Penetration Testing is in-depth testing of your network’s security to determine areas where a hacker might be able to breach your system.
In order to understand how Penetration Testing is done, we look at how Hackers operate. Hackers usually follow these steps:
- Gather intel on your system with either manual or automated tools.
- Look over the intel gathered to identify where and how they might get in.
- Hack in.
- Finally, take sensitive information such as emails, financial records, or credit card data, or wreak havoc with an attack. Attacks can include the introduction of a virus or worm, or a Denial of Service (DoS) attack.
Penetration Testing is designed to mimic what Hackers do, without the resultant damage. This enables your organization to “plug the holes” before a Hacker can get in.
There are several tiers of Penetration Testing:
- Automated testing – An advanced automated system is run on your network from outside your organization to identify any obvious points where a breach could occur. This is the fastest and least expensive method of Penetration Testing. If you’ve never had Penetration Testing done before, this is a good first step toward ensuring your company’s security. You can purchase the software that performs these tasks and run it yourself, or have an outside organization do it. Your IT personnel then review the results to figure out the best way to make your network more secure.
- Manual testing, non-invasive – A Tester uses non-invasive tools to gather intel as a Hacker would, running the tools manually and tweaking requests to get the most valuable information possible. The Tester then prepares a report for your organization. With this type of testing, no attempt is made to hack your network; the Tester simply gathers data and looks it over, mimicking the first two steps a Hacker takes.
- Manual testing, invasive, data theft – A Tester gathers intel and uses it to “steal” information. For example, a Tester might use the information gathered to get access to your company’s sensitive financial information, but will share this information only with you, in order to show that the attack was carried out.
- Manual testing, invasive, attack simulation – A Tester gathers intel and uses it to launch a light attack, such as a DoS attack that lasts 3 minutes, or a virus that simply displays a message and doesn’t damage your data (and is easily removed).
In all cases, the Tester’s primary goal is to improve your security. The Tester will work with you to develop a plan to prevent attacks.
Contact me for a free consultation on Penetration Testing and help your organization become more secure.