Your Penetration Testing, Ethical Hacking and Vulnerability Assessment Questions answered.
Updated: Jan 10
In this blog we will answer some of the most common questions that you may have surrounding Penetration Testing, Ethical Hacking and Vulnerability Assessment. This should provide insight and help dispel some of the myths and misconceptions surrounding these cyber security services.
What is Penetration Testing?
Penetration testing or ‘pen testing’ is a simulated cyber attack that is performed against an organisation’s IT network, web applications or other technology systems by an individual, or team of security specialists, whose ‘pen test’ engagement is authorised by the organisation and designed to validate the security of the target.
Any detected cyber security issues are further researched to prove whether their exploitation could result in an undesirable or unintended information security outcome for the organisation – such as a malicious or bad actors’ inappropriate access to sensitive data within the vulnerable technology system.
Is Penetration Testing ‘Hacking’?
Yes, but ‘hacking’ or ‘hacker’ shouldn’t be thought of as a negative term.
‘Hackers’ are a positive force that drives technology change, progress and innovation – we at CovertSwarm prefer ‘ethical hackers’ as a positive term, with ‘bad’ or ‘threat actor’ being the names that the cyber industry tends to use to describe those intent on compromising online platforms, services and their hosting organisations.
What is an ‘Ethical Hacker’?
We most commonly see the impact of cyber-vulnerable technology systems being exploited through the increasingly common press reports of ‘cyber breaches’, ‘digital defacement’ or ‘cyber attack.’
Ethical hackers are known, trusted and employed by businesses to approach their ‘hacking’ into a target organisation by using an array of cyber techniques to produce a testing methodology that is tailored to the organisation’s systems being pen tested. An ethical hacker’s objective is always to improve the cyber security of the target organisation through their skilled research and attack simulations.
Penetration Testing vs. Ethical Hacking
Penetration Testing and Ethical Hacking are inextricably linked: Ethical Hacking is the methodology used by the individuals who perform Penetration Tests.
Penetration Testing vs. Vulnerability Assessment
A penetration test should not be confused with a ‘Vulnerability Assessment’: these assessments take the form of a machine-led process that utilises software-automated scanning tools. A pen test uses human insight and skill to penetrate the target, whereas a vulnerability assessment can be less effective at bringing together a blend of approaches to identify and prove that a breach is possible. It is worth noting that common security frameworks – such as PCI-DSS – mandate that both pen tests AND vulnerability assessments be performed periodically by businesses within certain industries.
What tools are used in a Penetration Test?
The tools used to perform a pen test are often similar to those used by genuine ‘bad actors’. As a result, for organisations that engage with ethical hackers to perform pen tests, their ‘real world’ approach returns genuine value in the form of gained assurance as to the health of the cyber security of the organisation’s tested systems.
Some common Penetration Testing tools include:
· NMAP (https://nmap.org) is a network discovery and security auditing tool.
· Metasploit (https://www.metasploit.com) is a framework for exploitation and penetration testing.
· John The Ripper (https://www.openwall.com/john/) is a password cracking tool.
· Burp Suite (https://portswigger.net/burp) is a web application testing tool and framework.
· Kali Linux (https://www.kali.org) is a Linux distribution filled with some of the most common testing tools and is a great starting point to learn.
What should a Penetration Test cover?
The coverage of a pen test is defined as a ‘Scope’: this details the systems to be tested, and the time (usually a small number of days) that should be allocated to testing each asset within the scope. A scope is agreed between the organisation’s CSO, CISO or CTO and the pen test vendor in advance of them engaging their ethical hackers.
Example scopes (usually identified via IP addresses, hostnames or URLs) can include a list of:
· Web Applications (WebApps)
· Application Programming Interfaces (APIs)
· External/internal/wireless networks
· Physical locations
For physical sites (offices, factories etc.) these are normally tested using Social Engineering techniques such as an ethical hacker impersonating a delivery person or member of staff in order to gain unauthorised access to these protected facilities.
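Because a scope lists assets as IP ranges, hostnames or URLs with an agreed time allocation, a testing team needs a way to confirm that a given target is actually covered before touching it. The following is an added example, not code from this post or from CovertSwarm: it checks a candidate target against a constructed sample scope (hypothetical addresses and names) and returns the authorising entry, or None if the target is out of scope.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse


@dataclass
class ScopeEntry:
    target: str   # CIDR, single IP, hostname, or URL prefix as agreed in the scope
    days: float   # testing time allocated to this asset


# Constructed sample scope: hypothetical values, not from any real engagement.
SAMPLE_SCOPE = [
    ScopeEntry("203.0.113.0/24", 2),
    ScopeEntry("app.example.com", 3),
    ScopeEntry("https://api.example.com/v1/", 1.5),
]


def _host_of(value: str) -> str:
    """Hostname or IPv4 portion of a URL, 'host:port' or bare host string."""
    if "://" in value:
        return urlparse(value).hostname or ""
    return value.split("/")[0].split(":")[0]   # bare IPv6 literals not handled


def find_scope_entry(candidate: str, scope: List[ScopeEntry]) -> Optional[ScopeEntry]:
    """Return the scope entry that authorises testing `candidate`, else None."""
    host = _host_of(candidate).lower()
    for entry in scope:
        # URL scope: candidate must be a URL under the agreed path prefix.
        if "://" in entry.target:
            if candidate.lower().startswith(entry.target.lower()):
                return entry
            continue
        # Network scope: candidate must resolve to an address inside the CIDR.
        try:
            net = ipaddress.ip_network(entry.target, strict=False)
        except ValueError:
            net = None
        if net is not None:
            try:
                if ipaddress.ip_address(host) in net:
                    return entry
            except ValueError:
                pass   # candidate is a hostname, not an address
            continue
        # Hostname scope: exact match only; subdomains are not implied in scope.
        if host == entry.target.lower():
            return entry
    return None
```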
What forms do Penetration Tests take?
Pen testing can take one of three forms:
1. ‘Open Book’ or ‘Open Box’ testing – where the ethical hackers are provided with full access to the organisation’s software code, technology or product design documents, existing threat models and/or user credentials.
2. ‘Closed Book’ or ‘Closed Box’ testing – where the organisation only discloses the target for testing and asks that the pen test vendor proceeds with limited or no prior information.
3. ‘Half-Open Book’ or ‘Half-Open Box’ testing – which is a balanced approach between the ‘Open’ and ‘Closed’ methods, where some, but not all, information is provided to the testers.
‘Open Book’ testing tends to provide the most depth and value, whereas ‘Closed Book’ testing is typically the least effective approach but can more closely simulate a genuine adversary's methods of attempting to breach an organisation.
What output should I expect to receive from a Penetration Test?
The output an organisation receives from a penetration test normally takes the form of a PDF or Excel document. Some vendors will provide access to their testing results via bespoke, online platforms or portals that provide the added benefit of allowing for a greater degree of interaction with a specific test’s results, as well as analysis of findings that span across multiple testing projects.
Why do I need a Penetration Test?
The need to employ a pen test is often driven by a compliance requirement (such as PCI-DSS) or by a third-party vendor assurance programme employed by a supply-chain partner or client who requires one to ensure that their commercial partner’s security health is adequate. However, as the commercial risk and impact that can result from online cyber attacks continues to heighten, it is increasingly common for organisations to perform pen testing voluntarily in order to gain a ‘snapshot’ view of their cyber security health.
Whilst this is a positive move for an organisation to gain insights into its cyber security health, it is worth noting that traditional penetration testing is point-in-time and time-limited. These factors, combined with a limited scope and an ever-changing technology estate within an organisation, can lead to a false sense of cyber security for organisations that do not consider the undetected cyber risk gap that exists outside the scope of testing, or between ad-hoc cyber security approaches such as traditional pen testing.
Penetration testing is an essential part of a blended approach to creating defence in depth for any organisation that is serious about its cyber strategy. Pen tests do not offer a ‘silver bullet’ solution but do provide a positive step towards heightened cyber security.
Is there a more modern approach to Penetration Testing?
A modern penetration testing approach – one that is continuous and deeply aligned to the technology stack within an organisation – is something that CovertSwarm delivers as part of its unique, offensive Constant Cyber Attack service. We reproduce the 24/7 offensives that real-world bad actors employ, and through our modern and highly specialised approach we elevate the cyber value that can be unlocked for our clients who have upgraded to use our holistic, continuous security service.
Have more questions?
Speak to us today and we will happily answer any additional questions you have, whilst also providing you some deeper insight into CovertSwarm’s Constant Cyber Attack service.