As computer networks become more complex, they become more vulnerable to attackers. The weak points can take the form of hardware flaws, operating system and application bugs, misconfigured software, and users who don't follow security policy. One of the best ways to uncover them is to have someone try to break in under controlled conditions.
What is Penetration Testing?
It is essentially legal hacking: an authorized, scoped attack carried out to test the target organization's defenses. The organization either has its own IT or security staff try to break in, or hires an outside security firm that specializes in this kind of work. The attacker may be one person or an entire team; for ease of reading, this article refers to them as a single individual.
The main goal of the test is to find out whether an attacker can get in and, if so, how far into the systems they can reach. The testing itself is done manually, with automated tools, or most often a combination of both. Penetration tests generally fall into several categories, depending on the conditions under which the test is performed.
Types of Penetration Testing
White box testing gives the tester full information about the internal details of the network: architecture diagrams, configurations, and sometimes source code and credentials. The goal is to give them as much knowledge as possible so they can focus the test on the network's known strengths and weaknesses. This approach reduces testing time and gives deeper, more comprehensive coverage. The drawback is that it does not mimic the lack of information a real outside attacker would have.
Black box testing is the closest to a typical outside attack. The tester receives no information about the network and must map it out and gain access on their own. The drawbacks are that testing time is less predictable, and some parts of the network may never be reached and so never get thoroughly tested.
Gray box testing falls between these two extremes: the tester gets limited information, such as what they might obtain by compromising an ordinary user's account, for example a set of user credentials or a basic network diagram.
Penetration tests can also be run as announced or unannounced exercises, depending on whether the organization's own defenders know the attack is coming and are allowed to take steps to detect and stop the intrusion.
Once the test is complete, the tester compiles a full report covering the steps they took, the vulnerabilities they found, and how serious each one is. The organization can then assess these findings and prioritize getting them fixed.
Is Penetration Testing for Me?
If your business network is connected to the Internet, odds are that attackers have at the very least probed it. Automated scanners continuously sweep the Internet for hosts with known weaknesses, and some company servers log thousands of such probes an hour.
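One way to check that claim against your own servers is to look at the web server access log for the paths that opportunistic scanners request on every host they find (WordPress login pages, dotfiles, admin panels, directory traversal). The following is an added example, not code from the original article; it assumes the common Apache/nginx "combined" log format, and the log lines and the list of probe paths below are constructed for illustration rather than taken from a real server.

```python
"""Count scanner-style probes in a web server access log.

Added example (not from the original article). Assumes the Apache/nginx
"combined" log format. SAMPLE_LOG and PROBE_PATTERNS are constructed for
illustration; the pattern list is a starting point, not a full signature set.
"""
import re
from collections import Counter
from datetime import datetime

# Fields of a "combined" format line we care about: client IP, timestamp,
# request method, request path and response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Paths that automated scanners try against any host (constructed list).
PROBE_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"^/wp-login\.php", r"^/xmlrpc\.php", r"^/\.env$", r"^/\.git/",
        r"^/phpmyadmin", r"^/admin/?$", r"^/cgi-bin/", r"\.\./",
    )
]

# Constructed sample log: two legitimate requests, five scanner probes from
# two source addresses, and one malformed line the parser must skip.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
198.51.100.23 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 404 153
198.51.100.23 - - [10/Oct/2023:13:55:41 +0000] "GET /.env HTTP/1.1" 404 153
198.51.100.23 - - [10/Oct/2023:13:55:41 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153
192.0.2.55 - - [10/Oct/2023:14:02:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 153
192.0.2.55 - - [10/Oct/2023:14:02:04 +0000] "GET /static/../../etc/passwd HTTP/1.1" 400 0
203.0.113.7 - - [10/Oct/2023:14:10:12 +0000] "GET /about.html HTTP/1.1" 200 1024
this line is garbage and will be skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_probe(path):
    """True if the requested path matches a known scanner pattern."""
    return any(p.search(path) for p in PROBE_PATTERNS)


def summarize(log_text):
    """Return (probes per source IP, probes per hour, number of skipped lines).

    Unparseable lines are counted rather than silently dropped, so a log in an
    unexpected format shows up as a large skip count instead of a quiet zero.
    """
    per_ip, per_hour, skipped = Counter(), Counter(), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if is_probe(rec["path"]):
            per_ip[rec["ip"]] += 1
            per_hour[rec["ts"].strftime("%Y-%m-%d %H:00")] += 1
    return per_ip, per_hour, skipped


if __name__ == "__main__":
    ips, hours, bad = summarize(SAMPLE_LOG)
    print("probes per source IP:", dict(ips))
    print("probes per hour:", dict(hours))
    print("skipped lines:", bad)
```

Run against a real access log by passing the file contents to `summarize()`. A 404 or 400 for a path like `/.env` is not a compromise, but a steady stream of them from many addresses is exactly the background scanning the paragraph above describes, and the per-hour count tells you how much of it your servers actually see.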
Some industries are subject to regulations that require penetration testing on a regular schedule. Others do it sporadically, when a customer or auditor asks for it. The most unfortunate ones do it only after they have been attacked, had their systems compromised and are facing a PR nightmare. You don't want your business in the last group.