What is penetration testing?

Penetration testing is an authorized, simulated cyberattack on a computer system, performed to evaluate the security of that system. It verifies the extent to which a system, device or process resists active attempts to compromise its security.

Before delving deeper into the definition, let’s borrow an example from a parallel world. One of the common practices in the military is called a military exercise or war games. A military exercise or war game is the employment of military resources in training for military operations. It serves the purpose of ensuring the combat readiness of the deployable forces prior to deployment from a home base. It focuses on the simulation of real, full-scale military operations in controlled hostile conditions in attempts to reproduce war time decisions and activities for training purposes or to analyze the outcome of possible war time decisions.

Like a war game, one of the core properties of penetration testing is simulation. The core purpose of penetration testing is to generate knowledge. What kind of knowledge does a penetration test generate? It generates information about the weak links in an organization’s cyber security defenses.

Think of penetration testing as a cyber attack simulation by a trusted security expert with the intention to discover weak areas in the system.

The results of penetration testing give an indication of the robustness of the system. They help to anticipate the holes in the system that an intruder with malicious intent could look to exploit.

To summarize, the following properties define a penetration test:

  1. Authorization: It is an authorized cyberattack.
  2. Trusted insider: The test is carried out by a trusted expert from within the organization.
  3. Simulation: It is an act of imitation of a potential exploitation of security loopholes.
  4. Evaluation: The exercise evaluates overall security of the system.

Colloquially, penetration testing is also known as a pen test or ethical hacking.

Properties of penetration testing

What is the primary purpose of penetration testing?

Penetration tests play an important role in strengthening an organization’s cyber resilience.

What really is cyber resilience?

The abstract notion of resilience relates to one of the best qualities we associate with members of the human species: our ability to succeed in the face of adversity. But how exactly does it apply to cybersecurity?

The backdrop for thinking about cyber-resilience is this: our enterprise networks contain large amounts of insecure software (and hardware) and lots of imperfect human beings, entities that fail at a fairly high frequency from a security standpoint. The enterprise attack surface is vast, constantly growing and poorly understood, and the threat landscape is constantly evolving. The objective of security teams is to implement mitigations that give us a cyber-resilient enterprise on top of insecure components. In summary, cyber-resilience is the ability of an enterprise to limit the impact of security incidents.

And how do penetration tests help in building an organization’s cyber resilience?

Penetration testing can be seen as a useful periodic add-on that tests for weaknesses using the same techniques typically leveraged by attackers. It can involve the complex simulation of cyber attacks across an organization’s threat surface, e.g. attempting to breach different application systems (via the frontend, or via the APIs) to detect security flaws. By surfacing previously unknown vulnerabilities, it gives the organization an opportunity to patch the vulnerable software and to fix any misconfigurations.

Repeated pen tests should be planned only after you have done the basics. The basics of the vulnerability management process include the following stages:

Discovery: Comprehensive and accurate asset inventory is a core capability that is required to discover all potential vulnerabilities.

Prioritization: With hundreds or thousands of vulnerabilities, it’s important to effectively prioritize remediation to ensure your security team isn’t racing to address issues that pose little or no real risk to your business-critical assets.

Response: After you’ve identified the vulnerabilities that exist across your systems, it’s important to evaluate the risks they pose and determine how to effectively manage them.

In the absence of a basic vulnerability management process, the output of the pen test will just tell you something not quite favorable: your enterprise is wide open.
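To make the three stages concrete, here is an added example (not code from the original page) that runs the Discovery, Prioritization and Response stages over a constructed asset inventory and constructed scanner output. The scanner record format, the 1 to 5 criticality scale, the weighting factors, the remediation windows and the placeholder CVE ids are all assumptions made for the illustration. It shows the point the Prioritization paragraph makes: ranked by CVSS alone, the 9.1 on the intranet wiki would be fixed before the 6.5 on the internet-facing web server, but weighting by asset criticality, exposure and known exploitation reverses that order, and a host the inventory does not know about is flagged as a Discovery gap.

```python
"""Risk-based vulnerability triage over a constructed asset inventory.

Added illustration, not code from the original page. It assumes a scanner
that reports each finding as a dict with the host, an advisory id, a CVSS
base score, whether the host is internet-exposed and whether the issue is
known to be exploited. The weights and thresholds below are assumed values
for the example, not an industry standard."""

# Discovery stage: the asset inventory. Criticality is an assumed 1..5 scale.
INVENTORY = {
    "10.0.1.10": {"name": "payments-db", "criticality": 5},
    "10.0.1.20": {"name": "intranet-wiki", "criticality": 2},
    "10.0.2.5": {"name": "public-web", "criticality": 4},
}

# Constructed scanner output. The CVE ids are placeholders, not real advisories.
FINDINGS = [
    {"host": "10.0.1.10", "cve": "CVE-0000-0001", "cvss": 9.8, "exposed": False, "exploited": True},
    {"host": "10.0.1.20", "cve": "CVE-0000-0002", "cvss": 9.1, "exposed": False, "exploited": False},
    {"host": "10.0.2.5", "cve": "CVE-0000-0003", "cvss": 6.5, "exposed": True, "exploited": True},
    {"host": "10.0.3.99", "cve": "CVE-0000-0004", "cvss": 7.5, "exposed": True, "exploited": False},
]

UNKNOWN_ASSET_CRITICALITY = 3  # assumed medium until the host is inventoried


def unknown_assets(findings, inventory):
    """Discovery gap: hosts the scanner reached that the inventory does not list."""
    return sorted({f["host"] for f in findings if f["host"] not in inventory})


def risk_score(finding, inventory):
    """CVSS weighted by asset criticality, exposure and known exploitation.

    A CVSS-only ranking would put the 9.1 on the intranet wiki ahead of the
    6.5 on the public web server; weighting by business context reverses that.
    """
    asset = inventory.get(finding["host"])
    criticality = asset["criticality"] if asset else UNKNOWN_ASSET_CRITICALITY
    score = finding["cvss"] * criticality
    if finding["exposed"]:
        score *= 1.5  # assumed weight for internet-facing hosts
    if finding["exploited"]:
        score *= 2.0  # assumed weight for issues known to be exploited
    return score


def response_bucket(score):
    """Response stage: map a score to a remediation window (assumed thresholds)."""
    if score >= 60:
        return "remediate within 7 days"
    if score >= 30:
        return "remediate within 30 days"
    return "next patch cycle"


def triage(findings, inventory):
    """Prioritization stage: findings ordered by risk, each with score and action."""
    ranked = sorted(findings, key=lambda f: risk_score(f, inventory), reverse=True)
    rows = []
    for f in ranked:
        score = risk_score(f, inventory)
        asset = inventory.get(f["host"], {}).get("name", "UNKNOWN (not in inventory)")
        rows.append({"cve": f["cve"], "host": f["host"], "asset": asset,
                     "score": score, "action": response_bucket(score)})
    return rows


if __name__ == "__main__":
    print("Hosts missing from inventory:", unknown_assets(FINDINGS, INVENTORY))
    for row in triage(FINDINGS, INVENTORY):
        print(f"{row['score']:6.1f}  {row['cve']}  {row['asset']:<28} {row['action']}")
```

The unknown host 10.0.3.99 is scored with an assumed medium criticality so that it is not silently dropped; in practice the right response is to add it to the inventory first, which is exactly why the page puts Discovery before Prioritization.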

Due to the common perception that pen tests will disrupt the business, and because of the underlying cost considerations, pen tests are often limited in scope.

Benefits of penetration testing

Penetration test phases:

  1. Before attack
    1. Reconnaissance: The act of gathering important information on a target system. This information can be used to better attack the target. This phase helps set the goals for the attack simulation.
  2. During attack
    1. Scanning: Uses tools to further the attacker’s knowledge of the system. This phase helps the attacker identify vulnerable parts of the system.
    2. Gaining access: Using the data gathered in the reconnaissance and scanning phases, the attacker can gain access and exploit the targeted system.
  3. After the attack
    1. Maintaining access: Maintaining access requires taking the steps involved in being able to be persistently within the target environment in order to gather as much data and cause as much damage as possible.
    2. Covering tracks: In the phase, the attacker clears any trace of compromising the victim system, any type of data gathered, log events, in order to remain anonymous.
    3. Preparing reports: The attacker leverages the vulnerability knowledge created in the previous steps to prepare recommendations on upgrading the defense mechanisms.

Penetration testing phases

Key quotes on penetration testing:

  1. “A good test case is a test case that has a high probability of detecting an undiscovered error, not a test case that shows that the program works correctly.” – Glenford Myers
  2. “Pen testing is an art and a science that must not only seek our weakness within a system, but must help to understand the sinister nature of hackers who, for example, see a SQL opportunity where the rest of us merely see a contact us form.” – Steve Prentice

Frequently Asked Questions

What is the difference between red teaming, blue teaming, purple teaming?

Cyber security is a team sport.
Red team vs. blue team exercises are an innovative security strategy that simulates real-life cyberattacks in order to locate weaknesses, improve information security, and maximize the effectiveness of defenses. This adversarial team effort provides a realistic assessment of the organization’s security posture by leveraging the expertise of specialized teams with specific goals, heightened risk awareness, sharpened skills, and a continuous improvement mindset.

Red teams are experts at attacking systems and breaking into defenses. Red teams are responsible for testing the effectiveness of security programs by emulating the tools and techniques of likely hackers. They represent offensive security professionals.

Blue teams are experts at maintaining internal network defenses against all cyber-attacks and threats. Blue teams are responsible for defending against both real attackers and red teams as they maintain a constant vigilance against attacks. They represent defensive security professionals.

Purple teams bring both red and blue teams together. They ensure that red and blue teams are sharing insights and creating a strong feedback loop that drives continuous improvement. They integrate defensive tactics and controls from the blue team with threats and vulnerabilities found by the red team into a single narrative that maximizes the overall effectiveness of both.

In an ideal world, purple isn’t a separate team at all, but rather a permanent dynamic between red and blue teams within the organization.


What are the key differences between vulnerability scanning and penetration testing?

Vulnerability scanning is often confused with penetration testing. In reality, these two techniques are quite different, and both are important for understanding and mitigating cyber risk and maintaining a strong security posture. Both are also often called out as requirements in major industry and regulatory frameworks, including PCI, HIPAA, ISO 27001, and more.

Let’s look at a few of the differences:

  • The scope of a vulnerability scan is typically all assets in an organization whereas a penetration test is very targeted, covering critical assets only.
  • Penetration testing requires highly skilled security analysts, whereas vulnerability scanning can typically be conducted by analysts trained in the use of the tool and in basic networking and security concepts.
  • Both vulnerability scans and penetration tests are known to be intrusive and can cause outages and other issues on corporate networks.
  • Vulnerability scans have a low unit cost and can be conducted quite often, whereas penetration tests are costly and are typically conducted once per year, depending on the organization.

What is the difference between a penetration test and breach attack simulation (BAS)?

Gartner’s Anton Chuvakin describes the difference in his blog as follows:

“Penetration testing helps answer the question “can they get in?”; BAS tools answer the question “does my security work?””

In essence, a BAS’s main goal is to simulate security breaches on your internal network in order to assess how well your operational security controls are working. Breach attack simulation is typically automated and done via tools.

Penetration testing’s goal is to see your company from the perspective of an attacker so that you may prevent their attacks before they happen. It simulates attempts to circumvent security measures in order to find problems with cyber security.

Clearly, then, there are subtle differences between a pen test and BAS. Before we even begin investing in either, we must get the basics right (asset discovery, risk-based vulnerability management, essential security controls).