Penetration Testing Types
Penetration tests expose an organization’s cybersecurity vulnerabilities so they can be fixed. Here’s what you need to know to capitalize on pen tests.
What are the Types of Pen Tests?
Network Penetration Test
A Network Penetration Test, as the name suggests, involves simulated hack attacks directed at the network of the organization being tested.
The External Network Penetration Test simulates real-life hacker attacks at a network level, in a scenario where the hacker is located outside the organization and its internal network.
The Internal Network Penetration Test, on the other hand, simulates real-life hacker attacks at a network level, in a scenario where the hacker is located inside the organization, connected to its internal network.
Both tests provide insights into how well protected the organization's networks and information resources are from malicious hackers.
Web Application Penetration Test
A web application is an application program that can be accessed through a web server such as online banking, e-commerce websites, and so on. Because these online portals enable a significant number of transactions of highly sensitive information and are typically globally accessible on the Internet, they are a high-value targets for attackers. By conducting Web Application Penetration Tests, organizations can significantly shore up defenses.
This test also includes testing of web services, which are vulnerable because they often interface with other IT solutions to meet business objectives. They are often the most neglected part of the application system because organizations think they are safer than the rest since they cannot be directly accessed through a browser or discovered openly. In fact, web services provide direct and easy access to hackers.
Cloud Infrastructure Penetration Test
Tests of cloud infrastructure identify vulnerabilities, misconfigurations, and implementation flaws. There are several ways in which a Cloud Infrastructure Penetration Test can be performed such as testing publicly available systems or privately held systems hosted within a cloud environment. All tests are performed after obtaining prior approval from the cloud service provider.
ICS/SCADA Penetration Test
ICS/SCADA Penetration Tests target the Industrial Control Systems (ICS) or the Supervisory Control and Data Acquisition (SCADA) systems within an organization. The tests are fully aligned with the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) requirements. These penetration tests require highly specialized skills and specific experience in testing ICS infrastructures.
Social Engineering Test
Social engineering attacks try to dupe computer users into installing malicious programs on their machines or divulging sensitive information. These tests help organizations understand how well their employees are equipped to protect organizational information and resources. Ethical hackers may send fake emails from management, masquerade as a technical support employee, or engage in other phishing schemes to see if employees click through, and accidentally expose the organization’s sensitive data.
PCI Penetration Test
Payment Card Industry Data Security Standard (PCI DSS) requirements mandate that organizations perform comprehensive and detailed infrastructure penetration tests of several types. These tests help organizations attain compliance with PCI requirements by performing ongoing and periodic PCI Penetration Tests that are designed to align with each specific PCI DSS requirement that organizations need to comply with.
Mobile Application Penetration Test
Mobile applications (“apps”) have become a crucial part of our lives. We use them for banking, ecommerce, messaging, maps, email and scores of other things. Unfortunately, they also provide additional entry routes to hackers. A Mobile Application Penetration Test allows organizations to assess their mobile application infrastructure.
Physical Site Penetration Test
Testing the physical defenses of an organization helps ensure that data can’t be exploited via gaps in physical controls and security. Investigators test whether individuals can gain physical access to the organization’s sensitive information and storage areas.
Regulatory Compliance Penetration Test
Many organizations are regulated by data laws such as GLBA, HIPAA, GDPR, HITECH, FACTA, FERPA, BSA, and so on. Most regulations directly or indirectly require organizations to perform ongoing and periodic penetration tests of the technical infrastructure that houses sensitive information. Regulatory Compliance Penetration Tests help organizations achieve compliance objectives by performing penetration tests completely tailored to the specific requirements of the applicable regulations.
IoT Penetration Test
The Internet of Things is the network of devices such as vehicles and home appliances containing electronics, software and sensors that allow these things to connect, interact and exchange data. Ethical hackers identify vulnerabilities within IoT infrastructures that could potentially lead to a data breach – or worse.
Wireless Network Penetration Test
A Wireless Network Penetration Test simulates attacks on an organization's wireless network in a scenario where the hacker is within the range of the wireless network.
New Technology Test
As technology continues to churn out new gadgets and gizmos, there are more things to test. Remember, anything that is connected to your organization’s network can exchange information with it. And if it can exchange information, it can be hacked, compromised, and leveraged to gain more unauthorized access in your organization.