A penetration test, also known as a "pen test," is a simulated cyber attack on a computer system, network, or web application to evaluate the security of the system. The goal of a penetration test is to identify vulnerabilities or misconfigurations that an attacker could exploit and to determine the effectiveness of the organization's security controls. This is done by simulating various types of attacks and attempting to gain unauthorized access to sensitive information or systems. The results of a penetration test can be used to improve the overall security of the organization.
Penetration testing is used for assessing:
- Vulnerabilities in systems, networks, and web applications that could be exploited by an attacker
- The effectiveness of security controls such as firewalls, intrusion detection systems, and antivirus software
- The ability of an attacker to gain unauthorized access to sensitive information or systems
- The ability of an attacker to escalate privileges and move laterally within a network
- The ability of an organization to detect and respond to a simulated cyber attack
- The overall security posture of the organization
The penetration exercise is very labor intensive and requires specialized skills to minimize risks to targeted systems. While creating a Denial of Service scnario is normally out of scope for a penetration test engagement, there is always a risk that systems may be damaged or rendered unavailable during the course of the penetration test. Therefore, penetration testing should only be performed by skilled professionals and with adequate planning.
True and complete risk based penetration testing processes may include non-technical attack methods, and may be conducted with full, little, or no knowledge of the target. Last, if internal and external testing is to be performed, the external testing usually occurs first.
Penetration Testing Phases
The Baker Business Center has adopted the NIST standard 800-15 (Guide to Penetration Testing) which describes a standard methodology for conducting penetration tests that includes the following phases: