Learn Penetration Testing

What is penetration testing?

Today, penetration testing is often confused with vulnerability assessments, red team assessments, and other security assessments. However, there are some differences between them, as follows:

  • Vulnerability assessment: This is the process of identifying vulnerabilities and risks in systems. In a vulnerability assessment, the vulnerabilities are not exploited. The assessment highlights the risks so that the business can understand them and plan remediation.
  • Penetration testing: This is the authorized process of finding and exploiting vulnerabilities to perform an intrusion into a network, application, or host within a predefined time frame. Penetration testing can be conducted by an internal team or an external third party. It goes one step further than a vulnerability assessment, in that a penetration test exploits each vulnerability to confirm it is real rather than a false positive and to show what an attacker could achieve with it. Penetration testing never involves anything unauthorized or uncoordinated. During a penetration test, some tests might affect business applications and cause downtime, so awareness at the management and staff levels is often required before testing begins.
  • Red team assessment: This is similar to a penetration test, but it is more targeted. Whereas a penetration test aims to discover as many vulnerabilities as possible and exploit them, a red team assessment aims to test an organization's detection and response capabilities, acting only on the vulnerabilities that help the team reach its objectives. In a red team assessment, the team will attempt to access information in any way possible while remaining as quiet as possible; stealth is key. A red team assessment also runs for much longer than a penetration test.

As you start your penetration testing journey, it's important to understand what penetration testing is. To illustrate what penetration testing is, let's consider a scenario.

Suppose you run an organization that holds customer data. Within your organization, you have SQL databases, public-facing websites, internet-facing servers, and a sizeable number of users. Your organization is a prime target for a number of attacks, such as SQL injection against the databases behind your websites, social engineering against your users, and password guessing against weak credentials. Should your organization be compromised, there is a risk of customer data being exposed, along with further damage.

In order to reduce your exposure to these risks, you need to identify the holes in your current security posture. Penetration testing helps you to identify these holes in a controlled manner before an attacker does. Penetration testing uses the same real-world attacks that attackers would leverage; the aim is to obtain accurate information about how deep an attacker could get into your network and how much information the attacker could obtain. The results of a penetration test give the organization a clear view of its vulnerabilities and allow it to fix them before an adversary can act on them.

Think of penetration testing as looking through the eyes of an enemy.

Penetration testing is often referred to as ethical hacking, white hat hacking, pentest, or pentesting.

As the security maturity of organizations differs, so will the scope of your penetration tests. Some organizations might have really good security mechanisms in place, while others might not. Just as policies, business continuity plans, risk assessments, and disaster recovery are integral parts of a business's overall security, penetration testing needs to be included alongside them.