Pen testing – UK executive guide

What is penetration testing? 

Penetration testing is an attempt to safely exploit your IT systems to determine whether they’re vulnerable to attack. It includes a series of tests, carried out by a specialist penetration tester, who looks for vulnerabilities in your systems that cyber criminals could exploit.

Why would I want penetration testing?

  • Ensure your critical assets and data are secure: identifying vulnerabilities lets you protect your environment from malicious attacks by mitigating critical threats, which reduces the likelihood of a breach
  • Evidence that your systems have been tested, demonstrating to customers, business partners and stakeholders that your organisation takes security seriously
  • It may help you meet regulatory compliance requirements (like PCI DSS)

What happens during a penetration test?

We start with a scoping call, identifying the boundaries we’re working within. We’ll agree on the requirements and outcomes of the testing, before moving on to testing your systems. Our penetration testers follow a proven methodology with a series of simulated tests to identify any weaknesses in your defences – whether internally or externally. We adhere to an agreed set of rules of engagement before, during and after every penetration test.

Often it is the combination of a series of weaknesses in your systems that allows attacks, rather than a single vulnerability. That’s why our tests combine a series of lower-risk exploits in a particular sequence, to determine whether they would have any effect.

We test against the OWASP top 10 and detail the penetration test findings in a report that includes guidance around the vulnerability, impact, threat and the likelihood of a breach within your organisation. It highlights the potential risks and recommends where additional resources should be applied to protect your systems.

We will provide a comprehensive combined technical and summary report, detailing our findings and any remediation points, and will go through these at the planned debrief within five days of pentest completion.

What does a tester need to know before starting?

Typically, penetration testers will want to know at least the following:

  • The list of targets, in detail
  • What the targets are (Network Infrastructure, Web Application, API, etc.)
  • In the case of a web application or API, a rough approximation of the number of endpoints/pages
  • The sensitivity of the data on the systems in scope
  • Where the systems are situated
  • If there are any third parties (web hosts, managed service providers)
  • Who these third parties are, with written permission allowing testing
  • The level of access you would like the testers to have

How often should we pentest?

Penetration testing should be performed on a regular basis. This ensures that you can detect and respond to any newly discovered threats or emerging vulnerabilities that could lead to a system compromise by attackers.

Furthermore, penetration tests should also be carried out whenever:

  • Significant changes to your infrastructure have taken place
  • Additional locations or branch offices are opened
  • You suspect or have fallen victim to an attack

What are the different types of penetration tests?

What is Black Box Testing?

Black box testing, in the context of penetration testing, is a method of vulnerability assessment whereby the tester attacks a target with the same level of knowledge and permissions as a genuine malicious actor might have. Typically, this means the test begins with the tester receiving no information on internal workings, and no credentials or permissions.

While black box testing can offer valuable insight by using the same methodologies that a real attacker might, it is important to understand that the expected result from such a test is unlikely to include details of the potentially critical vulnerabilities that could be detected during a white box test.

What is White Box Testing?

Conversely, white box testing involves providing the tester with the very knowledge and permissions denied to black box testers. This gives the assessor the ability to probe the target for vulnerabilities present within the application’s core, an area hidden from a black box tester.

Performing this type of testing allows organisations to more accurately understand the risks present in their applications and services by revealing vulnerabilities that are presented only to end users with permissions greater than nil, and real attackers who have managed to crack the outermost layer of security.

Crucially, white box testing is not exclusive of black box testing: a white box assessment includes everything involved in a black box test, and also covers otherwise unreachable areas.

What should I do next?

If you need any help, feel free to contact the team at Securious, the South West’s leading cyber security company. They have provided the content on this site and are passionate about helping businesses and organisations understand and improve their cyber security.

If you have any questions, a member of the team would be more than happy to speak with you – just fill in the contact form below, or get in touch with them on 01392 241110, or info@securious.co.uk
