Any business that uses computers—which, in this day and age, means virtually any business—needs to have a robust security system in place to prevent malware and malcontents from doing any damage to them, or worse, to their customers. But not every security solution is a program or a piece of network architecture. Companies and industries have security policies of best practice so that the human element of safeguarding data is not ignored. Part of this is regular pen testing.
What is Pen Testing?
Pen testing, or penetration testing, to give it its full title, is where an organization hires experts to attempt to gain access to their systems without permission. In so doing, the experts can identify any flaws in the existing security measures, and offer tailored solutions that can be implemented to prevent any real cybercriminals from exploiting them. There are two kinds, detailed below.
Internal Penetration Testing
The purpose of these tests is to determine how much access someone has to a system if they do not have any special permissions on the system, but do have access to the organization’s physical premises. This can protect you from practices like industrial espionage, where rivals might try to access your system with an agent on the inside.
The tester or testers will begin the test without any system credentials and then take whatever steps they can in the physical environment to acquire them and grant themselves high-level access to the system sufficient to access sensitive files such as a company’s financials, R&D documentation, or customer payment card information.
External Penetration Testing
These tests exist to model the kind of thing you’d usually imagine when you picture a cyber attack. That means that testers will attempt to access sensitive data remotely, using the standard, limited access you would expect any bystander to have to an organization’s internet environment, i.e.: their website or sites.
This puts a system’s measures against intrusions, such as firewalls and Intrusion Detection Systems, through their paces and explores how one system interacts with others.
There are other distinctions among pen tests, such as between black, grey, and white box testing, which are names for the different levels of information about the target’s infrastructure the tester may begin with and will affect the tactics they employ.