The terms ‘penetration testing’ and ‘ethical hacking’ are often used interchangeably when referring to internal cyber security tests, but they’re not exactly the same.
Knowing the distinctions between them is essential for anyone responsible for protecting an organisation, because they are used in different circumstances to achieve different goals.
You don’t want to call for an ethical hacker when you want a penetration tester or vice versa, because you’ll end up with a service that doesn’t meet your requirements.
Let’s take a look at what each process involves and how you can decide which one is right for you.
What is penetration testing?
Penetration testing is a type of security test in which an organisation hires a certified professional to assess the strength of its cyber security defences.
These are usually performed via on-site audits of the organisation in question. The penetration tester is given a defined amount of privileged information (for example, network details or user credentials) and attempts to use it to reach sensitive information, documenting each weakness exploited along the way.
Different types of penetration tests focus on specific aspects of an organisation’s logical perimeter. These include:
- External network tests, which look for vulnerabilities and security issues in an organisation’s servers, hosts, devices and network services.
- Internal network tests, which assess the damage an attacker could do when they gain access to an organisation’s internal systems.
- Web application tests, which look for insecure development practices in the design, coding and publishing of software or a website.
- Wireless network tests, which assess vulnerabilities in wireless systems, including Wi-Fi, from rogue access points to weak encryption algorithms.
- Phishing penetration tests, which assess employees’ susceptibility to scam emails.
Whatever type of penetration test you conduct, it is typically carried out at regular, set times – usually quarterly, or whenever the organisation makes major changes to its networks or applications.
Assured security with IT Governance
You can learn more about penetration testing and ethical hacking by downloading Assured Security – Getting cyber secure with penetration testing.
This free green paper explains in more detail how penetration testing works, the vulnerabilities you should be concerned about and the different types of penetration test you can use to detect them.
What is ethical hacking?
The goal of ethical hacking – like criminal hacking – is to find security vulnerabilities in an organisation’s systems. However, as the word ‘ethical’ suggests, the person conducting the attack must have the organisation’s approval before proceeding.
Why would an organisation ask someone to hack them? Simple: they understand that one of the best ways to identify the flaws that a cyber criminal might exploit is to think like a cyber criminal themselves.
Ethical hackers are often hired before a new system or major update goes live. They test the systems, looking for weaknesses that they can exploit and keeping notes of their findings.
Similarly, organisations can call on ethical hackers as part of a ‘bug bounty’ scheme. These offer financial rewards to people who provide evidence of an exploitable flaw in the organisation’s systems.
Bug bounties aren’t simply a way of helping organisations identify weaknesses, though. They also incentivise recreational hackers to stay on the right side of the law.
Whether they’re being offered a bounty or not, many hackers will probe organisations’ systems in their spare time because they enjoy the challenge. But once they make a breakthrough, they might find it tempting to use their discovery for criminal gain – moving from ‘white-hat’ hacker to ‘black-hat’.
Offering them a reward for sharing their findings means it’s not simply a case of money vs ethics.
Which one is right for you?
Both ethical hacking and penetration testing will be the right solution at different times, as each helps you achieve essential cyber security objectives.
Ethical hacking gives you a thorough assessment of your security practices and, in the case of bug bounties, can help you spot weaknesses in systems that are already live.
Its approach to cyber security is far more diverse than penetration testing. Whereas penetration testing focuses primarily on system weaknesses, ethical hacking gives the tester the freedom to use whatever attack methods they have at their disposal.
They can exploit system misconfigurations, send phishing emails, conduct brute-force password attacks, breach the physical perimeter or do anything else that they believe will give them access to sensitive information.
This is extremely helpful for identifying exactly how vulnerable your organisation is to cyber threats, because crooks are increasingly mixing up their techniques and conducting multi-layered, sophisticated attacks.
Of course, it’s often simply not feasible to go to such lengths every time you want to test the security of your system.
Penetration testing enables you to perform focused tests on specific parts of your organisation. The results are extremely useful for identifying system flaws – the extent of which can often only be identified through testing – and highlighting the steps that need to be taken to address them.
The benefits of this are self-evident, which is why so many data protection laws and frameworks – such as the GDPR (General Data Protection Regulation) and the PCI DSS (Payment Card Industry Data Security Standard) – mandate that penetration tests be conducted regularly.
Professional testing with IT Governance
If you’re looking for ethical hacking or penetration testing support, we are here to help.
We have a variety of fixed-price testing packages that are suitable for any organisation that wants to identify the exploitable weaknesses targeted by cyber attackers.
Once the test is completed, we’ll provide a report that outlines your top priorities and explains the steps you can take to better protect your organisation.
A version of this blog was originally published on 4 February 2020.
You must have done thorough research on this topic. I was looking for such an explanation for a few hours on the internet and I got your article, which helped me to get clear insights about ethical hacking and penetration testing. Even the bonus point is I got the differences between them. Thanks a lot for sharing such a grateful article. Keep going.
Hi Irwin. Thanks for Certified Ethical Training Course. Keep writing good content.
This is a very nice one and gives in-depth information. I am really happy with the quality and presentation of the article. I’d really like to appreciate the efforts you get with writing this post. Thanks for sharing.
This one is so helpful. I’ve been looking around for the differences between the two. I’m interested in the two now. I’m glad to be part of the hack world and this article has shed much light for me, thanks …
Thank you for sharing this article it is really helpful to know about the difference between ethical hacking and penetration testing.
Great piece. The fun part is that you get to catch the general overview of it at a glance without struggle. I got certified this year (CEH v11) and going through this article makes me feel refreshed!
A nice piece, thank you for sharing. It’s quite educating.
This is one that is so valuable and helpful. I’ve been looking around for the differences between the two. I’m interested in the two now. I’m glad to be part of the hacking world and your blog was amazing for me, thank you so much sir.
I just want to say I am very new to blogs and truly savored your website. More than likely I’m likely to bookmark your website. You amazingly come with superb articles and reviews. Regards for sharing your webpage.
Hello Luke Irwin,
Thanks for sharing Certified Ethical Hacking information. Very good article. Thank you so much.