What is Penetration Testing?
A penetration test is also known as a pen test, is an authorized simulated attack on a computer system, performed to evaluate the security of the system. The test is performed to identify both weaknesses, including the potential for unauthorized parties to gain access to the system’s features and data.
A penetration test can help determine whether a system is vulnerable to attack if the defenses were sufficient, and which defenses (if any) the test defeated.
The testers should target the following network areas in their penetration tests.
- Firewall config testing
- Stateful analysis testing
- Firewall bypass testing
- IPS deception
Also, there are a set of software modules which the penetration test should cover are as follows.
- SSH client/server tests.
- Network databases like MYSQL/SQL Server.
- Exchange or SMTP mail servers.
- FTP client/server tests.
=> There are five types of penetration testing,
1.Network Service Tests 2. Web Application Tests 3. Client Side Tests 4. Wireless Network Tests 5. Social Engineering Tests
Why is the Penetration Testing required?
Penetration testing to identify vulnerabilities and ensure on a regular basis that the cyber controls are working.
Organisations need to conduct regular testing of their systems for the following key reasons:
- To determine the weakness in the infrastructure (hardware), application (software) and people in order to develop controls
- To ensure controls have been implemented and are effective – this provides assurance to information security and senior management
- To test applications that are often the avenues of attack (Applications are built by people who can make mistakes despite best practices in software development)
- To discover new bugs in existing software (patches and updates can fix existing vulnerabilities, but they can also introduce new vulnerabilities)
How often to conduct pen testing?
Pen testing should be conducted regularly, to detect recently discovered, previously unknown vulnerabilities. Testing should be at least annually, and maybe monthly for internal vulnerability scanning of workstations, standards such as the PCI DSS recommend intervals for various scan types.