What is a penetration test and what is involved?

Here at illume we specialise in helping businesses stay safe in the face of an ever-growing cybersecurity threat, with a broad range of services, including a number of different penetration tests, and vulnerability scanning.

With almost daily news reports about ransomware attacks on every type of organisation, from global law firms to local schools, it is of little surprise that information about what protection is available, suitable, and effective is being sought by those tasked with keeping their organisation’s data safe. In response, we have pieced together this guide to penetration testing.

Penetration testing is a common term when it comes to defending systems and networks against cyber criminals, but there is some confusion as to what exactly a penetration test is, what is involved, and what benefits it brings.

How does penetration testing work?

Penetration testing is performed by experienced security professionals, who use the same tools and methods as the cybercriminals to try to find vulnerabilities in your system architecture, albeit in a controlled and non-destructive way. Vulnerabilities are the weak spots that could be exploited by the cybercriminals if they find them first.

What types of penetration test are available?

There are a number of different tests that can be ordered from security professionals like us, including Internal Penetration Testing, External Penetration Testing and Web Application Penetration Testing.

Each has its specific use and benefit, which we’ll look at in a series of blogs in the coming weeks, but in short, internal testing assesses the infrastructure that is ‘inside’ the corporate network, assessing the risk posed by virus/malware outbreaks, rogue employees and physical intruders.

External testing assesses the infrastructure accessible from the internet and the risk of criminals identifying it and exploiting vulnerabilities, whether directly or through phishing attacks on employees.

Web application testing is undertaken remotely and is designed to find vulnerabilities in websites, dashboards and web applications. The discovered vulnerabilities are often different to those seen during infrastructure testing, with many vulnerabilities being unique to web applications. Web application testers will seek out logic flaws which could allow an attacker to gain unauthorised access to the website, make changes to pages, or even gain access to the server on which the web application resides.

Penetration testing can also optionally include social engineering, in which testers send phishing emails to staff members to try to obtain credentials. Penetration testing is always tailored to the client’s organisation and, typically, no two tests are identical.

What does a penetration test report contain?

Regardless of which test you choose, a comprehensive report will follow. The report will often start with an executive summary, which provides a board-level overview of the findings, including the severity of the vulnerabilities found and the potential impact to the business should an attacker leverage them.

The report will then go on to describe the findings in more detail. Each vulnerability is described in detail, along with its risk profile, solutions/remediation steps and a list of the affected hosts.

Our expert testers will also upload vulnerabilities in real time to an interactive secure dashboard. The Vulnerability Management Platform (VMP) allows you to assign vulnerabilities to users within your team, filter by test/host and track the vulnerabilities as they are resolved, making for a far quicker closing of the holes in your defences.

Is penetration testing good value?

At a time when organisations face a raft of unexpected costs related to the pandemic, new flexible working arrangements and possible insurance cost rises, it can be easy to see penetration testing as just another unwanted expense. But ignoring it could prove far more costly.

Effective penetration testing requires experience and detailed knowledge of infrastructure and systems architecture, allied to a range of skills possessed only by specialist security professionals. It must now be considered just another cost of doing business in the current age.