What is Penetration Testing?

The Comprehensive CCL Group Guide to Penetration Testing.

In 2018 organisations of all sizes were falling victim to the increasing threat of  cyber attack on a daily basis. Notable data breaches included 500 million records from Marriot Hotels, over 30 million records from Facebook and 380 thousand British Airways customers who’s credit card information and personal details were stolen. It is estimated in the first half of 2018 alone over 4.5 billion records were compromised within major organisations.

It is unsurprising then that, globally the penetration testing market is estimated to grow at a rate of 13.9% annually between 2017 and 2027. The UK market is a key contributor to this growth. But what is penetration testing? What types of penetration testing are there and which is right for your business?

Read on to find out the answers to these questions and get our specialist guidance on securing your digital infrastructure with penetration testing services that are specific to you...

Penetration testing explained

Penetration testing is a form of ethical hacking. Through simulation of latest cyber attacker technology and techniques, trained digital specialists mimic the activity of online criminals to assess the strength of your infrastructure.

Similarly, penetration tests also allow your business to assess the coherence of your security policy, security awareness of employees, compliance and the effectiveness of your incident response.

Simulating a digital attack allows businesses to identify and eliminate exploitable vulnerabilities before an external breach occurs. Testing can be applied to any number of application systems, application protocol interfaces (APIs), frontend/backend servers and inputs that may be vulnerable to a code injection attack.

 A typical test will take around one or three weeks, but this will vary depending on engagement size, the number of systems being tested and the type of penetration testing being carried out. See the different types of test listed below…

The basics of penetration testing...

External testing

Targeting of online assets, in other terms those which are visible to the internet. This can include web applications, websites, emails and domain servers. Specialists attempt to access and extract valuable data utilising the same methods and information that would be available to hackers based on your businesses web presence.

Internal penetration testing

Simulation of a malicious insider. Testers have access to applications behind your firewall, which doesn’t necessarily simulate a rogue employee. One of the most common scenarios this imitates are those where credentials have been stolen through hacker methods like phishing.

Types of penetration testing. Which service is the best fit for you?

Blind testing or Black box penetration testing

Testers are given only the basics of information, such as the target business. This is the most realistic method of penetration testing, allowing your business to understand in real time how an infrastructure attack would occur.

 Because of the nature of blind testing, it can time longer to complete than other forms of testing. This is because with no information on application structure, source code or software architecture, testers must adopt a trial and error method.

Double blind testing

Security personnel and internal teams are given no prior knowledge of the simulated cyber breach attempt. This gives teams no time to bolster digital defences, matching a real world scenario.

Targeted testing or white box penetration testing

A form of testing which relies on full communication between the tester and security personnel. This often proves invaluable as a source of training for IT security teams. Real time feedback provides an education on the methods and technologies attackers utilise.

Testers are able to complete attack simulations faster with prior system knowledge. Additionally testing can be seen as more detailed, because simulated system intrusion means that multiple potential vulnerabilities can be identified and exploited.

Grey box penetration testing

Combining both white box and black both penetration testing, grey box testing gives attack simulators a partial knowledge of your infrastructure. This allows testers to focus on target areas and identify even the most hidden infrastructure vulnerabilities.

If you have found this blog useful. Feel free to share it below. To get in touch with our cyber security team, please leave your details below…