What is Penetration Testing?
A penetration test, colloquially known as a pen test, pentest or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system. It is not to be confused with a vulnerability assessment. The test is performed to identify both weaknesses (also referred to as vulnerabilities), including the potential for unauthorized parties to gain access to the system’s features and data, and strengths, enabling a full risk assessment to be completed.
The process typically identifies the target systems and a particular goal, then reviews available information and undertakes various means to attain that goal. A penetration test target may be a white box (which provides background and system information) or a black box (which provides only basic or no information except the company name). A grey box penetration test is a combination of the two (where limited knowledge of the target is shared with the auditor). A penetration test can help determine whether a system is vulnerable to attack, whether the defences were sufficient, and which defences (if any) the test defeated.
Security issues that the penetration test uncovers should be reported to the system owner. Penetration test reports may also assess potential impacts to the organization and suggest countermeasures to reduce risk.
The National Cyber Security Centre describes penetration testing as follows: “A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.”
The goals of a penetration test vary depending on the type of approved activity for any given engagement. The primary goal is to find vulnerabilities that could be exploited by a nefarious actor and to inform the client of those vulnerabilities along with recommended mitigation strategies.
Penetration tests are a component of a full security audit. For example, the Payment Card Industry Data Security Standard requires penetration testing on a regular schedule, and after system changes.
Several standard frameworks and methodologies exist for conducting penetration tests. These include the Open Source Security Testing Methodology Manual (OSSTMM), the Penetration Testing Execution Standard (PTES), the NIST Special Publication 800-115, the Information System Security Assessment Framework (ISSAF) and the OWASP Testing Guide.
What We Do
We identify security vulnerabilities before attackers do. We prioritise remediation by understanding how your applications, systems and people respond to real world attack scenarios. Wherever your data assets are, they need constant protection from an ever-changing threat landscape.
We apply proven, consistent methods that build on industry standards such as the Open Source Security Testing Methodology Manual (OSSTMM) and the Open Web Application Security Project (OWASP).
All our testing services are available as a one-off engagement, or as an ongoing managed testing contract for continued assurance.
Different types of penetration testing
Don’t know where to start?
Start with an email: drop us a line and we will contact you to discuss your investigation.
How to contact us
Email: info@digital-forensics.co.uk
Tel: +44(0)1634 672677