A ‘pen test’ (short for ‘penetration test’) is an attack on a computer system that is authorized by the system’s owner. The purpose? You find weak points before hackers do. For this reason, a cybersecurity professional who conducts pen tests is often called an ‘ethical hacker’.
What are the 5 most common types of pen tests?
Penetration tests come in many forms, but there are at least five major types of pen tests that everyone can agree on.
- Network, Cloud, and Wireless Penetration Tests
Network security is one of the most critical types of cybersecurity because it can serve as the ‘frontline’ barrier to hackers. If a hacker can’t breach your network, they won’t have a full range of access to your company’s files, systems, and hardware.
Network pen testers use several common hacking methods to gain access, including:
- Scanning for network vulnerabilities, including open ports
- Identifying and exploiting issues in routers or firewalls (e.g. misconfigurations or bypass opportunities)
Cloud Computing and Pen Tests
The rise of cloud computing has increased the number of possible pathways into an organization and its files. In addition to traditional network concerns such as firewall configuration, there may be problems with third-party storage vendors. In many cases, these vendors specifically allow or prohibit certain types of penetration tests (even for their own clients) in order to maintain tight security.
Wireless security is often designated as its own type of penetration test because of the potential for unauthorized network access, address spoofing, and web-based malware. SQL injection is one of the most common types of attack in this category. Through a web interface, injected SQL can query the underlying database for valuable information in a matter of seconds.
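As an added illustration of the SQL injection risk just mentioned (this code is not from the original article): a lookup built by string concatenation lets user input become part of the query text, while the parameterized form treats the same input as plain data. The table, rows and function names are constructed for this example.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny users table standing in for an application database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Builds SQL by string concatenation: whatever the user typed becomes part of the query.
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, username):
    # Parameterized query: the driver passes the input as a bound value, never as SQL.
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    # Runs both lookups against the same textbook tautology input and a normal username.
    conn = make_db()
    tautology = "' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, tautology),   # every row leaks
        "hardened": lookup_hardened(conn, tautology),       # no such username, no rows
        "hardened_legit": lookup_hardened(conn, "alice"),   # normal use still works
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The mitigation is the parameterized form: the same input that dumps the whole table through the concatenated query matches nothing when bound as data.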
- Application Penetration Tests
Application penetration testing overlaps with the network and cloud tests mentioned above, but it also covers key third-party web applications and their associated components. Several technologies are used widely across the web, such as Java applets, APIs, ActiveX controls, Silverlight, and more. Adobe Flash was often cited as a major security concern, famously leading Steve Jobs of Apple to decline to offer it on Apple devices.
- Client-Side Tests
Client-side tests are an important type of penetration test because they zero in on an individual user’s interaction with the network. Perhaps a specific user has not updated their software to account for a known security vulnerability or is using the web in a manner that increases the risk of encountering an application issue like the ones covered in the previous section.
There also needs to be an understanding of how much a bad actor already ‘inside’ the system can do from a typical employee’s computer. After all, at that point they have already passed the network perimeter, one of the most critical failsafes. (Note: sometimes this sort of bad actor is lumped in with the Social Engineering tests in the next section.)
- Social Engineering Tests
Not everyone who causes a security issue is a bad actor. Far more commonly, trusted and well-meaning employees fall victim to classic scams; a stunning 98% of cyber attacks involve social engineering.
Phishing is the most well-known type of security issue in this category. E-mails that look and read like valid communications turn out to contain attachments or links carrying some manner of malicious code; once opened, it can spread far more quickly than many people realize. In other cases, users are redirected to websites that appear legitimate in order to harvest their username and password.
While firms have gotten better about teaching their employees to avoid phishing schemes, it remains one of the most popular types of attack. When it was reported that cybercrime increased by 600% (1) during the COVID-19 pandemic, people noted that the virus was used as a theme for luring employees to click malicious links.
Note that a phishing-style attack can happen in a medium other than email and websites. Vishing (voice phishing, such as via a fake phone number) and smishing (text messages) are common security problems as well.
In a scam called pretexting, the hacker develops an elaborate scenario to convince a user to hand over critical information; for example, they might call about a recent purchase, inform the user they were overcharged, and ask for key personal information to ‘verify’ their identity before issuing a refund.
And how did they find out about the recent purchase? Dumpster diving. Hackers who want to penetrate the systems of a large company will think nothing of going through the trash to find valuable clues they can use to gain access, be it network diagrams or just projects or people they can namedrop to convince other employees they are legitimate members of the team.
- Physical Penetration Testing
If hackers are onsite to dumpster dive, they may just go for the gold and attempt a physical penetration. This is an often overlooked problem for businesses; swipe cards and building alarms can give a false sense of security. But what if everyone knows an RFID-locked door entry system will open with a hard physical push? Perhaps a company is susceptible to simple lock picking?
Or what if employees won’t question it if a person claiming to be part of the IT team shows up to ‘fix a virus’ on their laptop, and then says they have to take it back to the IT area to run a key update?
Employees of large companies are used to working with people they don’t recognize, and may assume that someone already in a passcard-protected area is a legitimate business associate. Personnel and vendor impersonation remain high-value types of penetration for hackers, because of the ability to access valuable information and equipment directly.
What does a pen tester need to know before running a test?
Imagine that you are a business and you want to run a penetration test. How much information should you give the ethical hacker you work with? This is a common question in pen testing, and there are a number of approaches people take.
White Box Pen Testing
In white box pen testing (4), the pen tester is given a high level of information about the firm’s information systems, security architecture, and so on. They might even be given access to the firm’s latest vulnerability assessment to better understand how the firm views its own strengths and weaknesses.
The benefit of a white box pen test is that an ethical hacker can design specific, detailed attacks to test possible weak points. They also have valuable information they can use to develop complex social engineering attacks.
The better informed these social engineering attacks are, the more devastating their results can be, giving the firm an honest account of the considerations it needs to make in its overall information security architecture.
White box pen testing has an additional advantage: because the hacker does not have to spend their time gaining access to key systems and mapping them out from scratch, more time can be spent on identifying and mitigating the vulnerabilities that hackers will seek to exploit once they do gain access.
Gray Box Pen Testing
Gray box testing generally involves providing the ethical hacker with enough information to target their efforts towards some clear area of concern. For example, a company may decide that the nature of its business limits the damage an unprepared hacker can do in a short amount of time.
The company can then focus the test on a specific area, such as identifying and mitigating the risk of long-term network access, and provide the pen tester with the necessary access or credentials to operate in such an environment.
Black Box Pen Testing
Black box pen testing (2) is meant to replicate the experience a hacker might have when they first approach a target. They may know only the company name and generally available public information about it, but they won’t have any inside knowledge to help them get started.
A black box pen tester is likely to begin with ‘easy’ intrusion methods and then build out their plan based on their results.
Black box testing is beneficial because it allows a company to get a sense of the time it would take an unfamiliar hacker to learn key details about its business and penetrate its systems; it can also discover vulnerabilities or flows of information that have not been considered in the firm’s information systems architecture, and thus would have been overlooked in a planned-out test.
Because a black box test usually ends once the hacker has gained entry or fulfilled some other intrusion benchmark, black box tests can be quick to run and provide an honest account of a hacker’s likely approaches to penetrating the company’s information security systems.
Authorizing and Communicating a Pen Test
Pen tests are critical tools for organizations to identify their own network vulnerabilities, but they require careful planning, tracking, and communicating. Key internal team members may need to be made aware of the test for security purposes, and external vendors will need to be aware that an authorized member of your firm may attempt to compromise their systems.
Most vendors are familiar with these tests and will be able to provide information on any process, limitations, and documentation that needs to be considered.
It is critical to note that, for their own security purposes, most vendors will not respond well to unauthorized penetration tests of their systems, and will view these as legitimate hacking attempts.
In addition, many key vendors place specific restrictions on their clients’ or vendors’ ethical hacking capabilities, and may respond with legal action if a firm attempts a breach outside of these boundaries.
For this reason, ethical hackers should always ensure they have proper documentation of their own authorizations, as well as a solid understanding of any parameters or limitations they must observe.
Careers in Penetration Testing
What makes for a great penetration tester? First things first: technical chops. A penetration tester needs to understand modern network and information security systems and design, so they can navigate a company’s network and understand the opportunities that they are being presented with.
They’ll also need strong skills across the full range of hacking and information research techniques, and the persistence to find a way to achieve their goals however possible.
Penetration testers also have to stay at the cutting edge of the information security field to understand how opportunities and vulnerabilities change moment-to-moment.
Flatiron School Covers Pen Testing in Cybersecurity
Most cyber security courses, degrees, and certifications will have significant coursework designed to cover penetration testing. These can provide a strong foundation for professionals seeking to pursue a career in penetration testing.
What certifications are available for pen testing?
There are also numerous certifications available, including the Certified Ethical Hacker and Licensed Penetration Tester.
With a certification, you can communicate to your current or prospective employer that you have independent confirmation of the unique range of skills required to be a pen tester.
Flatiron School Adds to the Real-World IT Experience
Of course, there is no replacement for real-world experience. IT and information security professionals interested in a career as a pen tester should inquire with their firm to be part of a pen testing team.
Independent contractors should use their networks to identify trusted relationships; it goes without saying that firms will need to have a high level of trust in individuals they authorize to compromise their own systems.
Penetration testing remains a critical information security career path, and requires a strong level of hard skills combined with traits such as persistence, an understanding of security and psychology, and a love of solving puzzles.
With the ongoing growth in cybercrime, there figures to be an expanded need for ethical hackers in the years to come, making it a solid career choice for those who wish to pursue information and cyber security in the long-term.