What is penetration testing? | Process & methods
Penetration testing definition
Penetration testing (also known as pen testing or ethical hacking) is a systematic process of probing for vulnerabilities in your networks and applications.
It is essentially a controlled form of hacking — the ‘attackers’ act on your behalf to find and test weaknesses that criminals could exploit, such as:
- Inadequate or improper configuration.
- Known and unknown hardware or software flaws.
- Operational weaknesses in processes or technical countermeasures.
Experienced penetration testers mimic the techniques used by criminals without causing damage. This enables you to address the security flaws that leave your organisation vulnerable.
Why is penetration testing important?
New cyber security vulnerabilities are identified – and exploited by criminals – every week.
Proactively identifying them is essential to your organisation’s security.
Only a penetration test carried out by a trained security professional can give you a proper understanding of the security issues you face.
To protect yourself, you should regularly conduct penetration tests to:
- Identify security flaws so that you can resolve them or implement appropriate controls.
- Ensure your existing security controls are effective.
- Test new software and systems for bugs.
- Discover new bugs in existing software.
- Support your organisation’s compliance with the EU GDPR (General Data Protection Regulation) and DPA (Data Protection Act) 2018, and other relevant privacy laws or regulations.
- Enable your conformance to standards such as the PCI DSS (Payment Card Industry Data Security Standard).
- Assure customers and other stakeholders that their data is being protected.
Types of penetration testing
Different types of pen testing will focus on various aspects of your organisation’s logical perimeter. This boundary separates your network from the Internet.
Infrastructure (network) penetration tests
Infrastructure vulnerabilities include insecure operating systems and network architecture, such as:
- Flaws in servers and hosts;
- Misconfigured wireless access points and firewalls; and
- Insecure network protocols (the rules that govern how devices such as modems, hubs, switches and routers communicate with each other).
Network penetration tests aim to identify and test these security flaws.
Types of infrastructure penetration test:
External infrastructure (network) penetration tests
External penetration tests identify and test security vulnerabilities that might allow attackers to gain access from outside the network.
Learn more about external network penetration testing
Buy an infrastructure (network) penetration test
Internal infrastructure (network) penetration tests
Internal penetration tests focus on what an attacker with inside access could achieve. An internal test will generally:
- Test from the perspective of both an authenticated and non-authenticated user to assess potential exploits;
- Assess vulnerabilities affecting systems that are accessible by authorised login IDs and that reside within the network; and
- Check for misconfigurations that could allow employees to access information and inadvertently leak it online.
Learn more about internal network (infrastructure) penetration testing
Wireless network penetration tests
If you use wireless technology, such as Wi-Fi, you should also consider wireless network penetration tests.
- Identifying Wi-Fi networks, including wireless fingerprinting, information leakage and signal leakage;
- Determining encryption weaknesses, such as encryption cracking, wireless sniffing and session hijacking;
- Identifying opportunities to penetrate a network by using wireless or evading WLAN access control measures; and
- Identifying legitimate users’ identities and credentials to access otherwise private networks and services.
Learn more about wireless network penetration testing
Buy a wireless network penetration test
Web application (software) penetration tests
Web application tests focus on vulnerabilities such as coding errors or software responding to certain requests in unintended ways.
- Testing user authentication to verify that accounts cannot compromise data;
- Assessing the web applications for flaws and vulnerabilities, such as XSS (cross-site scripting) or SQL injection;
- Confirming the secure configuration of web browsers and identifying features that can cause vulnerabilities; and
- Safeguarding database server and web server security.
Learn more about web application penetration testing
Buy a web application penetration test
All our penetration testing services can be delivered remotely
Learn more about online penetration testing:
Remote access penetration testing
Remote compromise penetration testing
Speak to an expert
For more information on how our CREST-accredited penetration testing services can help safeguard your organisation, call us now on
+44 (0)333 800 7000, or request a call back using the form below.
Get in touch
IT Governance’s penetration testing solutions
Our CREST-accredited penetration testing services have been developed to align with your business requirements, budget, and value you assign to the assets you intend to test.
Our level 1 penetration tests are suitable for organisations that want to identify the common exploitable weaknesses targeted by opportunistic attackers using freely available, automated attack tools.
For those with more complex objectives, or who require a more detailed exploration of complex or sensitive environments, our Technical Services team can provide additional expertise in the form of a level 2 test.
Contact us today to discuss your penetration testing needs.