According to Kevin M. Henry, author of the ITGP bestseller Penetration Testing – Protecting Networks and Systems, penetration testing is “the simulation of an attack on a system, network, piece of equipment or other facility, with the objective of proving how vulnerable that system or target would be to a real attack.”
Penetration testing is a carefully planned process that doesn’t begin with the attack: there is a lot of studying of the target, its strengths and weaknesses, as well as a good knowledge of tools and techniques used to break into the target’s system. Ethical hackers are trained to think like their more dangerous cousins, the black-hat hackers – the only difference is that their purpose is to find vulnerabilities to get them patched before their less ethical cousins find and exploit them.
As the author highlights in his book, the penetration testing process is composed of four steps:
First things first: study the target. Ethical hackers carefully analyse the organisation, its strengths and weaknesses, its responsiveness to the unexpected, and collect all the information they need to determine and develop the attack. They gather information directly from the company itself as well as from public sources.
Secondly, ethical hackers begin scanning the website or system for vulnerabilities and weaknesses they can later exploit for the targeted attack.
At this point, they are ready to develop the strategy for the attack. Thanks to the information they’ve gathered so far, they can decide which tools and techniques to use to best hit the system. Social engineering attacks, SQL injections, malware – they have a wide range to choose from.
The final phase is the attack itself. Using the tools or techniques identified in the previous step, they exploit the vulnerability to break into the organisation. Mission accomplished.
Once the test is completed, ethical hackers usually provide the organisation with a detailed report of the vulnerabilities found, the description of the attack they performed and recommended actions to make the organisation more secure.
Deal with the best – IT Governance’s certified ethical hackers
IT Governance is a CREST-accredited company, which means that it has been verified as meeting the rigorous standards mandated by CREST. All of our penetration testing services, performed by qualified ethical hackers, combine a series of manual assessments with automated scans to provide a good overview of an organisation’s security posture.