Question 1

What is Penetration Testing?

Accepted Answer

A penetration test emulates methods used by real-world hackers to assess the security measures protecting a computer system or information resource.  The process involves cyber experts - called ethical hackers - getting into the mindset of a hacker and launching attacks to identify an organization’s likely vulnerabilities.

They contemplate: If hackers attacked, what method would they use? What time would they attack? What entry point would they use? Cyber experts simulate these attacks, identify how they got inside and recommend fixes to exploited vulnerabilities.

Question 2

Why is Penetration Testing Needed?

Accepted Answer

Hackers, as an adversary, are quite a handful for organizations. They have the elements of surprise and stealth, and they can simply choose to retreat and attack again at will. Organizations, on the other hand, have none of these luxuries. They’re effectively left to defend a fortress against any type of attack, from any direction, at any time.

But organizations do have a way to prepare and fight back. It’s called penetration testing. The goal of penetration testing is to assess the security measures protecting an information resource by emulating the methods used by real-world hackers. As a result, organizations can discover weaknesses in technical infrastructure and measure their resistance to hacker attacks.

Question 3

What is a "White Box" Penetration Test?

Accepted Answer

The “white box” penetration test is where the tester is given all information about the information resource being attacked.

A white box penetration test may be more comprehensive and unearth more vulnerabilities since the “attacker” has so much advance information about the target.

Question 4

What is a "Black Box" Penetration Test?

Accepted Answer

The “black box” penetration test is exactly the reverse – the tester is given no information about the information resource being attacked.

A black box penetration test may offer a more “real world” scenario wherein the malicious hacker has no advance knowledge about the organization’s technical infrastructure.

Question 5

What is a "Grey Box" Penetration Test?

Accepted Answer

The “grey box” penetration test is a middle ground wherein the tester is given some information.

A grey box penetration test is often the best route to take since malicious hackers are bound to have gathered at least some information about their target.

Question 6

What is a Network Penetration Test?

Accepted Answer

A Network Penetration Test, as the name suggests, involves simulated hack attacks directed at the network of the organization being tested.

The External Network Penetration Test simulates real-life hacker attacks at a network level, in a scenario where the hacker is located outside the organization and its internal network.

The Internal Network Penetration Test, on the other hand, simulates real-life hacker attacks at a network level, in a scenario where the hacker is located inside the organization, connected to its internal network.

Both tests provide insights into how well protected the organization's networks and information resources are from malicious hackers.

Question 7

What is a Web Application Penetration Test?

Accepted Answer

A web application is an application program that can be accessed through a web server such as online banking, e-commerce websites, and so on. Because these online portals enable a significant number of transactions of highly sensitive information and are typically globally accessible on the Internet, they are a high-value targets for attackers. By conducting Web Application Penetration Tests, organizations can significantly shore up defenses.

This test also includes testing of web services, which are vulnerable because they often interface with other IT solutions to meet business objectives. They are often the most neglected part of the application system because organizations think they are safer than the rest since they cannot be directly accessed through a browser or discovered openly. In fact, web services provide direct and easy access to hackers.

Question 8

What is a Cloud Infrastructure Penetration Test?

Accepted Answer

Tests of cloud infrastructure identify vulnerabilities, misconfigurations, and implementation flaws. There are several ways in which a Cloud Infrastructure Penetration Test can be performed such as testing publicly available systems or privately held systems hosted within a cloud environment. All tests are performed after obtaining prior approval from the cloud service provider.

Question 9

What is a ICS/SCADA Penetration Test?

Accepted Answer

ICS/SCADA Penetration Tests target the Industrial Control Systems (ICS) or the Supervisory Control and Data Acquisition (SCADA) systems within an organization. The tests are fully aligned with the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) requirements. These penetration tests require highly specialized skills and specific experience in testing ICS infrastructures.

Question 10

What is a Social Engineering Test?

Accepted Answer

Social engineering attacks try to dupe computer users into installing malicious programs on their machines or divulging sensitive information. These tests help organizations understand how well their employees are equipped to protect organizational information and resources. Ethical hackers may send fake emails from management, masquerade as a technical support employee, or engage in other phishing schemes to see if employees click through, and accidentally expose the organization’s sensitive data.

Question 11

What is a PCI Penetration Test?

Accepted Answer

Payment Card Industry Data Security Standard (PCI DSS) requirements mandate that organizations perform comprehensive and detailed infrastructure penetration tests of several types. These tests help organizations attain compliance with PCI requirements by performing ongoing and periodic PCI Penetration Tests that are designed to align with each specific PCI DSS requirement that organizations need to comply with.

Question 12

What is a Mobile Application Penetration Test?

Accepted Answer

Mobile applications (“apps”) have become a crucial part of our lives. We use them for banking, ecommerce, messaging, maps, email and scores of other things. Unfortunately, they also provide additional entry routes to hackers. A Mobile Application Penetration Test allows organizations to assess their mobile application infrastructure.

Question 13

What is a Physical Site Penetration Test?

Accepted Answer

Testing the physical defenses of an organization helps ensure that data can’t be exploited via gaps in physical controls and security. Investigators test whether individuals can gain physical access to the organization’s sensitive information and storage areas.

Question 14

What is a Regulatory Compliance Penetration Test?

Accepted Answer

Many organizations are regulated by data laws such as GLBA, HIPAA, GDPR, HITECH, FACTA, FERPA, BSA, and so on. Most regulations directly or indirectly require organizations to perform ongoing and periodic penetration tests of the technical infrastructure that houses sensitive information. Regulatory Compliance Penetration Tests help organizations achieve compliance objectives by performing penetration tests completely tailored to the specific requirements of the applicable regulations.

Question 15

What is a IoT Penetration Test?

Accepted Answer

The Internet of Things is the network of devices such as vehicles and home appliances containing electronics, software and sensors that allow these things to connect, interact and exchange data. Ethical hackers identify vulnerabilities within IoT infrastructures that could potentially lead to a data breach – or worse.

Question 16

What is a Wireless Network Penetration Test?

Accepted Answer

A Wireless Network Penetration Test simulates attacks on an organization's wireless network in a scenario where the hacker is within the range of the wireless network.

Question 17

What is a New Technology Test?

Accepted Answer

As technology continues to churn out new gadgets and gizmos, there are more things to test. Remember, anything that is connected to your organization’s network can exchange information with it. And if it can exchange information, it can be hacked, compromised, and leveraged to gain more unauthorized access in your organization.

Question 18

How to Pick a Penetration Testing Company

Accepted Answer

Penetration testing is one of the best ways to assess cybersecurity defenses. But managing these penetration tests is a process that you need to get right in order to best reap its benefits. It is important to select a team with:
Deep experience in your specific industry;
A plan to keep your data secure during testing;
Methodologies based on industry best practices;
Sample reports for your review; and
A commitment to re-test

Question 19

What is Social Engineering?

Accepted Answer

Social engineering assessments emulate the coercion and manipulative techniques hackers use to trick employees into unwittingly breaching an organization’s cyber defenses. The assessments help organizations identify human vulnerabilities so they can be remediated through training and improvement in the level of cybersecurity awareness among employees.

The training addresses specific weaknesses so organizations can shore up defenses. Customized Security Awareness Training generates maximum ROI by focusing on areas where each employee is weak rather than relying on a one-size-fits-all approach.

Question 20

What is Phishing?

Accepted Answer

Phishing is when attackers use emails, social media, instant messaging, or SMS to trick victims into divulging sensitive information or clicking on malicious links. Phishing emails are crafted to create a sense of urgency to get the victim to act.

Question 21

What is Vishing?

Accepted Answer

Vishing is a social engineering attack that tricks victims into divulging personal or sensitive information over the phone. Attackers will typically spoof their caller ID to make it appear calls are coming from a legitimate source, such as the IRS. The attacker then threatens adverse action if the victim doesn’t provide a payment and key in credit card details.

Question 22

What is Spear Phishing?

Accepted Answer

Spear phishing attacks target a specific person, business, or organization. The cybercriminals research their targets and then craft tailored attacks to trick victims into thinking they are receiving, for example, a legitimate wire request from a colleague or client. The tailoring and customization involved in spear phishing brings higher success rates for attackers.

Question 23

What is Smishing?

Accepted Answer

That’s short for “SMS phishing” – a social engineering attack that hackers use to target victims on their phones via SMS. This technique is essentially phishing but carried out over text (SMS) messages. Just like email phishing scams, the SMS will typically have a malicious link that, when clicked, downloads malware onto the device or leads the victim to a page that attempts to steal her/his credentials.

Question 24

What is Baiting?

Accepted Answer

In this technique attackers use “bait” to lure victims. The bait could be USB pen drives, CDs, DVDs, and so on. First, the attacker gains access to the victims’ workplace to place the bait in strategic locations where a victim is most likely to fall for it. For instance, the attacker may leave on a cafeteria table a CD that says “Layoffs – Employee List.” A curious employee who comes across the CD would likely insert the CD in a computer, allowing malware on the CD to spread into the organization’s technical infrastructure.

Question 25

What is Tailgating?

Accepted Answer

In tailgating, an attacker tries to enter a secure area that requires an access card. The attacker typically waits for someone with an authorized access card to come along and then manipulates the person into believing that s/he mistakenly left her/his access card inside. The person with the access card might then help the attacker gain unauthorized access to a secure area. With tailgating, attackers try to exploit the helpfulness in human nature.

Each Friday, we provide readers with the top 8 breaking news articles related to privacy, IT security, data breaches and compliance. Quick reads, important insights.

Penetration Testing

Penetration tests expose an organization’s cybersecurity vulnerabilities so they can be fixed. Here’s what you need to know to capitalize on pen tests.

What is Penetration Testing?

Why is Penetration Testing Needed?

Pen Test Resources

What are the Phases of Penetration Testing?

1. The Planning Phase

What are the Benefits of Each Pen Testing Approach?

2. The Reconnaissance Phase

3. The Intrusion Phase

4. The Reporting Phase

5. The Re-Testing Phase

Did you find this helpful?

See our resources on other key cybersecurity topics

SOC Compliance Services

PCI Compliance

Digital Forensics

Security Awareness Training