Penetration testing, or pen testing, is essentially hiring a security expert to ethically hack into your organization’s network and tell you what vulnerabilities exist, how an attacker may use them against you, and what the level of risk associated with those vulnerabilities is. Penetration test is commonly shortened to pen test, and the two can be used interchangeably. The specifics behind a pen test may vary depending on several factors. Let’s look at a few different variations of a pen test.
Red vs. Blue vs. Purple
The first determining factor as to what a pen test will look like is whether it is a red team engagement. In a red team engagement, an ethical hacker is trying to break into your network with your network defenses in place and your response team acting accordingly. Check out this blog for the advantages and disadvantages of this type of test. To summarize, this is a great way to understand your real level of risk, but may fall short of giving you a comprehensive understanding of all risks and associated vulnerabilities. Therefore, it is recommended for clients after they reach a certain level of security maturity.
A typical pen test is more cooperative in nature, taking on elements of a purple team where the attackers and defenders are working together. While a true purple team engagement generally involves the red team and blue team (defenders) actively working together to launch and subsequently detect/block typical attacks, the collaboration that happens during a pen test isn’t quite as involved. Usually, you will turn off the things that will actively block our IP addresses and put any security controls into detect-only mode. This allows the test team to check every window and knock on every door to identify vulnerabilities, which is generally pretty “loud”, but the best way to understand whether there is a door that is unlocked in a limited time period.
External vs. Internal vs. Wireless vs. Social Engineering vs. Physical Pen Test
There are many variations of pen test, and the type of test will ultimately determine where the test team starts and what their primary objective is. For example, in an external pen test a tester will start from the Internet and try to break in to applications/hosts/networks. But on an internal pen test, they start on the internal network, emulating the risk of an attacker who has already gain access or an insider threat. For a full list and explanation of the different flavors of penetration test, check out this blog.
In summary, a penetration test is a security assessment designed to emulate the threats your organization faces. The specifics of the test will vary according to the level of cooperation between your team and ours, and the type of test you are interested in achieving. Triaxiom is a CREST-accredited penetration testing provider and we would be happy to discuss your needs when it comes to penetration testing. Contact us for more info.