A penetration test (pentest for short) entails deploying an attack on a computer system in a controlled environment with the sole intention of uncovering security weaknesses and exploiting them safely to potentially gain access to the system, its functionality, and data.
The process involves identifying the target systems and the goal, then reviewing the accessible information and undertaking available means to attain the goal.
Penetration tests come in various forms:
- white box – where all background and system information is provided
- black box – where only basic information, or none beyond the company name, is provided
- grey box – where a combination of white box and black box testing is conducted.
A penetration test can help determine whether a system is vulnerable to attack, whether its defenses were sufficient, and which defenses (if any) were defeated in the penetration test.
Security issues uncovered through the penetration test are reported to the system’s owner.
Penetration test reports may also assess the potential impacts on the organization and suggest countermeasures to reduce risks.
Penetration tests are valuable for several reasons:
- Determining the feasibility of a particular set of attack vectors
- Identifying higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence
- Identifying vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software
- Assessing the magnitude of potential business and operational impacts of successful attacks
- Testing the ability of network defenders to successfully detect and respond to the attacks
- Providing evidence to support increased investments in security personnel and technology.