Penetration Testing Best Practices in 2022

Penetration testing is one of the most effective ways organisations can protect their sensitive data. And with more than 5 billion records breached last year, costing businesses $4.24 million (about €3.71 million), it’s essential that you act now.

In this blog, we explain how penetration testing works and look at some best practices to help you bolster your defences.

What is penetration testing?

Penetration testing is a type of security assessment in which a security professional probes an organisation’s systems looking for vulnerabilities. Assessments replicate the methods used by criminal hackers, giving organisations a real-world insight into the way a malicious actor might target their systems.

Tests are usually performed via on-site audits of the organisation in question. The assessor, known as a ‘pen tester’ or an ‘ethical hacker’, is given access to privileged information and attempts to leverage it to access sensitive information.

The techniques used will depend on the type of assessment, but testers typically search for:

  • Inadequate or improper configuration;
  • Hardware or software flaws;
  • Operational weaknesses in processes or technical countermeasures; and/or
  • Employees’ susceptibility to phishing and other social engineering attacks.

Although some organisations express concern about letting someone exploit their systems, there is nothing to worry about provided you use a testing provider that’s been certified by CREST.

Testers are obliged not to misuse or retain copies of any information they access, and they typically perform their assessments outside business hours to minimise disruption to business processes.


Free PDF download: Assured Security – Getting cyber secure with penetration testing

You can learn more about penetration testing and ethical hacking by downloading Assured Security – Getting cyber secure with penetration testing.

This free green paper explains in detail how penetration testing works and the different types of assessment that might be right for your organisation.


Types of penetration test

There are several types of penetration test designed to assess different parts of an organisation. The most common forms of penetration test are:

  • External network tests, which look for vulnerabilities in an organisation’s servers, hosts, devices and network services.
  • Web application tests, which look for insecure development practices in the design, coding and publishing of software or a website.
  • Internal network tests, which assess the damage an attacker could cause when they access an organisation’s internal systems.
  • Social engineering tests, which assess employees’ susceptibility to fraudulent emails.
  • Wireless network tests, which assess vulnerabilities in wireless systems such as Wi-Fi and rogue access points.

Penetration testing strategies

Before a penetration test, organisations must choose how much information to give to the tester.

The more information that’s provided in advance, the more thorough the examination will be. However, giving less information will result in a more accurate simulation of a real-world attack, because the tester must obtain information in the same way that a criminal hacker would.

When choosing how much information to give to testers, organisations can specify one of three options. On one end of the scale are black-box assessments, in which the penetration tester is given no information about the organisation’s internal systems.

On the other end are white-box assessments, in which the tester is given full access to the organisation’s source code and the environment of its IT infrastructure.

Between these are grey-box assessments, in which the tester has partial knowledge of or access to the organisation’s infrastructure. Certain details may be revealed to save time, with the assumption that the tester or criminal hacker has the wherewithal to access that information eventually.

What should a penetration test include?

Penetration tests typically follow a four-step process:

1. Planning

Before a test, organisations must work with the penetration tester to define the scope, approach, goals and limitations.

This includes determining whether it will be a black-, white- or grey-box test, as well as agreeing on basic logistical issues. For example, will the test be conducted outside of business hours, and will relevant employees be notified?

2. Discovery

The penetration tester prepares their attack, collecting and assessing as much information about the organisation as possible.

If it’s a white-box assessment, the organisation will have prepared the relevant information, and the penetration tester simply has to review it. For black- and grey-box assessments, the tester might scan for open ports, check for vulnerabilities or target employees with phishing emails.
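The discovery phase above notes that a tester may scan for open ports, and the planning step has already fixed who is testing and when. One thing a defender should get out of that is confirmation that their own monitoring saw the scan, and that any similar activity from elsewhere is raised on its own. The following script is an added example, not code from the original post or from IT Governance: it parses constructed firewall-style log lines (the log format, IP addresses, tester source list and engagement window are all assumptions), flags any source that touches many distinct ports within a short sliding window, and labels each alert as expected (agreed tester, inside the agreed hours) or unexpected.

```python
"""Port-scan detection over constructed log lines, with an engagement-window check.

Added example for this article; not IT Governance's code. The log format is
made up for the example: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>".
"""
import re
from collections import Counter, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:]+):(?P<port>\d+) (?P<action>\w+)$"
)

# Constructed sample traffic (not real logs). 10.0.0.5 sweeps ports during the
# agreed test window; 10.0.0.9 makes ordinary repeat connections to one port;
# 10.0.0.7 sweeps ports during business hours from an unagreed address.
SAMPLE_LOG = """\
2022-01-15T02:00:01 10.0.0.5 -> 10.0.1.20:22 DENY
2022-01-15T02:00:01 10.0.0.5 -> 10.0.1.20:23 DENY
2022-01-15T02:00:02 10.0.0.5 -> 10.0.1.20:80 ALLOW
2022-01-15T02:00:02 10.0.0.5 -> 10.0.1.20:443 ALLOW
2022-01-15T02:00:03 10.0.0.5 -> 10.0.1.20:445 DENY
2022-01-15T02:00:03 10.0.0.5 -> 10.0.1.20:3389 DENY
2022-01-15T02:00:04 10.0.0.5 -> 10.0.1.20:8080 DENY
2022-01-15T02:00:04 10.0.0.5 -> 10.0.1.20:8443 DENY
2022-01-15T02:00:05 10.0.0.5 -> 10.0.1.20:5900 DENY
2022-01-15T02:00:05 10.0.0.5 -> 10.0.1.20:1433 DENY
2022-01-15T09:15:00 10.0.0.9 -> 10.0.1.20:443 ALLOW
2022-01-15T09:15:30 10.0.0.9 -> 10.0.1.20:443 ALLOW
2022-01-15T09:16:00 10.0.0.9 -> 10.0.1.20:443 ALLOW
2022-01-15T14:30:00 10.0.0.7 -> 10.0.1.20:21 DENY
2022-01-15T14:30:01 10.0.0.7 -> 10.0.1.20:22 DENY
2022-01-15T14:30:02 10.0.0.7 -> 10.0.1.20:23 DENY
2022-01-15T14:30:03 10.0.0.7 -> 10.0.1.20:25 DENY
2022-01-15T14:30:04 10.0.0.7 -> 10.0.1.20:53 DENY
2022-01-15T14:30:05 10.0.0.7 -> 10.0.1.20:110 DENY
2022-01-15T14:30:06 10.0.0.7 -> 10.0.1.20:135 DENY
2022-01-15T14:30:07 10.0.0.7 -> 10.0.1.20:139 DENY
"""

# Assumed rules of engagement agreed in the planning step (constructed values).
ENGAGEMENT = {
    "tester_sources": {"10.0.0.5"},
    "start": datetime(2022, 1, 15, 1, 0),
    "end": datetime(2022, 1, 15, 5, 0),
}


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "port": int(m["port"]), "action": m["action"]}


def detect_scans(lines, min_ports=8, window=timedelta(seconds=60)):
    """Alert on any source touching >= min_ports distinct ports within `window`.

    One alert per source; its 'last' and 'ports' fields keep growing while the
    burst continues, so the alert describes the whole sweep, not just its start.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent, counts, alerts = {}, {}, {}
    for ev in events:
        src = ev["src"]
        q = recent.setdefault(src, deque())
        c = counts.setdefault(src, Counter())
        q.append(ev)
        c[ev["port"]] += 1
        while ev["ts"] - q[0]["ts"] > window:      # expire events outside the window
            old = q.popleft()
            c[old["port"]] -= 1
            if c[old["port"]] == 0:
                del c[old["port"]]
        if len(c) >= min_ports:
            a = alerts.setdefault(src, {"src": src, "first": q[0]["ts"], "last": ev["ts"], "ports": 0})
            a["last"], a["ports"] = ev["ts"], max(a["ports"], len(c))
    return list(alerts.values())


def classify(alerts, engagement):
    """Label an alert 'expected' only if it is from an agreed tester address and lies inside the agreed window."""
    out = []
    for a in alerts:
        ok = (a["src"] in engagement["tester_sources"]
              and engagement["start"] <= a["first"] and a["last"] <= engagement["end"])
        out.append({**a, "verdict": "expected" if ok else "unexpected"})
    return out


def run(log_text=SAMPLE_LOG, engagement=ENGAGEMENT):
    return classify(detect_scans(log_text.splitlines()), engagement)


if __name__ == "__main__":
    for alert in run():
        print(alert["verdict"], alert["src"], alert["ports"], "ports", alert["first"], "->", alert["last"])
```

The threshold and window are tuning knobs: the repeat connections from 10.0.0.9 never trip the detector because it counts distinct ports, not connections, and a sweep spread over longer than the window ages out of the deque before it reaches the threshold. The point of the "expected" label is not to suppress the tester's activity but to prove the tester was seen; an "unexpected" verdict during an engagement is exactly the case to raise with the tester and the rest of the team.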

3. Attack

Once the tester has gathered the necessary information, they will begin their attack. The specifics will depend heavily on the type of penetration test and the vulnerabilities that the tester has discovered.

In all cases, though, the tester’s goal is to replicate the actions of a criminal hacker, accessing resources, functionality and sensitive information.

4. Reporting

After completing their assessment, the penetration tester will create a report outlining the information that they were able to access and the vulnerabilities that they found.

Crucially, the report will also contain detailed recommendations on what the organisation can do to address its weaknesses and prevent a real attack.

Penetration testing with IT Governance

If you’re looking for ethical hacking or penetration testing support, we are here to help.

Our CREST-accredited penetration testing services have been developed to align with your business requirements, your budget and the value you assign to the assets you intend to test.

We have a variety of fixed-price packages that are suitable for any organisation that wants to identify the exploitable weaknesses targeted by cyber attackers.

And with both on-site and remote testing options available, we can assess your networks in whichever way you find most convenient.
