Knowing the distinctions between them is essential for anyone responsible for protecting an organisation, because they are used in different circumstances to achieve different goals.
You don’t want to call for an ethical hacker when you want a penetration tester or vice versa, because you’ll end up with a service that doesn’t meet your requirements.
Let’s take a look at what each process involves and how you can decide which one is right for you.
What is penetration testing?
Penetration testing is a type of security test in which an organisation hires a certified professional to assess the strength of its cyber security defences.
These are usually performed via on-site audits of the organisation in question. The penetration tester is given a certain amount of privileged information and attempts to use it to reach sensitive information.
Different types of penetration tests focus on specific aspects of an organisation’s logical perimeter. These include:
- External network tests, which look for vulnerabilities and security issues in an organisation’s servers, hosts, devices and network services.
- Internal network tests, which assess the damage an attacker could do when they gain access to an organisation’s internal systems.
- Web application tests, which look for insecure development practices in the design, coding and publishing of software or a website.
- Wireless network tests, which assess vulnerabilities in wireless systems, including Wi-Fi, rogue access points and weak encryption algorithms.
- Phishing penetration tests, which assess employees’ susceptibility to scam emails.
Whatever type of penetration test you conduct, it is typically carried out at regular, set times – usually quarterly or whenever the organisation makes major changes to its networks or applications.
Assured security with IT Governance
You can learn more about penetration testing and ethical hacking by downloading Assured Security – Getting cyber secure with penetration testing.
This free green paper explains in more detail how penetration testing works, the vulnerabilities you should be concerned about and the different types of penetration test you can use to detect them.
What is ethical hacking?
The goal of ethical hacking – like criminal hacking – is to find security vulnerabilities in an organisation’s systems. However, as the word ‘ethical’ suggests, the person conducting the attack must have the organisation’s approval before proceeding.
Why would an organisation ask someone to hack them? Simple: they understand that one of the best ways to identify the flaws that a cyber criminal might exploit is to think like a cyber criminal themselves.
Ethical hackers are often hired before a new system or a major update goes live. They test the systems, looking for weaknesses that they can exploit and keeping notes of their findings.
Similarly, organisations can call on ethical hackers as part of a ‘bug bounty’ scheme. These offer financial rewards to people who provide evidence of an exploitable flaw in the organisation’s systems.
Bug bounties aren’t simply a way of helping organisations identify weaknesses, though. They also incentivise recreational hackers to stay on the right side of the law.
Whether they’re being offered a bounty or not, many hackers will probe organisations’ systems in their spare time because they enjoy the challenge. But once they make a breakthrough, they might find it tempting to use their discovery for criminal gain – moving from ‘white-hat’ hacker to ‘black-hat’.
Offering them a reward for sharing their findings means it’s not simply a case of money vs ethics.
Which one is right for you?
At various times, either ethical hacking or penetration testing will be the right solution for you, as both help you achieve essential cyber security objectives.
Ethical hacking gives you a thorough assessment of your security practices and, in the case of bug bounties, can help you spot weaknesses in systems that are already live.
Its approach to cyber security is far more diverse than penetration testing. Whereas penetration testing focuses primarily on system weaknesses, ethical hacking gives actors the freedom to use whatever attack methods they have at their disposal.
They can exploit system misconfigurations, send phishing emails, conduct brute-force password attacks, breach the physical perimeter or do anything else that they believe will give them access to sensitive information.
This is extremely helpful for identifying exactly how vulnerable your organisation is to cyber threats, because crooks are increasingly mixing up their techniques and conducting multi-layered, sophisticated attacks.
Of course, it’s often simply not feasible to go to such lengths every time you want to test the security of your system.
Penetration testing enables you to perform focused tests on specific parts of your organisation. The results are extremely useful for identifying system flaws – the extent of which can often only be identified through testing – and highlighting the steps that need to be taken to address them.
The benefits of this are self-evident, which is why so many data protection laws and frameworks – such as the GDPR (General Data Protection Regulation) and the PCI DSS (Payment Card Industry Data Security Standard) – mandate that penetration tests be conducted regularly.
Professional testing with IT Governance
If you’re looking for ethical hacking or penetration testing support, we are here to help.
We have a variety of fixed-price testing packages that are suitable for any organisation that wants to identify the exploitable weaknesses targeted by cyber attackers.
Once the test is completed, we’ll provide a report that outlines your top priorities and explains the steps you can take to better protect your organisation.
A version of this blog was originally published on 4 February 2020.