What Is a Penetration Test?
Penetration Test definition:
Penetration testing is a technique used to identify security vulnerabilities within a system, network or application that could be exploited by attackers. Penetration testing may be conducted by manual testers who employ a variety of techniques and strategies or via penetration-testing tools and advanced, automated breach and attack simulations.
To protect an environment from determined attackers, computer security professionals need to understand the strengths and weaknesses of their existing security controls and environment. Penetration testing is a technique that helps organizations gauge the strength of their current defenses by engaging in a simulated attack under controlled conditions.
Manual tests involve a penetration-testing team, sometimes also known as “ethical hackers” or a “red team.” These teams comprise skilled security personnel who then attempt to penetrate a network, system or application by launching various attacks. Prior to launching attacks, red teams will evaluate the target and identify possible weaknesses or entry points. These vulnerabilities may be digital or located in the “real world” — lax security surrounding a facility may be exploited, for example.
During red team penetration testing, a blue team will typically be engaged to defend the security environment from these attacks. Blue teams will assess the existing state of security readiness, then attempt to deter red team attacks. Both teams ultimately work together to uncover the true state of organizational security and issue reports detailing what the penetration test uncovered.
These recommendations are generally compiled in report form and presented to IT and system managers, who use the information to make strategic decisions as to how to prioritize any remediation steps that may be necessary. As the results of a penetration test filter throughout an organization, adaptions can be made to prevent the same vulnerabilities or problems from arising again.
Penetration-testing teams may pursue any number of different test strategies. These include tests that target external servers or devices, tests that imitate an attack behind a firewall by an authorized user (the “disgruntled employee” scenario), so-called “blind” tests that limit the amount of information the testing team is provided, or targeted test strategies in which all parties work together with maximum visibility during the test period.
In addition to identifying security vulnerabilities, penetration testing can be used to evaluate compliance adherence, organizational security policies, employee security awareness, or an organization’s ability to quickly and effectively respond to identified vulnerabilities or problems.
Automated Penetration Testing Tools
While manual red and blue team testing is effective, it also has drawbacks: It’s highly manual, dependent on human skill and resource-intensive. This means that manual penetration tests are not run with great frequency — weeks or months typically pass between red team/blue team exercises. Some organizations may only run them annually or when major changes occur (such as the addition of new infrastructure or substantial upgrades or modifications). This means that organizations lack full-time visibility into the state of organizational defenses.
To help solve this problem, a penetration-testing tool is needed. Many of these software solutions are the same methods that black hat hackers wield: password crackers, network sniffers or protocol analyzers, etc. Additionally, many organizations are deploying newer tools that follow standard penetration test methodology, but they apply them in an automated and continuous fashion. One such example comes in the form of breach and attack simulation platforms. These solutions launch red team-style attacks on a 24/7 basis to identify vulnerabilities, then provide prioritized remediation recommendations when vulnerabilities are uncovered.
Because of their automated nature, these simulated attacks can protect a security environment on a continuous basis, preventing knowledge gaps from forming during the downtime between manual penetration tests.