What is Penetration testing or Pen testing?
Penetration testing, or Pen testing (or Pen-testing), is a technique to evaluate and examine the security of an IT infrastructure system, usually web or network based. It involves simulating a hack attack environment to assess the vulnerabilities in the system. Once the hack environment is set up, security researchers attempt to exploit security vulnerabilities (for example: service flaws, application flaws, OS flaws, improper configurations, end-user behavior i.e. human errors, etc.) as real hackers do, and assess the impact on the business. Penetration testing helps organizations assess the efficacy of their security mechanisms as well as end-user adherence to security policies. It is important for organizations to know whether they are vulnerable or not. If yes, what is the scope, i.e. the severity of the vulnerability, and much more. And most importantly, how should I mitigate the vulnerabilities in the system if any are found?
Most people confuse the terms Penetration testing and Vulnerability assessment. Vulnerability assessment is basically a subset of Penetration testing, i.e. it is just a small part of Penetration testing. The major drawback of vulnerability assessment is that it is limited to known vulnerabilities, i.e. vulnerabilities known for a specific piece of software, while Penetration testing explores unknown threats and exploitable exposures for a business. So we can simply say that Penetration testing is a preventive control while Vulnerability assessment is a detective control, or in simple words, Penetration testing is prevention while Vulnerability assessment is cure, and we all know prevention is better than cure. It is a big topic in itself and we will discuss it in detail in later articles.
Penetration testing or Pen-testing can be classified into multiple categories based on its nature.
Based on process:
1. Manual Penetration testing
2. Automated Penetration testing
3. Combination of both Manual and Automated testing
Based on strategy:
1. Black Box Penetration testing
2. Grey Box Penetration testing
3. Code Review or White Box Penetration testing
Based on infrastructure:
1. Network Penetration testing
2. Application Penetration testing
3. Website Penetration testing
4. Physical Penetration testing
5. Cloud Penetration testing
6. Social Engineering Penetration testing
7. Configuration Overview Penetration testing
8. Operating System Penetration testing
There are several other classifications provided by service providers, but the three above cover all of those techniques.
We will discuss all of these in detail in our upcoming articles. So keep connected and keep learning.