Types of penetration testing
If you are thinking about performing a penetration test on your organisation, you might be interested in learning about the different types of tests available. With that knowledge, you’ll be better equipped to define the scope for your project, hire the right expert and, ultimately, achieve your security objectives.
What is penetration testing?
Penetration testing, commonly referred to as “pen testing”, is a technique that simulates real-life attacks on your IT systems to find weaknesses that could be exploited by hackers. Whether to comply with security regulations such as ISO 27001, gain customer and 3rd party trust, or achieve your own peace of mind, penetration testing is an effective method used by modern organisations to strengthen their cyber security posture and prevent data breaches.
Read about the different types of penetration testing to find out which type you can benefit from the most:
Network penetration testing
As the name suggests, a network penetration test aims to identify weaknesses in your network infrastructure, whether on premises or in cloud environments. It is one of the most common and crucial tests to perform to ensure the security of your business-critical data. Network penetration testing covers a broad range of checks, including insecure configurations, encryption vulnerabilities, and missing security patches, in order to determine the steps a hacker could take to attack your organisation. Security professionals often categorise this test into two different perspectives: external and internal.
External penetration testing involves searching for vulnerabilities that could be exploited by any attacker with access to the internet. In this scenario, penetration testers are trying to get access to your business-critical systems and data in order to determine how an attacker without any prior access or knowledge would be able to target your organisation. You can think of this test as being performed from the perspective of an "outsider".
In contrast, internal penetration testing is concerned with testing your internal corporate environment. This type of testing considers scenarios in which an attacker has managed to gain an initial foothold within your corporate network, for example by exploiting a vulnerability in one of your internet-facing systems, or through the use of social engineering. In this case, the test is performed from an “insider” perspective, with the objective of finding a way to steal sensitive information or disrupt the operations of an organisation.
Generally speaking, external weaknesses are considered to pose a more serious threat than internal ones. For one thing, a hacker has to overcome an external security barrier before accessing your internal networks and pivoting to other systems. If you haven’t conducted any kind of penetration testing before, an external or “perimeter” test is often the best place to start, as the perimeter is the easiest thing for attackers to get to. If you have trivial vulnerabilities in your internet-facing infrastructure, that’s where the hackers will start.
Web application penetration testing
Web application penetration testing attempts to uncover vulnerabilities across websites and web applications, such as e-commerce platforms, content management systems, and customer relationship management software. This type of test involves reviewing the entire web application's security, including its underlying logic and custom functionality, to prevent data breaches.
Some of the common vulnerabilities detected during a web app penetration test include database injections, cross-site scripting (XSS), and broken authentication. If you are interested in learning more about different types of web application weaknesses, their severity and how you can prevent them, the Open Web Application Security Project (OWASP) Top 10 is a great place to start. Every few years OWASP publishes information about the most frequent and dangerous web application flaws, basing its findings on the data collected from many thousands of applications.
Considering the prevalence of web applications in modern organisations, and the valuable information that they transmit and store, it is unsurprising that they are an attractive target to cyber criminals. According to Verizon’s “2020 Data Breach Investigations Report”, the proportion of data breaches tied to web application vulnerabilities doubled year-on-year, reaching 43% in 2019. For this reason, organisations that are developing or managing their own internet-facing applications should strongly consider conducting web application penetration testing.
Automated penetration testing
The objective of an automated penetration test is to find security weaknesses through automating manual network or web application penetration testing processes. An automated penetration test typically implies the use of vulnerability scanners, which have thousands of checks to probe systems and identify security issues that could be exploited by a hacker.
Manual penetration tests are commonly performed once or twice per year due to their complexity and cost. However, with over 10,000 vulnerabilities detected every year, there is a high risk of a system breach in the period between the tests. To achieve continuous protection, it is beneficial to supplement manual penetration tests with automated tests, which are generally cheaper and can be scheduled to run periodically or on-demand.
While humans excel at detecting highly complex security flaws that may not be found by machines, automated tools can help you catch some very serious vulnerabilities. One example is exposed databases, which could lead to damaging data breaches if not corrected promptly. Our own research shows that it could take a mere 9 minutes for someone to breach an unsecured database, so it is important to act quickly if you want to stay protected. With the help of automated tools, you can react as soon as new threats are discovered, keeping an eye on your systems 24/7.
If you want to see an automated penetration testing tool in action, Intruder offers a free 30-day trial, so you can take it for a spin. And if you’re interested in finding more about the differences between manual and automated penetration testing, we’ve written a more in-depth blog post on this subject.
Social engineering penetration testing
In comparison to the previously described penetration testing types, which focus on finding weaknesses in technology, social engineering attempts to compromise the security of an organisation by exploiting human psychology. It can take a variety of forms and can be executed either remotely, for example by trying to obtain sensitive information from users through phishing emails or phone calls, or on-site, in which case a penetration tester will attempt to gain access to a physical facility. In all cases, the objective of this penetration test is to manipulate individuals, usually the company’s employees, into giving away valuable information.
The success of a social engineering penetration test largely depends on the information gathered in the “reconnaissance” phase, which involves researching targeted individuals or an organisation by using publicly accessible open source intelligence (OSINT). After building a more precise image of their target, a penetration tester can use discovered information to proceed with the creation of a tailored attack strategy. One of the most common attack vectors in social engineering is a phishing attack, usually delivered by email. When performing a phishing attack, a penetration tester does not necessarily stop when an unsuspecting employee clicks on a malicious link, but can go further, attempting to steal user credentials and get access to an employee's laptop. Such attacks can be extremely successful, especially when performed by experienced penetration testers. You can read about some of the famous examples here.
Social engineering penetration testing is not as widely adopted as network or web application testing. However, if your organisation is already doing regular security awareness training, conducting a dedicated social engineering test can be a great addition to your arsenal for identifying and fixing security issues in your operations.
Red Teaming
This advanced technique has its origin in military training exercises. It is designed to challenge an organisation’s security, processes, policies and plans by adopting an adversarial mindset. In contrast, Blue Teaming, otherwise known as “defensive security”, involves detecting and withstanding Red Team attacks as well as real-life adversaries.
Red Teaming combines digital, social and physical domains to implement comprehensive real-life attack scenarios. As such, Red Teaming can be considered a distinct operation from penetration testing, but since its tasks span all of the penetration testing types described above, we thought it was worth mentioning in this article.
The objective of a standard penetration test is to find as many vulnerabilities as possible within a given timeframe. The breadth of this test is naturally limited by the scope of work, but real-life adversaries don’t have such artificial restrictions to follow. As a result, even if an organisation regularly performs penetration tests and vulnerability scans, it can still be exposed to more sophisticated attacks, such as those where social engineering and internal network weaknesses are chained together. This is where Red Teaming comes in. It assesses an organisation’s environment as a whole, understanding how all parts function together. It then applies critical thinking to discover new vulnerabilities that attackers could exploit, helping the organisation to assess its response to real-world attacks.
Compared to a standard penetration test, which lasts several days or weeks, Red Team assessments generally take much longer, in some cases several months to complete. Due to its complex nature, it is a rather rare operation, typically performed by larger organisations or by government contractors with well-established security programmes.
Penetration testing is a broad discipline that encompasses different techniques, so it is important to understand the relative risks that your organisation is facing in order to choose the most appropriate type. Once you have decided on the kind of penetration test you want to conduct, the next logical step is to choose the right company for your project; if you need help getting started, we have written a helpful guide on how to choose the right pentesting company.
If you are still unsure what type of testing is appropriate for your organisation, you can reach out to our team of experienced penetration testers, who will be able to help you. Here at Intruder, we offer a variety of penetration testing services as well as continuous vulnerability scanning. To enquire about Intruder’s penetration testing services, please feel free to get in touch, or get started with a free trial today.
Thanks to Daniel Thatcher