Penetration testing is a way for cybersecurity experts to test a system by simulating an attack. It involves intentionally trying to get past existing security, and it can help companies find out if their systems can withstand a hack.
If you’re reading about cybersecurity, the term penetration testing will come up as a way to see if systems are secure. What is penetration testing, though, and how does it work? What kind of people perform these tests?
What Is Pen Testing?
Penetration testing, often referred to as pen testing, is a form of ethical hacking in which cybersecurity professionals attack a system to see if they can get through its defenses, hence “penetration.” If the attack is successful, the pen testers report to the site owner that they found issues which a malicious attacker could exploit.
Because the hacking is ethical, the people performing the hacks aren’t out to steal or damage anything. However, it’s important to understand that in every way besides intent, pen tests are attacks. Pen testers will use every dirty trick in the book to get through to a system. After all, it wouldn’t be much of a test if they didn’t use every weapon a real attacker would use.
Pen Test vs Vulnerability Assessment
This makes penetration tests a different beast from another popular cybersecurity tool, vulnerability assessments. According to cybersecurity firm Secmentis in an email, vulnerability assessments are automated scans of a system’s defenses that highlight potential weaknesses in a system’s setup.
A pen test goes further: it tries to determine whether a potential issue can be turned into a real one that can be exploited. Vulnerability assessments are therefore an important part of any pen testing strategy, but they don’t offer the certainty that an actual pen test provides.
Who Performs Pen Tests?
Of course, getting that certainty means that you need to be pretty skilled at attacking systems. As a result, many people working in penetration testing are reformed black hat hackers themselves. Ovidiu Valea, senior cybersecurity engineer at Romania-based cybersecurity firm CT Defense, estimates former black hats could make up as many as 70 percent of the people working in his field.
According to Valea, who is a former black hat himself, the advantage of hiring people like him to combat malicious hackers is that they “know how to think like them.” By being able to get into an attacker’s mind, they can more easily “follow their steps and find vulnerabilities, but we report it to the company before a malicious hacker exploits it.”
In the case of Valea and CT Defense, they’re often hired by companies to help fix any issues. They work with the knowledge and consent of the company to crack their systems. However, there is also a form of pen testing that’s performed by freelancers who will go out and attack systems with the best of motives, but not always with the knowledge of the people running those systems.
These freelancers will often make their money by gathering so-called bounties via platforms like HackerOne. Some companies (many of the best VPNs, for example) post standing bounties for any vulnerabilities found. Find an issue, report it, get paid. Some freelancers will even go so far as to attack companies that haven’t signed up and hope their report gets them paid.
Valea warns that this isn’t the way for everybody, though. “You can work for several months and find nothing. You will have no money for rent.” According to him, not only do you really need to be very good at finding vulnerabilities, but with the advent of automated scripts there also isn’t much low-hanging fruit left.
How Do Penetration Tests Work?
Though freelancers making their money by finding rare or exceptional bugs is a bit reminiscent of a swashbuckling digital adventure, the daily reality is a bit more down to earth. That’s not to say it isn’t exciting, though. For every type of device there is a set of tests used to see if it can stand up to an attack.
In each case, pen testers will try to crack a system with everything they can think of. Valea emphasizes that a good pen tester spends a lot of their time simply reading other testers’ reports, not just to stay up to date on what the competition may be up to, but also to gain some inspiration for shenanigans of their own.
However, gaining access to a system is only part of the equation. Once inside, pen testers will, in Valea’s words, “try to see what a malicious actor can do with it.” For example, a hacker will see if there are any unencrypted files to steal. If that’s not an option, a good pen tester will try and see if they can intercept requests or even reverse engineer vulnerabilities and maybe gain greater access.
Though it’s not a foregone conclusion, the fact of the matter is that once inside there’s not much you can do to stop an attacker. They have access, and they can steal files and wreck operations. According to Valea, “companies aren’t aware of the impact a breach can have, it can destroy a company.”
How Can I Protect My Devices?
While organizations have advanced tools and resources like pen tests to safeguard their operations, what can you do to stay safe as an everyday consumer? A targeted attack can hurt you just as much, though in different ways than a company suffers. A company having its data leaked is bad news, for sure, but if it happens to people it can ruin lives.
Though pen testing your own computer is probably out of reach for most people, and likely unnecessary, there are some great and easy cybersecurity tips you should follow to make sure you don’t fall victim to hackers. First and foremost, you should probably test any suspicious links before you click on them, as malicious links seem to be a very common way hackers attack your system. And of course, good antivirus software will scan for malware.