A penetration test is an authorised attempt to gain access to a network by routes other than the normal, intended means of access.
Essentially, a penetration test is conducted by an ethical ("white-hat") hacker mimicking what an actual ("black-hat") hacker would do in order to get into the network. This is done in order to test the security of the network.
Some penetration tests will also test an organisation's staff to see how likely they are to fall for social engineering (see 6.03) tricks.
There are two types of penetration tests:
In a black-box penetration test, the ethical hackers are given no information at all about the network.
The objective is to see how much damage an external hacker could do to the network. The test initially involves looking for a way into the network.
In a white-box penetration test, the ethical hackers are given some knowledge about the network.
This could potentially include IP addresses or even login credentials. The objective is to see how much damage a malicious insider (someone already on the network) could do to the network.
Why should an organisation perform a penetration test?
To avoid data breaches, to test whether its security controls actually work, and to ensure that the organisation isn't at risk of breaking the law.