Penetration testing: what is it and what is its purpose?
Penetration testing and vulnerability assessment
Often the term vulnerability scanning or assessment and penetration testing are two phrases used in interchangeable ways. However, there are certain differences in their meaning as well as implications. When we talk about vulnerability assessment, we mean spotting certain vulnerabilities that remain in a system, Swascan offers an advanced Vulnerability Assessment tool that identifies and solves all vulnerabilities of websites and web applications. On the other hand, penetration test is an authorized attack (which is simulated) on a system to test its security.
in collaboration with
The purpose of penetration testing
Penetration testing can be both automated and manual. Despite its method, penetration testing includes several steps such as:
- Reconaissance: collecting pieces of information regarding the target before the test begins;
- The identification of the exploitable entry points;
- The actual or virtual attempt to break in;
- The final report that includes the results of the test that has been run.
Starting from this, we can state that the main goal of a pen test is to clearly identify security weak spots. Other than that, it is possible to list other specific objectives of penetration testing:
- Test the compliance of the security policy;
- Test the awareness of the staff regarding security matters;
- Check if and how an organization can face security disasters.
Different kinds of penetration testing
As far as penetration testing is concerned, there are several ways it can be performed. In the following list, we can go through these methods:
- External Testing: this test has a specific objective: identifying whether an attacker can get in and how deep can the attacker go once he’s in. Which are the targets of such tests? Anything visible on the internet:
- DNS (Domain Name Servers),
- Web applications,…
- Internal testing: an internal test is a simulation of an attack performed by an insider. If an attacker manages to steal an employee’s credentials, he already is behind the firewall and this specific test considers this scenario.
- Targeted testing: this specific test is run from the pentester and the IT staff of the company. These two entities work side by side and this is helpful to the IT staff that can better understand the attacker’s perspective.
- Blind testing: this could be a quite expensive testing methodology. The tester usually has only the company name available as information, anything else is often not provided. This test shows how an actual attack takes place.
- Double Blind testing: this test assumes that the IT staff has no knowledge at all about the upcoming attack. This test fakes a could-be-situation where the IT staff has no time to realize what’s going on.
in collaboration with
In order to assure to your business the best tool available, Swascan developed a special ( Premio Cisco-Marzotto winner ) cybersecurity platform. It is completely in Cloud, Pay per Use and SaaS. You can see for yourself in our brochure: Cybersecurity platform and have an in-depth look at our services. Our three services cover all the governance needs in terms of risk management and periodic assessment. Basically, if you need to understand the areas in which your efforts must focus, Vulnerability Assessment, Network Scan and Code Review are the right tools for you. Last but not least, don’t forget GDPR: our platform is 100% GDPR compliant ( GDPR infographic ).