What are the different Types of Penetration Testing?
Equilibrium Security are CREST accredited Penetration Testers.
What is Pen Testing and what is it’s purpose?
A penetration test is a planned attack on a software or hardware system which aims to expose security flaws which may lead to a damaging cyber breach. Each penetration test conducted depends entirely on the scope of operation. For example- the level of intrusion it relates to. In some cases, simply finding the vulnerability is enough. Therefore, it is highly important for CREST security experts to choose the most suitable type of penetration test for their customer (based on an agreed scope).
To combat a hacker you need to think like a hacker. Penetration testing is a type of ‘ethical hacking’ which is performed by ‘white hat hackers’. A pen test is a simulated attack on a business’s internal systems. Penetration tests are an excellent way to help businesses find exploitable vulnerabilities in their network which could allow cyber criminals access to critical assets.
CREST is the not-for-profit industry body representing the technical information security industry. CREST provides internationally recognised accreditation for cyber security service providers and professional certification for individuals providing penetration testing, cyber incident response, threat intelligence services and now Secure Operations Centre services.
Ready to achieve your security goals? We’re at your service.
Whether you are a CISO, an IT Director or a business owner, Equilibrium has the expertise to help you shape and deliver your security strategy.
What is the purpose of a Penetration Test?
The purpose of network Penetration Testing is to closely examine weaknesses in a corporate IT infrastructure. Network pen testing tools can be used to determine the effectiveness of security hardware, software and policies. Essentially it tests whether a hacker would be able to evade your security defences or if your technical controls are working successfully. Once these weak spots are identified, the pen tester can either: provide a report detailing the security holes discovered OR safely exploit the vulnerabilities found within the system in a controlled environment.
What different types of penetration testing are there?
As mentioned previously, there are many different types of penetration tests and not all pen tests are equal. The results of using different penetration tests can vary massively depending on how much information the CREST penetration tester is given prior the assessment. Some of the different penetration tests include: web application pen tests, cloud penetration testing, physical pen testing, external network penetration testing, online website pen testing, network security penetration testing and internal network penetration testing. The benefits of carrying out a range of different penetration tests is that it gives you a clearer view of your security posture. It allows you to evaluate how secure each gateway of your network is and how easy it would be for a hacker to gain access to your systems and sensitive information.
Social Engineering penetration testing
Social engineering pen tests is the practice of attempting to dupe employees into giving out sensitive company information so that a tester can gain access to systems.
Criminal hackers are able to get information in other ways. Many of which involve one of the biggest causes of cyber breaches- human error. Unfortunately, bad actors are able to deceive employees all too often.
Some common techniques include phishing emails and calling impersonating a trusted person internally or a via third party. This commonly is to trick people into giving out passwords, bank details or making payments.
The benefit of a social engineering pen test is that it gives you an invaluable insight into how susceptible your employees are to this kind of attack. If your employees are successfully duped you can offer training to ensure they are no longer the weak link in your security defences.
A wireless penetration test checks the security of every wireless device within the company. This is usually a very detailed and targeted test which can involve a very long list of devices such as tablets, smart phones and laptops.
Wireless pen test methodology involves:
- Identifying all Wi-Fi networks as well as wireless fingerprinting and signal leakage
- Discovering encryption weaknesses such as session hijacking and wireless sniffing
- Identifying ways which hackers may be able to penetrate a system using wireless or evading WLAN access control
- Identifying credentials and users profiles to access private networks
- Wireless pen tests find vulnerabilities affecting wireless protocols, access point wireless and admin credentials.
A network penetration test is one of the most common pen test methods. The aim of a network pen test is to identify damaging vulnerabilities within a network infrastructure. As many networks have both external and internal access points, it is common practice to carry out tests on site and remotely. The benefit of network security and penetration testing is that it can discover critical flaws in your network security systems. Leaving these vulnerabilities unpatched could lead to a catastrophic breach.
A network penetration test assesses security gaps in devices and network services. This usually includes:
- Identifying internet-facing critical assets a cyber-criminal could exploit to gain entry into your network
- Testing the effectiveness of firewalls in place
- Assessing whether unauthorised users can gain access to your systems through an external network.
CREST pen testers would target the following network areas:
Firewall configuration testing.
Stateful analysis testing.
Firewall bypass testing.
DNS level attacks
Zone transfer testing.
Our Penetration Testing Process
Before testing commences, our experts will take time to understand your pen testing requirement in more detail, define the testing scope and gather the necessary technical information and access required to carry out the test.
Using a variety of pen testing tools our qualified penetration testers will manually assess your systems to identify security weaknesses/vulnerabilities which require patching and remediation.
In this phase we will interpret the results, and (if permitted and approved) exploit any vulnerabilities discovered. This will determine whether a hacker could use the vulnerability as leverage to gain wider access to your systems. However, many customers prefer to patch and remediate, rather than risking the potential service disruption that exploitation could cause.
Our experts will analyse the results and present the finding in a comprehensive penetration testing report. This will detail and categorise the vulnerabilities discovered ranked as either ‘Critical, High, Medium, or Low’, as well as outline instructions of how to remediate, patch and strengthen your defences.
After remediation, we can retest your systems to check that all patches have been applied and security holes have been mitigated.
How can we help?
Here at Equilibrium, we are CREST certified penetration testers. CREST penetration testing certifications demonstrate that a company follows a stringent and industry approved penetration testing methodology. In order to achieve this certification, you must undertake a series of rigorous and detailed exams. As security and penetration testing experts, we are able to support our customers with all penetration testing requirements.