Penetration testing is an interesting subsection of cyber security. Where many areas of cyber security focus on defending networks, penetration testing is entirely about a pen tester breaking into networks and showing how they did it. The discipline is one of the most difficult paths to follow in the security world. It requires knowledge from a wide variety of areas, from coding to networking to even technical writing. The main purpose of a penetration test is to find weak spots in a controlled environment and exploit them in a controlled manner that does not interrupt a business’s day-to-day operations. Penetration tests happen every day in industries such as banking or even retail. Without skilled penetration testers, organizations would be at the mercy of hackers and anyone else who decides to exploit vulnerable devices.
Pen testers come from all over the world and have such varied backgrounds that no one profile fits the position. In essence, a pen tester could be anyone, just like a hacker. Though there are more than two types of pen testing, these two are the ones most often requested:
- White Box – A white box pen test means that the person conducting the test has been given organizational information beforehand that could help them accomplish their goals.
- Black Box – A black box pen test is the complete opposite. These types of pen tests are often the most difficult as only small identifying details such as name and location are given beforehand.
As you can see, there is enough room for variation from pen test to pen test depending on the type. One topic we also need to cover is the difference between a vulnerability scan and a pen test itself. These two terms are very frequently confused, leading to issues when a tester’s results are presented.
Difference between Vulnerability Scans and Penetration Tests
The first difference between these two is that a vulnerability scan is not actually an applied project. Vulnerability scans are precisely what they are called: scans. They are also often a part of penetration tests. Penetration tests are an applied project. In a penetration test, the tester is more likely to start with a form of scanning and then actually exploit what they have found in order to see if they can exfiltrate data.
A pen tester is also more likely to discover unknown vulnerabilities, as a vulnerability scan only discovers known weaknesses. This is because pen testers tend to have a strong coding background, so they are less likely to gloss over a flaw in a web application’s code. The best way to visualize this is simple: you can automate a vulnerability scan, but you cannot automate a penetration test. That said, the two complement each other more than they take away from each other.
What tools can I use?
Many penetration testers use a Linux flavor of their choosing, though others use a distribution named Kali Linux. This is the most well-known penetration testing distribution out there. It includes many of the most utilized tools in a pen tester’s arsenal. Tools range from the SQL injection tool SQLMap to the well-known Metasploit Framework. It’s important to note that Kali is not restricted to just those tools, and you can modify the distribution as you please.