Paying a hacker to break into your servers sounds like madness. But what if the hacker doesn’t use any of the stolen data? What if he instead gives you feedback on your weaknesses? We’ll tell you why and how companies choose to improve their security with penetration testing.
Penetration testing, also known as pen testing, pentesting or ethical hacking, is an authorized benign attack against a computer system or network that helps to uncover vulnerabilities that might be exploited by hackers in real-world attacks. Pen testing can be used on all or different parts of your network, like application protocol interfaces (APIs), frontend/backend servers, etc.. It can be used to test your web application firewall (WAF) – practically anything that can be hacked.
Many big and small enterprises use network penetration testing to identify unknown security issues and defensive strengths. It’s an essential part of any comprehensive risk assessment. The information gathered from these attacks is used to patch security loopholes and to improve overall network security before any bad actors take advantage of them.
In addition to improving their security, some companies use pen testing as part of their security audits. Some security standards can only be given to companies if a certified penetration test was done.
Pen testing is usually undertaken by external companies that offer penetration test services. Outsiders with little to no knowledge about the target are more likely to spot vulnerabilities compared to developers who created the website or app.
The contractors are usually referred to as “ethical hackers.” Most of them are experienced cybersecurity professionals who specialize in pen testing and have degrees in this field. However, some are self-taught and might even be reformed criminal hackers who have decided to use their skills for good. You can read more about different types of hackers in this post.
There are different types of pen testing techniques, and they are used to achieve different goals.
During this stage, the ethical hacker and the company decide on the scope, the goals, the methods, and the systems that will be tested. The pentester gathers more information about the network and identifies potential vulnerabilities.
During the scanning stage, the pen tester identifies how the target network or application currently responds to intrusion attempts. This is usually done by using:
Now the tester has enough information to try to exploit these vulnerabilities. Their goal is usually to get into the system and steal some sensitive data, disrupt the service, or get admin access and escalated privileges. They can achieve so by using any attack at their disposal, like cross-site scripting, SQL injection, brute-force attacks, social engineering attacks, etc.
Once the hacker is in the system, their job is now to stay there for as long as they can or to extract the most sensitive data they can find. During this stage, the pen tester tries to imitate attacks during which a hacker stays in the system for months unnoticed. As part of this attack, the hacker could also cover their tracks to stay as anonymous as possible, which includes clearing any data gathered, logs, etc.
The last step is to compile all this information – the vulnerabilities, how they were exploited, and how long the hacker stayed in the system – and present them all in a report. Security professionals then analyze these, and the appropriate actions are then taken by the company to patch the new vulnerabilities and improve security controls. The upgrades can include new WAF rules, DDoS mitigation, tighter validations, or new staff training on how to recognize phishing attacks.
In effort to ensure the highest level of security, NordVPN has partnered with VerSprite, a global leader in cybersecurity consulting and advisory services. VerSprite will be performing a comprehensive penetration test, examining our intrusion handling, and providing us with vendor risk assessment. Please stay tuned for the full report.
For more cybersecurity tips, subscribe to our monthly blog newsletter below!