with one.

Consultant led Penetration Testing should take place every six months to ensure that all of your applications and infrastructure are in good shape and do not present any vulnerabilities or security misconfigurations. It is also recommended that monthly vulnerability scans are conducted during this time to pick up any obvious changes or vulnerabilities. This may be that a bit of software in use on an application or server has had a vulnerability published that allows remote code execution. Vulnerability scans should not be thought of as a Penetration test or used in place of Penetration testing, as automated scanners are not typically intuitive and struggle to test for vulnerabilities in business logic.

Finally, monitoring software should be used to identify any threats in real time. This is known as PTaaS (Penetration Testing as as service) and ensures that your organisations applications and/or infrastructure are constantly assessed.

Web Application Penetration Testing

Web Applications that are exposed to the internet are used by Businesses and Organisations all over the world. Web sites used to be very simple as their only purpose was to retrieve and display static text and pictures, however, as technology has become more advanced Web sites have turned into Web Applications with dynamic functionality and session management. In recent years there have been a lot of publicised vulnerabilities, from cross-site request forgery to card skimming.

What are the benefits of Web Application Penetration Testing?

  • To identify and help remediate security vulnerabilities
  • Improving the overall security posture, reducing your overall threat landscape
  • Many regulatory bodies require Penetration Testing

Infrastructure Penetration Testing

A company’s infrastructure, external or internal defines a group of computers that store sensitive data about employees, clients and often host business critical software. If this information is stolen and released it can result in serious loss of reputation, fines and potentially criminal charges.

What are the benefits of Infrastructure Penetration Testing?

  • To assess the infrastructure for security vulnerabilities that allow attackers to obtain sensitive information or compromise entire systems
  • Improving the overall security posture, reducing your overall threat landscape
  • Many regulatory bodies require Penetration testing

Social Engineering

Social engineering is used to assess the human element in your company’s infrastructure. This can range from physical intrusion to phishing campaigns and is often used to test how well awareness training is received by employees. The human element is often, and incorrectly, overlooked as this is where the majority of successful attacks take place. According to U.S. Chamber of Commerce’s Cybersecurity Summit – Sophisticated emails facilitate 90% of successful cyber attacks.

What are the benefits of Social Engineering?

  • Testing the effectiveness of your awareness training
  • Ensuring that any vulnerabilities in your human infrastructure are resolved

Video/Audio Transcript