How to Describe a Penetration Test to a Non-Technical Person
As you might imagine, penetration testing is an extremely technical field that leverages state of the art technology and concepts. With that in mind, it is not always easy to describe a penetration test, what penetration testing consists of, and what they can achieve to non-technical individuals. This includes members of senior management, board members, and departments of your organization.
The Basics
What is a penetration test?
A penetration test is an assessment to test the security of a particular asset by an ethical hacker. The asset could be a physical building, a website, your network, etc. The person performing your test emulates a malicious hacker to understand what vulnerabilities are present and what the risk associated with them is. The big difference is that a penetration tester has gone through a vetting and is on the good side, working to better secure organizations.
What is the difference between a scan and a penetration test?
Whereas penetration testing includes manual identification, review, and exploitation of vulnerabilities, a vulnerability scan tries to simply identify issues in an automated fashion.
Why do we need a penetration test?
A penetration test is crucial to ensuring your assets are protected. By maintaining proper security hygiene, you are reducing the odds of being compromised by someone with malicious intent. While a vulnerability scan is a step in the right direction, a penetration test takes it a step further and helps determine realistic risk.
Types of Penetration Tests:
Now that we have the basics covered, lets cover some of the types of penetration tests and the main questions they look to address:
External Penetration Test
Question: Can a hacker on the Internet break into my network?
Answer: An external penetration test emulates an attacker trying to break into your network from the outside. The goal of the engineer performing this assessment is to breach the perimeter and prove that they can gain access to the internal network.
Internal Penetration Test
Question: Once an attacker breaks into my network, what damage can they cause? If an internal employee goes rogue, what can they access?
Answer: An internal penetration test emulates an attacker on the inside of your network. This could be either an attacker who is successful in breaching the perimeter through another method or a malicious insider. The goal of the engineer in this module is to gain root and/or domain administrator level access on the network, and gain access to sensitive files
Web Application Penetration Test
Question: Is my web application secure and what could an attacker do to my organization’s website?
Answer: This assessment will perform an in-depth vulnerability assessment and penetration test on both the unauthenticated and authenticated portions of the target web application. The engineer will test for all of the OWASP Top-10 critical security flaws, as well as a variety of other potential vulnerabilities based on security best practice.
Wireless Penetration Test
Question: Can a hacker break into my network from the parking lot?
Answer: A wireless penetration test is a comprehensive evaluation of the wireless networks in your organization using automated and manual methods.
Physical Penetration Test
Question: Can an attacker physically break into my building?
Answer: A physical penetration test is an assessment of the physical security of your premises. Our engineers will attempt to gain access to your facility by identifying weaknesses and/or using social engineering. Once inside, our engineers will attempt to gather sensitive information, gain access to sensitive areas such as the data center, and attempt to gain internal network access.
Hopefully this gives you a solid understanding of how you might describe a penetration test to someone and convey some of the different types of testing that are out there. Contact us to learn more about these different types of assessments in more detail.