Appalachia Technologies Blog
What is Penetration Testing – Finding Vulnerabilities Before the Bad Guys Do (appTECH TALK Ep. 2)
If you are an organization with digital assets to protect, you’ve most likely heard the term Penetration Testing, also known as Pen Testing. Penetration testing is the process used to find vulnerabilities and leverage them to hack an organization.
Isn’t Hacking Bad?
It certainly can be. However, professional penetration testers are ethical hackers. They follow a set of industry-standard guidelines. These are the good guys that are trained to think like an attacker and simulate how a real-world attack can affect an organization.
What types of Penetration Testing are there?
There are three types of penetration tests that we are going to focus on. These include External, Internal, and Web Application penetration testing. What type should your organization pursue? Well, it depends. I will explain each one in detail.
External Penetration Testing
External penetration testing is really where an organization should start. When the term “external” is used, it is referring to any digital asset sitting on the outside, or external interface, of the firewall. With over 50 billion devices connected to the internet, many of them sit outside of firewalls. When services sit outside the firewall, they can potentially be accessed from anywhere in the world. It is important to ensure that only required systems and services sit outside the firewall. Along with limiting systems, patching must be kept up to date. Default usernames and passwords on any device should be changed. An ethical hacker who is performing a penetration test will look for vulnerabilities that could allow someone to gain unauthorized access. After gaining access, the tester will then perform techniques to “pivot” to other portions of the network. Sometimes this will allow the attacker to gain access to the inside of the firewall if proper controls aren’t in place. If a choice must be made due to company budget, the external penetration test is typically the place to start.
Internal Penetration Testing
Unfortunately, internal penetration testing is often overlooked. This is because of the misconception that anything inside of the firewall is safe. This isn’t the case. Eighty-five percent of the cybersecurity breaches that happened in 2021 involved the human element. For example, phishing attacks that happen inside the network have been a big reason for ransomware. Ransomware usually involves a user clicking a malicious link. When this happens, it can allow an attacker to gain access directly to that computer inside the firewall. From there, an attacker can pivot to other portions of the network. Many attackers can reside on the network, inside the firewall, for months before detection. A penetration tester will test the network inside the firewall to see what vulnerabilities exist on the inside of a network. For example, if a user in the marketing department clicked a phishing link and allowed an attacker to gain access, would the attacker be able to pivot to the accounting department? Controls like these are often tested in an internal penetration test.
Web Application Penetration Testing
It’s this simple. If your company or organization has a website, you have a web application. Web application penetration testing is the process of testing the web application (website) to find vulnerabilities. The tester then uses these vulnerabilities to gain access to the back end of the web application to possibly access another account. Escalating privileges on the web application may allow an attacker to change administrative settings, re-route pages, steal credit cards, change prices on a website, or even access proprietary information. A web application penetration test is typically performed against the OWASP guidelines. OWASP is an organization that has produced industry-standard guidelines used for penetration testing. This ensures that proper techniques are used to find potential vulnerabilities within a web application.
In summary, a penetration test should occur yearly at a minimum. It is extremely rare that a penetration test has no findings. Teams should be prepared to mitigate and fix vulnerabilities soon after they are reported. If this is completed on a consistent basis, it will ensure that your organization is performing its due diligence on securing your assets.
To learn more about what to do with penetration testing results, check out our blog on Penetration Testing Remediation.
Mike Miller is a cybersecurity professional with 25 years of experience in the IT industry. He has focused on security, specializing in the areas of Virtual Chief Information Security Officer services, Governance, Risk, and Compliance, PCI, SOC, Intrusion Detection, Penetration Testing, and Incident Response. In 2011, Mike founded Cyber Protection Group, which was acquired by Appalachia in 2022. Mike is passionate about mentoring and assisting aspiring cybersecurity professionals and can be found regularly sharing insight on his LinkedIn profile. When he isn’t fighting cyber crime, Mike loves spending time with his wife and kids, often boating in the Ozarks.