Penetration Testing - A simulated cyber attack

Definition, phases & benefits

Many companies check their software security through so-called penetration testing. But not every company knows exactly what this is and what advantages this test offers. In the following I will explain “penetration testing” to you in more detail.

What is a penetration test?

A penetration test, also known as a "pen test", is a simulated cyber attack on, for example, a company's software or infrastructure, carried out to find security gaps or circumvent protective measures. It uses the same tools that a black hat hacker would use. The difference is that pen testers help the company find vulnerabilities and don't exploit them. At the end of a pen test, the pen testing team provides the company with a list of all the vulnerabilities found. The company then takes care of eliminating the gaps itself.

What types of penetration tests are there?

There are a total of 10 different types of penetration tests, which are assigned to two overarching categories: hardware/software tests and social engineering tests.

The hardware/software tests attempt to find security gaps in systems (e.g. web applications or IoT devices), while social engineering tests focus on the company's employees, from whom sensitive information such as passwords or secret documents is to be extracted.

What are the phases of a penetration test?

There are 5 phases in a penetration test: reconnaissance, scanning, vulnerability assessment, exploitation and reporting.

1. Reconnaissance:

In this phase, information about the target to be attacked is collected. Data is collected about the network, the operating system, the applications and the user accounts.
A distinction is made between active and passive reconnaissance. Passive means that the information is obtained from publicly accessible sources. Active, on the other hand, means that the pen tester addresses the target system directly.

2. Scanning:

When a target system is scanned, the network traffic is examined and all open ports are identified. Hackers can use these ports to launch specific attacks on a system.

3. Vulnerability Assessment:

In phase three, the information from phases one and two is used to find vulnerabilities in the tested system.

4. Exploitation:

Attempts are now made to exploit the vulnerabilities found in order to gain access to the target system.

5. Reporting:

The final phase is creating a document listing all the problems and vulnerabilities found. With this document, the company can fix the vulnerabilities found after the penetration test.

Advantages of a penetration test

Vulnerabilities in applications or infrastructure can be very dangerous and expensive. By conducting a penetration test, errors can be detected and quickly corrected. This makes it harder for hackers to steal user data from the company. In addition, developers and administrators can be made aware of certain scenarios.

Summary

All in all, it is always an advantage if a system is checked for security gaps at regular intervals in order to ensure the security and availability of the system in the long term.
Sven Hilsman

Author

Sven Hillsman
Advanced Software Developer & Security Expert