What is Penetration Testing?
Penetration testing can be referred to by many different terms including pen testing, ethical hacking, an IT health check or information security consulting but they are generally all referring to the same activity. Penetration testing can be defined as the process of simulating a cyber attack on computer systems for the purposes of discovering and eliminating security vulnerabilities.
The aim of penetration testing, is to identify security weaknesses in the client's systems by probing the systems for known vulnerabilities (or known classes of vulnerability). The client then has the opportunity to rectify the security issues which were identified in the testing phase and hence can improve the security of their systems against cyber attack. Vulnerabilities are usually collated in a final penetration test report and are classified according to the technical/business impact of the issue and the likelihood of each vulnerability being exploited. For each identified vulnerability, the report will detail appropriate steps that can be taken to mitigate the risk of the issue being exploited (e.g. the fix may involve installing a patch from the vendor's website). Penetration testing is an established and effective method to improve the security of computer systems. There are generally two approaches to penetration testing with advantages and disadvantages to each method, namely white box testing and blackbox testing. ReactionIS would normally use a combination of both testing methods to give an accurate picture of a client's security exposure.
What is Black Box Penetration Testing
Black box testing is where the penetration tester is given very minimal information about the target systems. This is to mimic the level of information a typical attacker might have and can provide an accurate picture of the security of the client's systems from the perspective of a would-be attacker. Whilst this information is useful, it may not provide a complete picture of the security of the target systems. There may be more security vulnerabilities in the target systems which could have been uncovered if the attacker had been given more information at the outset of the test.
What is White Box Penetration Testing
A penetration test is called white box testing if the consultant is given information about the target systems prior to and during the engagement. With this knowledge the consultant is often able to uncover more vulnerabilities than with the black box testing approach and therefore the systems may be considered more secure if the white box testing approach is used.
What is Network Penetration Testing
There are various different types of networks that can expose security vulnerabilities to attackers including external networks (Internet-facing), internal networks, DMZ networks, private networks, VPN's and wireless networks. Standard network penetration testing assesses these networks for common security vulnerabilities including weak encryption ciphers, weak encryption protocols, default login accounts or weak passwords, buffer overflows and format string attacks, vulnerable web server software, insecure database services, weak remote administration services, unencrypted network services, vulnerable network services and potential Denial of Service attacks.
What is Web Application Penetration Testing
Web application penetration testing is the process of assessing the pages and parameters of websites and web applications to test for issues which could be leveraged by an attacker to compromise the confidentiality, integrity or availability of the website. Common web application security flaws include SQL injection, Cross-Site Scripting, broken authentication and session management, insecure encryption implementation and potentially dangerous redirects and forwards amongst others. Testing often involves proxying the HTTP requests to the website and modifying the data to attempt to discover security issues.
Please see our penetration testing services page for more details.