What is Penetration Testing?

The Ultimate Challenge


In a wave of large-scale cybersecurity breaches, many firms are looking for better strategies to manage cybersecurity risks. One highly effective exercise is the PenTest.

In this article, we break down the various kinds of Penetration Tests and how to select between them.

What is a Penetration Test?
Penetration testing is a simulated attack on your network, orchestrated by a certified security engineer or group of security engineers to attempt to compromise your network and digital assets. Assets generally include sensitive information the company needs to protect, such as credit card information and user data. Of course, experts are trained so as not to cause any damage or delete any data during the exercise. The goal is to expose flaws and breaches in order to demonstrate how much data could be stolen, or how your infrastructure and security team would cope with a real-life attack.

What kinds of Penetration Tests are there?
External
External penetration testing is the attempt to compromise your assets from outside your perimeter network. In order to protect yourself from outside threats, Silent Breach tests all internet-facing components (websites, email servers, DNS servers, and so on) for potential security gaps that would allow an attacker to breach the system and gather or damage sensitive data.

Internal
In excess of two thirds of computer intrusions originate from within the company. Internal attacks can have a disproportionately large impact on a business and its processes given the nature of internal trust relationships. Inside information gives an attacker an important edge in stealing sensitive information or bringing down critical services of the company.

Black Box
Black box testing refers to testing a system without any prior knowledge of the target. All information is gathered from either public sources, or through a specific assessment of the client's infrastructure. Black box testing is usually preferred to simulate real life attacks from external hackers.

White Box
White box testing refers to testing a system with shared knowledge of the system, in full collaboration with the client and their technical staff. White box testing is usually preferred when simulating internal attacks, where employee might exploit well-known flaws in the system.

Grey Box
Unsurprisingly, grey box testing is a combination of black and white box testing, meaning that we will conduct penetration testing with a limited amount of information on the target(s). This is usually preferred for cost efficiency reasons, to save time in the gathering of information required during black box testing, which can be very time consuming (and costly).

Which Penetration Test is best for me?
There are many factors to consider when choosing the test. The first thing to determine is the scope of the test. If you're an SMB, for example, you'll have a far smaller attack surface than a large multinational. Smaller surface translates to a shorter test. Furthermore, as a small firm, your main threats will come from social attacks (like phishing) perhaps attached to an external black or grey box approach. These are easily customizable and cheap for hackers to run, and allow them to target a large group of SMBs at one shot.

Another factor to consider is cost. Quality Penetration Tests don't come cheap, so you'll have to determine your available budget beforehand. For those with a large security budget, running separate black and white box attacks will be the most comprehensive, but grey box tests will usually be the most economical.

Finally, it's important to consider the objective of the test. Are you performing a basic sanity test or are you trying to satisfy certain industry regulations? Companies working in finance or healthcare, for example, may be legally forced to choose a particular Penetration Test.

If you'd like help determining the appropriate Penetration Test for your company, contact Silent Breach for your free same-day consultation.


About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.