Penetration Testing: What Is It & Why Is Pentesting Required?

Penetration testing is a form of ethical hacking. When the process is complete, you'll identify weak spots in your plans. Reporting helps you patch them before true hackers find them first. 

What Is Penetration Testing?

At the end of a successful hack, you'll know so much about your company's security system. You'll see where the gaps are, you'll understand how employees helped or harmed the effort, and you'll know how long it took you to spot the problem. 

But at the end of a hack, you've lost something. You may have been forced to pay a ransom to wrest control away from the hacker. And you may have lost the trust of customers too. 

What if you could learn while losing nothing? 

At one point, pentesting was the province of highly regulated industries. If you worked for a government agency, a utility, or a financial institution, you ran pentesting to comply with regulations. But now, plenty of companies run tests like this, as the threat of cyber attacks touches almost all market sectors.

 


Pentesting Stages 

A hacker can jump into action with almost no preparation or planning. Pentesting is different. Projects should move through a predictable series of steps, with plenty of collaboration and conversation along the way. 

The PCI Security Standards Council recognizes three critical pentesting stages:

  1. Pre-engagement 
  2. Engagement 
  3. Post-engagement

We'll walk through them one by one. 

Pre-Engagement

Whether you're using an in-house team or hiring a consultant, you must have a conversation before the work begins. You'll discuss:

  • The scope. What components should be included in the test? 
  • Documentation. How will the work be recorded for future study?
  • Rules. When should the work start and stop? How far should the hacker dig before stopping? Will sensitive data be shown?

Your conversation can be short or long, depending on all of the aspects you need to cover. Ensure someone takes detailed notes, as you'll refer to this agreement as the project moves forward.

Engagement

At this stage, your team begins to dig into the details of your system and look for vulnerabilities. 

As experts explain, a pentest isn't exhaustive. You may have vulnerabilities that just don't come up during the process. But your hacking team should work hard here to break through your defenses. The goal is to determine just how far a hacker can get into your servers without being detected. 

A pentesting team typically looks over:

  • Application layers.
  • Network layers.
  • Segmentation.

If sensitive data is exposed, the team should notify you immediately. And anything that the team ruins or changes during the test should be cleaned up when the work is done.

Post-Engagement

At the end of a test, you should have a report ready for deep analysis. Use that as feedback to help guide changes in your security systems. 

The feedback you get should be about exploited vulnerabilities. In other words, it's not helpful to get reports about the clever or interesting things the hacker found out about your systems. Everything in the report should be both applicable and usable. 

Common Attack Vectors in a Pen Test 

Your hacking team could poke at almost any part of your security system as the work unfolds. But the EC-Council suggests that most focus on just seven different attack vectors:

  1. Cross-site scripting: A hacker impersonates a user to test the security of a web-based application. 
  2. Brute-force attack: A hacker tries hundreds or