A penetration test is a simulated cyber attack against your computer system to check for exploitable vulnerabilities. It’s a series of targeted, nonmalicious attacks intended to breach your cybersecurity defenses. The difference between a pentest and a real attack, however, is that penetration tests are conducted by ethical security professionals, who keep any extracted data private and ultimately help you improve your security posture.
We simulate an external attacker attempting to exploit your internet-facing networks and applications to help you identify exploitable vulnerabilities and weaknesses in your perimeter that leave you exposed.
Penetration Testing vs. Vulnerability Assessments
The main difference between a penetration test and a vulnerability assessment is that, while both start with an initial scan and investigation of identified vulnerabilities, attacks through vectors such as social engineering, external/internal network services, web applications, etc. are not performed during a vulnerability assessment.
Think of vulnerability assessments and penetration tests as equally important investments in a holistic cyber security initiative. A pentest, however, takes longer and is a more extensive investigation.
To learn more about what sets them apart, read our blog Penetration Testing vs. Vulnerability Assessments: The Key Differences.
The 6 Types of Pentests
When a company says they’ll perform a pentest, it’s important to find out what kind of penetration test they’re offering.
There are six core types:
- External Network
- Internal Network
- Social Engineering
- Web/Mobile Application
If a bad actor finds one shut door, that’s not to say they can’t find another that’s open. With this in mind, a savvy cyber security team should pursue all of these testing vectors, taking care to keep the approach well rounded. This “combination of attack vectors” approach is often referred to as Red Teaming.
Learn more about the 6 Types of Pentesting before screening any companies for the job.
The 4 Phases of Pentests
No matter the type of penetration test, there are usually four phases, all of which deserve equal attention:
While it’s easy to assume performing the attacks is all that matters, the success of any compromise often depends on what happens before and after the actual exploit.
Social engineering attacks often work because the hacker builds a relationship and trust with the victim before planting the bait, meaning a lot of strategizing and slow-nurturing occurs before the malware-infected link is sent or the bad actor asks the recipient to perform a task.
What happens post-attack matters just as much. According to M-Trends, the median number of days an adversary will sit inside a network undetected is an incredible 146 days. What could a hacker find out about your company or do with 146 days of access to your internal network?
Read more about the 4 Phases of Penetration Testing here.
The Pentesting Report
Once the cybersecurity professionals breach your systems, they’ll compile their findings into a comprehensive report. This report will break down what happened throughout the attack and offer recommendations for mitigating the risks. It often includes an executive summary as well, translating tech talk into easily understood language for your C-Suite.
Beyond the Compliance Checkbox
There are many reasons why a professional pentest is a wise investment beyond compliance regulations. Discover why penetration testing is more important than ever in 2020.
Then, read through these 7 Real-World Findings from Penetration Tests to start making changes to security. Continue learning by downloading our free 5-½ Easy Steps to Avoid Cyber Attacks ebook.