What is Penetration Testing?

Penetration testing (also known as “pen” testing) is what happens when a business hires an ethical hacker to find and exploit their cybersecurity vulnerabilities. 

Much like running an office fire drill, penetration testing provides a heads-up about potential issues, so you can figure out a way to address problems before the real thing happens. 

Curious whether this might be a good idea for your organization? This article helps you understand precisely what pen testing is and isn’t, types of testing, and potential pitfalls. 

TL;DR: Penetration testing is when you hire an ethical hacker to hack your business and see how much damage they could cause. It’s a weird idea, but it can really help you see how a hacker would approach your systems. Contact Interplay to learn more.  

What Is Penetration Testing? 

Take a moment to think about all the computers and devices your organization uses, all the local and cloud applications you run on each of those devices, all the peripherals attached to your network like printers and scanners and phones, and all the background network equipment you have like servers and routers and switches.

Has your brain started to hurt yet? 

When you start to dive into the complexity behind IT systems, it quickly becomes clear that even the smallest in-office setups are sprawling hulks of interconnected systems. They have a lot of “unknown unknowns.” 

Penetration testing, the practice of hiring an ethical hacker to break into your systems, brings those unknown unknowns to light so you can fix them. 

The idea of hiring a hacker to break into your systems may sound foolhardy (and sometimes it is, if you hire the wrong one). However, much like hiring a thief to break into your bank vault, watching what the intruder does and how they try to circumvent your systems can provide you with a lot of great ideas on how to better secure your data and equipment. 

What Penetration Testing ISN’T

We’ve all heard news stories about friendly hackers who reach out to people or businesses to point out security flaws that need to be fixed. A recent example of this was when a reporter discovered an online flaw that exposed school employees’ Social Security Numbers to the public. The newspaper reached out and told the state’s Department of Elementary and Secondary Education about the flaw, and the state repaired it. 

This is NOT an example of penetration testing. 

Although this situation identified a cybersecurity flaw in a no-consequence environment that the state could repair before a cyberattack happened, the state did not hire the reporter to find that flaw, so it was not an example of penetration testing. 

Remember: if someone reaches out to your company and says they’ve found a flaw with your cybersecurity, this is NOT an example of penetration testing. (Don’t scoff. Strangely, this is a relatively common event. If they contact you, please contact your Managed Services Provider before doing anything… just in case.)

Another example of something that is NOT penetration testing is a Network Vulnerability Scan. Though a scan is a great first line of defense that can give you the 10,000-foot view of all the potential issues with your systems, it isn’t an actively simulated attack like penetration testing. 

Types of Penetration Testing

Now that we’ve got that covered, we can talk about the types of penetration testing. 

In general, there are three main types of testing available: 

  • Black box testing – In black box testing, the test is run as realistically as possible. The only information the hacker receives in advance is the name of the company (and maybe a specific, agreed-upon target). 
  • Gray box testing – In gray box testing, the hacker is given limited access to see how easily they can get to high-value data or technology that’s supposed to be hard to reach. 
  • White box testing – In white box testing, the hacker is given full credentials as if they were an employee, so they can test how much damage a disgruntled employee could inflict.

Sometimes the IT team knows about the test in advance – sometimes they are given no advance notice. In cases where they have no advance notice, the penetration testing exercise can also analyze IT’s response to the issue in real time. 

A hacker may also try to find the vulnerabilities in multiple systems. They may test your: 

The Pros and Cons of Pen Testing

While penetration testing can be extremely beneficial to a company, there can be some drawbacks. 

  • Pros include the advance knowledge about a system vulnerability, so you can fix it before it becomes a liability. 
  • Cons include the potential for a hacker to keep the information they find, or for bugs and flaws to corrupt your data, because the hacker will be using real cybercriminal tools to break into your network. The other big con is the cost – hiring an ethical hacker is pricey. 

If you’re interested in running a penetration test for your organization, you can avoid these drawbacks by limiting what tools a hacker can use, or what systems they’re allowed to go after. You can cut down on the cost by deploying AI to simulate a real penetration test instead of hiring a real-live hacker. 
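One way the “limit the tools and the systems” idea above is put into practice is a scope check that a tester’s harness consults before every action, so anything outside the agreed rules of engagement is refused and logged rather than attempted. The example below is added here to illustrate that; it is not Interplay’s code, and the address ranges, hostnames and tool-category names are constructed placeholders, not any real customer’s.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RulesOfEngagement:
    """Constructed, hypothetical rules of engagement for one test engagement."""
    in_scope: list = field(default_factory=list)      # CIDR ranges the tester may touch
    excluded: list = field(default_factory=list)      # ranges carved out (e.g. a production database)
    allowed_tools: set = field(default_factory=set)   # tool categories the contract permits

    @staticmethod
    def _nets(cidrs):
        return [ipaddress.ip_network(c, strict=False) for c in cidrs]

    def target_allowed(self, ip: str) -> bool:
        """True only if ip is inside an in-scope range AND not inside an excluded range."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self._nets(self.excluded)):
            return False
        return any(addr in net for net in self._nets(self.in_scope))

    def tool_allowed(self, tool: str) -> bool:
        return tool in self.allowed_tools


def check_action(roe: RulesOfEngagement, tool: str, ip: str):
    """Gatekeeper called before every action.
    Returns (allowed, reason) so refusals can be recorded in the final report."""
    if not roe.tool_allowed(tool):
        return False, f"tool category '{tool}' is not permitted by the contract"
    if not roe.target_allowed(ip):
        return False, f"target {ip} is outside the agreed scope"
    return True, "ok"


# Constructed example engagement: documentation-only address ranges, placeholder categories.
ROE = RulesOfEngagement(
    in_scope=["10.20.0.0/16", "192.0.2.0/24"],
    excluded=["10.20.5.0/24"],            # the range the client asked to be left alone
    allowed_tools={"port-scan", "web-app-scan"},
)

if __name__ == "__main__":
    # Two in-scope requests, one excluded range, one forbidden tool, one out-of-scope address.
    for tool, ip in [("port-scan", "10.20.7.14"), ("web-app-scan", "192.0.2.10"),
                     ("port-scan", "10.20.5.9"), ("social-engineering", "192.0.2.10"),
                     ("web-app-scan", "203.0.113.4")]:
        print(tool, ip, check_action(ROE, tool, ip))
```

The exclusion list is checked first on purpose: a carve-out the client requested must win even when the same address also sits inside a broader in-scope range.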

Want to Know More? 

Here at Interplay, we’re always happy to answer all your questions about cybersecurity. If you’d like to learn more about penetration testing and how it works (and whether it’s worth it for your business), all you have to do is reach out. 

Get Answers from Interplay

For 20+ years, the friendly and knowledgeable team at Interplay in Seattle has helped business leaders across a range of industries get more out of their tech, stress free. Not only are we always (and we mean always) happy to offer the best managed IT services, support, and advice, we’re also the team you can trust for the best cocktail recommendations here in Seattle or in Disney World – we’re versatile! All humor aside though, we’d love to help you get your IT running smoothly and securely, around the clock.