Penetration testing, or pen testing, is the process of attacking an enterprise's network to find any vulnerabilities that could be present to be patched. Ethical hackers and security experts carry out these tests to find any weak spots in a system’s security before hackers with malicious intent find them and exploit them. Someone who has no previous knowledge of the system's security usually performs these tests, making it easier to find vulnerabilities that the development team may have overlooked. You can perform penetration testing using manual or automated technologies to compromise servers, web applications, wireless networks, network devices, mobile devices, and other exposure points.
There are many types of penetration testing. Internal penetration testing tests an enterprise's internal network. This test can determine how much damage can be caused by an employee. An external penetration test targets a company's externally facing technology like their website or their network. Companies use these tests to determine how an anonymous hacker can attack a system. In a covert penetration test, also known as a double-blind penetration test, few people in the company will know that a pen test is occurring, including any security professional. This type of test will test not only systems but a company's response to an active attack. With a closed-box penetration test, a hacker may know nothing about the enterprise under attack other than its name. In an open-box test, the hacker will receive some information about a company's security to aid them in the attack.
Penetration tests have five different stages. The first stage defines the goals and scope of the test and the testing methods that will be used. Security experts will also gather intelligence on the company's system to better understand the target. The second stage of a pen test is scanning the target application or network to determine how they will respond to an attack. You can do this through a static analysis of application code and dynamic scans of running applications and networks. The third stage is the attack phase, when possible vulnerabilities discovered in the last stage are attacked with various hacking methods. In the fourth stage of a penetration test, the tester attempts to maintain access to the system to steal any sensitive data or damaging systems. The fifth and final stage of a pen test is the reporting phase, when testers compile the test results.