Penetration testing is a skilful and sophisticated “white hat” attempt to evaluate the security of a company’s entire network by safely attempting to exploit system vulnerabilities. Such assessments are useful in validating the efficacy of organisational security measures and adherence to security policies.
Security is a process – not a product that can be bought and configured. It is essential that a company’s security posture is validated using a rigorous process of testing and feedback. This ensures that routine changes to applications and the threat landscape can be accounted for.
Penetration testing services are typically performed using manual or automated technologies to systematically compromise servers, endpoints, web applications, wireless networks, network devices, mobile devices and other potential points of exposure.
Penetration Testing Strategies
Targeted Penetration Testing
Targeted testing is performed by the organisation’s IT team and the penetration testing team working together. It’s sometimes referred to as a “lights-turned-on” approach because everyone can see the test being carried out.
External Penetration Testing
This type of penetration test targets a company’s externally visible servers or devices including domain name servers (DNS), e-mail servers, Web servers or firewalls. The objective is to find out if an outside attacker can get in and how far they can get once they’ve gained access.
Internal Penetration Testing
This test mimics an inside attack behind the firewall by an authorized user with standard access privileges. This kind of test is useful for estimating how much damage a disgruntled employee could cause.
Blind Penetration Testing
A blind penetration test strategy simulates the actions and procedures of a real attacker by severely limiting the information given beforehand to the person or team performing the test. Typically, they may only be given the name of the company. Because this type of penetration test can require a considerable amount of time for reconnaissance, it can be expensive.
Double Blind Penetration Testing
Double-blind penetration testing takes the blind test and carries it a step further. In this type of penetration test, only one or two people within the organization might be aware a test is being conducted. Double-blind tests can be useful for testing an organization’s security monitoring and incident identification as well as its response procedures.
Penetration Testing: How It Works
It is helpful to ensure independence between the company providing the security system and the company providing the penetration testing. To this end, activereach has a relationship with a certified penetration testing organisation which extends only to introducing penetration testing specialists to companies where activereach has deployed the security system. This eliminates any conflict of interest between the testing and the security system itself, yet allows a customer to engage a single company to both provide and test their network security.
- Penetration testing is a vital service for all companies with significant data assets to protect
- Penetration tests can be scaled to suit all sizes and types of companies
- activereach uses an independent penetration testing company to provide the service
Read our blog on penetration testing versus DDoS testing to discover why both types of testing are important.