
What is penetration testing?

In this step, you will learn about penetration testing, a tool used to defend against lots of different kinds of attacks.

Let’s start with a simple definition.

What is penetration testing?

Penetration testing is a type of test that helps to identify what kinds of attacks an infrastructure is vulnerable to. It involves intentionally trying to attack the system in order to find its weaknesses and devise ways to defend them. This process is usually conducted through a third party.

Black-box and white-box tests

Penetration tests can target different parts of the infrastructure and presume different types of attackers. For example, in a black-box test, the team conducting the test is not given information about the organisation’s infrastructure.

In a white-box test, they are given all of the information about the system (for example, what kinds of OSes are in use, where different kinds of data are stored, who has access to which systems, etc.).

Finding vulnerabilities

An organisation might conduct a penetration test on its internal network to find vulnerabilities in the way in which data is secured and stored, or on its external network, to find leaks or other vulnerabilities in the way in which it connects to the outside world.

It might conduct a penetration test on its client-facing infrastructure, for example, by testing whether its website is vulnerable to SQL injection.

Sending phishing emails to employees

Penetration tests are not just carried out on the organisation’s computers — a penetration tester might send phishing emails to the employees to see if an attack could be facilitated through human error.

A key element of penetration testing is the production of a report, usually in the form of a risk assessment, which allows the organisation to determine which attacks it is vulnerable to, and how cost-effective it would be to take steps to prevent them.

The continuous cycle of improvement

Providing any form of computer security is a constant and cyclical process. The same is true of penetration testing, which involves multiple steps of research and attack.

Companies often run penetration tests annually, or more regularly if they have introduced new systems, or if they want to check that a vulnerability has been fixed.

Penetration tests in stages

A penetration test might be conducted in stages (just as software is often tested module by module). These tests are also often performed outside of usual working hours.

This is because devastating attacks that take entire systems offline or otherwise disrupt the ability of an organisation to function as normal can be extremely costly.

Penetration testing is designed to prevent these kinds of losses, so it would be counterproductive to overwhelm the system with lots of attacks or to attack the system when it is in use.

Why do organisations use penetration testing?

Even though penetration tests cost money, if they help an organisation to prevent more costly attacks in the future, they can save the organisation money overall.

However, this is not the only motivation for organisations to conduct a penetration test. If an organisation handles sensitive data, it may be required by law to protect the data from theft or corruption. This obligation extends to preventing potential attacks.

In addition, the report produced in a penetration test can be used to demonstrate that an organisation has taken reasonable steps to protect the data that it holds.

To learn more about penetration testing, check out the full online course, from the Raspberry Pi Foundation, below.

This article is from the free online course Introduction to Cybersecurity for Teachers.

Created by
FutureLearn - Learning For Life
