Penetration testing is a type of test that helps to identify what kinds of attacks an infrastructure is vulnerable to. It involves intentionally trying to attack the system in order to find its weaknesses and devise ways to address them. This process is usually conducted by a third party.
Penetration tests can target different parts of the infrastructure and presume different types of attacker. For example, in a black box test, the team conducting the test is not given information about the organisation’s infrastructure, whereas in a white box test, they are given all of the information about the system (for example, what kinds of OSes are in use, where different kinds of data are stored, who has access to which systems, etc.).
An organisation might conduct a penetration test on its internal network to find vulnerabilities in the way in which data is secured and stored, or on its external network, to find leaks or other vulnerabilities in the way in which it connects to the outside world. It might conduct a penetration test on its client-facing infrastructure, for example, by testing whether its website is vulnerable to SQL injection.
Penetration tests are not just carried out on the organisation’s computers — a penetration tester might send phishing emails to the employees to see if an attack could be facilitated through human error.
A key element of penetration testing is the production of a report, usually in the form of a risk assessment, which allows the organisation to determine which attacks it is vulnerable to, and how cost-effective it would be to take steps to prevent them.
Another continuous cycle of improvement
As you learned last week, providing any form of computer security is a constant and cyclical process. The same is true of penetration testing, which involves multiple steps of research and attack. Companies often run penetration tests annually, or more regularly if they have introduced new systems, or if they want to check that a vulnerability has been fixed.
A penetration test might be conducted in stages (just as software is often tested module by module, as you learned in Week 2). These tests are also often performed outside of usual working hours. This is because devastating attacks that take entire systems offline or otherwise disrupt the ability of an organisation to function as normal can be extremely costly. Penetration testing is designed to prevent these kinds of losses, so it would be counterproductive to overwhelm the system with lots of attacks, or to attack the system when it is in use.
Why organisations use penetration testing
Even though penetration tests cost money, if they help an organisation to prevent more costly attacks in the future, they can save the organisation money overall.
However, this is not the only motivation for organisations to conduct a penetration test. If an organisation handles sensitive data, it may be required by law to protect the data from theft or corruption. This obligation extends to preventing potential attacks.
In addition, the report produced in a penetration test can be used to demonstrate that an organisation has taken reasonable steps to protect the data that it holds.
In the next step, you will look at some of the key security principles that have been shared in this course.
- What kind of attacker is being simulated in a black box test, and what kind of attacker is being simulated in a white box test?
- Why might it be important for an organisation to hire a third party to conduct its penetration test?
Share your answers in the comments
Suggested classroom exercise
To help your students to understand the penetration test process, and to get them thinking about infrastructure vulnerabilities more generally, you could ask them to design their own companies and penetration tests.
Split your class into groups and ask each group to design their own data company (for example, a social media platform or a telemarketing company). In the first stage of the exercise, each group should describe their company’s infrastructure (for instance, how many employees it has, who has access to what data, where the data is stored, etc.). They could give presentations to explain their companies, or write reports.
In the second stage, each group should design a penetration test on a different group’s company. To do this, they will need to think about the security infrastructure and where the potential vulnerabilities are likely to be, and think of strategies to exploit these vulnerabilities. For ideas on how to get started, you can direct your students to adverts for real penetration tests. You can find an example here.