A PEN or Penetration test is an ethical hack designed to check any vulnerabilities within your systems that a cyber criminal could exploit. There are 5 stages in an effective PEN test, these are:
- Planning- The first stage defines the scope and goals of the test as well as gathering intel on systems already in place to find possible weaknesses before the test begins.
- Scanning- This involves inspecting the code of systems to guess how the targeted applications will respond to the attack.
- Gaining Access- Using web applications such as Cross-site scripting, SQL Injection and Backdoors to uncover vulnerabilities and exploit them to gain system access.
- Maintaining Access- This step shows if the vulnerability can be used to gain in persistence presence in the exploited systems to gain in depth access to data.
- Analysis- Results of the test are shared with the company detailing specific vulnerabilities, the data accessed, time the tests was able to stay in the system to help plan security updates in order to be better prepared for a cyber attack.
Although the steps taken in penetration testing is the same every time there are multiple different methods to show vulnerabilities across multiple applications including:
- External Attack- This involves attacking the visible company assets online such as web applications, company websites, emails and domain name servers.
- Internal Attack- An internal test simulates a attack from a malicious insider with access behind the firewall, this doesn't necessarily mean a rouge employee, the most common scenario is a phishing attack stealing an employees credentials.
- Blind Attack- In a blind test the tester is only given the company name which gives a real-time look into how an actual cyber attack would take place.
- Double-Blind Attack- As well as the tester knowing nothing but the company name, the security personnel of the company have no prior knowledge of the test meaning they have no time to set up additional defences.
- Targeted Attack- With a targeted attack both the tester and the security personnel work together providing the security team with real-time feedback.
Why is PEN testing vital to any business?
One major advantage of a penetration test is it ensures that compliances that your business must be following are met for example if your business take card payments you must follow PCI-DSS regulations, a pen test will show if these regulations are being achieved. It also gives a better insight into how long it would take for a hacker to gain access to your systems and how long they can stay inside undetected. If your company is planning on putting new tech in place or configuring systems a PEN test is a great way to test whether the systems have been set up correctly with limited vulnerabilities. It is also a great way to provide security training for network staff.
How often should you be performing PEN tests?
Like all IT security precautions, penetration testing is something that needs to be conducted on a regular basis. Pen testing should be performed at least once a year to ensure your business is always protected. If your organisation is setting up new locations or networks a PEN test will show if these have been set up correctly and have security measures in place, this is the same when adding network infrastructure or applications. Another good time to implement penetration tests is when security patches have been installed to test the effectiveness of the patch.
For more information on Penetration testing and how it can help your business or to book in your test today call us on 01642 248 750 and take your cyber security to the next level.