A pen testing, colloquially called a black hat technique, ethical hacking or pentest, is an unauthorized simulated cyber attack on a specific computer network, carried out to evaluate the level of security of that system. Not to be mistaken with a vulnerability scan. The purpose of this type of testing is to find out the presence and/or severity of a security vulnerability (usually of some type) in a computer program without actually making use of that program.

Penetration testing is sometimes also referred to as modem testing or faxing over a network. These tests simulate network attacks, typically for the purpose of assessing the security measures adopted by a network administrator. The objectives of such tests are usually to discover whether an intrusion detection system (IDS) process is working correctly. Of course, no self-respecting hacker would ever submit to such a test!

Pen Testing is typically conducted for a variety of reasons. One could be to gain insight into the way a particular company’s network is configured and operated, or a security weakness to allow an authorized user to gain access to sensitive information. Sometimespen testing is used to find security weaknesses in organizations’ ID management processes. Sometimes pen testing is utilized to determine the presence of security weaknesses in an unpatched application, so that organizations can patch them before they become exploited.

Pen Testing

The goal of penetration testing is not to compromise any data on the targeted organization’s system. Pen testers must demonstrate that the vulnerability is not present or not expected to be discovered until after an attacker has used the attack to achieve successful results. The purpose of penetration testing is to provide IT professionals with critical insight into a previously protected system’s operations. Only when this information is acquired can an administrator make the appropriate adjustments to the system to stop the attack and prevent further damage. Pen testers are usually only given permission by the organization to perform penetration testing. Once a vulnerability is found, the tester is responsible for reporting the discovery, identifying the actual vulnerability, and crafting a patch to address the flaw.

Many organizations choose penetration testing over more traditional vulnerability scanning or vulnerability management because penetration testing identifies vulnerabilities that an administrator might never see. By focusing their resources on typically unknown threats, IT professionals can detect and fix vulnerabilities before they are exploited. A skilled pen tester can also determine if a vulnerability is of interest to the organization and what action should be taken to resolve it. A well executed penetration test can reduce the time it takes IT staff to detect and resolve a vulnerability and significantly increase the organization’s downtime. A pen-testing team will typically include a scanning tool that not only detects vulnerabilities but also differentiates them based on their level of risk, and performs a free vulnerability assessment to help determine how to prioritize the remediation effort.

Penetration testing is divided into two categories: “white-box” and black-box. “White-box” testing is standard on many software development environments (please consult your directory). Black-box testing, on the other hand, is not common and frequently reserved for computer and networking companies. In a black box test, a trained hacker independently penetrates the system and creates data packets to determine the open, hidden, and working vulnerabilities. Once data packets have been created, the penetration tester then searches the Internet for any vulnerability that matches the original vulnerability description. The primary goal of a “black box” scan is to search for vulnerabilities that can cause immediate damage; however, the scan may also verify a suspicion that is not based on solid evidence.

Tags: pen testing, flaw hypothesis methodology, kali, web application, services