What is 'Pen Testing' and do I need it?

By Michael Spalter
June 2020

About the author

Michael Spalter

Michael Spalter has been a networking technician for over 30 years and has been the CEO of DrayTek in the UK since the company’s formation in 1997. He has written and lectured extensively on networking topics. If you’ve an idea for a blog or a topic you’d like explored, please get in touch with us.

According to reports, “the proportion of attacks targeting home workers increased from 12% of malicious email traffic before the UK’s lockdown began in March [2020] to more than 60% six weeks later.” With increased teleworking, it becomes harder to maintain a uniform and properly enforced security policy. There are also far more potential vectors for attack (your “attack surface” increases). With that in mind, it may be a good time to consider having your systems, processes and people policies assessed by professionals to identify potential vulnerabilities which can then be addressed.

Penetration (or 'Pen') Testing is the process of testing your network and computer infrastructure for vulnerabilities. You can do this yourself, use automated tools or contract an external team to test your systems. Physical and IT hardware are essential parts of your network and computer security, but with infinite variables and combinations of devices and services, testing systems once they are all working together can be essential for any organisation handling sensitive or valuable data.

Human vs. Automated Pen Testing

A Pen Test may be carried out by a skilled network engineer manually running through tests, or it may be a fully automated process in which common vulnerabilities are tested for. A human tester has the benefit of tailoring the tests specifically for each system, having assessed which processes and services are in use. He/she can then run further tests based on the results of the first tests or on what has been discovered. This is always going to be more comprehensive and reliable than an automated test, but it is considerably more labour-intensive and therefore costly.

Human Pen Tester

Most human testers will also use many automated tests to iterate tests and run standard test scripts. They will start with planning and reconnaissance, learning as much as possible about your systems (the specific software and hardware in use) before planning their attacks. Your 'attack surface' is the collective public-facing or accessible front end to your systems: every web site, FTP server, VPN portal and mail server, but also dependencies such as your domains and DNS systems. As well as checking for known vulnerabilities in your front ends, such as memory buffer over-runs, cookie manipulation, SQL injection, XSS (Cross Site Scripting) etc., a skilled tester will also use a web application proxy to examine the data sent between your users' browsers and your server.

Automated tools, on the other hand, will run through a series of scripts that test for common vulnerabilities, drawn from a library of checks which can be loaded. Automated tools are available commercially and some free of charge; however, before you invite a web site to probe you, giving them permission to potentially expose or destabilise your systems, you should ensure you know who you're engaging with. Check independent reviews, their location, history or any other information you can find on them.

In all testing, you should also ensure that you yourself have appropriate authority within your own organisation - i.e. check that your own bosses know that you're requesting or carrying out testing. If you accidentally shut down your employer's entire ecommerce site, you'll have questions to answer, even if you had the best intentions.

Common attacks, which can be attempted by even the most basic hacker with off-the-shelf scripts, include cross-site scripting and SQL-injection attacks. A good web application will sanitise all input, but not every developer does this, or remembers to do it every time.
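To make the "sanitise all input" point concrete, here is an added example (not code from the original post) showing a user lookup written the vulnerable way beside its parameterised form, and HTML escaping before output; the table and its rows are constructed for the demonstration.

```python
import html
import sqlite3

# Constructed in-memory user table for the demonstration (not real data).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, bio TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "Network engineer"), ("bob", "Accounts")])
    conn.commit()
    return conn

def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: the request parameter is spliced straight into the SQL text,
    # so a value containing a quote changes the meaning of the statement.
    query = f"SELECT name, bio FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()

def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: a parameterised query. The driver binds the value separately
    # from the statement, so it can only ever be compared as data.
    return conn.execute("SELECT name, bio FROM users WHERE name = ?",
                        (name,)).fetchall()

def render_bio(bio: str) -> str:
    # Output encoding: escape stored text before embedding it in HTML so that
    # a bio containing markup is displayed literally rather than executed (XSS).
    return f"<p>{html.escape(bio)}</p>"

if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # the classic tautology a basic script would try
    print("unsafe:", find_user_unsafe(db, probe))   # leaks every row
    print("safe:  ", find_user_safe(db, probe))     # no such user
    print(render_bio("<script>alert(1)</script>"))
```

The unsafe version returns every row for the tautology input while the parameterised version returns nothing, which is exactly the difference a scanner's SQL-injection check is looking for.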

White Hat vs. Black Hat

A human Pen Tester may sometimes be known as a "white hat hacker". They are contracted by companies or organisations to test the systems and report back on any vulnerabilities or weaknesses found.  A Pen Tester will have a clear contract stating what they can and can't do (for example, not damaging data or causing malfunction of crucial services) and they will also have clear permission from an appropriate level so that if their attempted attacks are detected, they can prove to the authorities that they are acting with permission.

A black hat hacker is the other type - a criminal who will test systems to find weaknesses and then exploit them for fraud, theft, mischief or to sell details of the vulnerability to other criminals in the hacking underworld. All types of hackers will convene on boards or messaging services to exchange information (for good or bad) and there are various marketplaces for vulnerabilities. If a black hat (criminal) discovers a zero day vulnerability, say, he/she may try to find a buyer.  If a white hat discovers one, he or she will notify the owner, service provider or vendor and hopefully they will fix it.

Physical Pen Testing

Whilst we've referred to testing systems, which will generally be carried out on your network from outside or inside, one of the most common security weaknesses is not the IT systems at all, but your people or physical security. Some security firms will test your physical security (doors, locks, monitoring) and also employee policies and habits. If someone can easily bypass your fire door push bar ('crash bar') by slipping a wire pull through the crack from outside, they're inside, able to insert keyloggers, wireless devices or anything they like into an available socket.

Social Engineering

Social Engineering attacks are those where people are tricked, or feel obliged through social norms, into cooperating.

To get inside a building, a common method is for a hacker to stand at the rear entrance of a building, smoking. He waits for another smoker to come out and, when that smoker goes back in, puts out his own cigarette before the door closes and walks into the building nonchalantly. The employee doesn't even think about it, and even if they do, few employees want to be 'that guy' who asks someone to ID themselves; mentally, they'd rather take a risk than be embarrassed. This type of entry has been widely documented but remains effective.

During the 2020 pandemic, countless workers found themselves working from home which increased the potential for social engineering as more non-technical users were now responsible for IT security in their own homes and, in many cases, using their own equipment, often shared with other household members. Working methods were quickly evolving so it became harder to spot unusual or suspicious signs – everything was unusual during the pandemic.

What to do with your Pen Test Report

Your pen tester will provide you with a report and, most likely, go through it with you.  There will be problems listed and suggested remedies.

Any thorough pen test will almost always find some 'problems'. They will be of differing severity. Some recommendations may be best practice but not expose a serious or real problem, or they present no real risk once context is considered. Some findings may not be fixable, because what is considered a vulnerability is necessary for the operation of your services; in that case, ensure that the risk has been sufficiently mitigated. It's vital that the right people read and interpret the pen test report. Once you believe that you have taken the right remedial action, you may invite your pen testers to test again (that may be part of the original package, but check). After that, re-test regularly. Even if the systems you use are unchanged, new firmware or patches may introduce new vulnerabilities.

Before you recruit a professional pen tester, check your systems yourself. Run some automated scanners and test tools. Check your web code for input sanitisation etc. Check that all systems are up to date and that any dependent libraries are up to date. Close ports that you don't need. Shut down obsolete services and protocols (PPTP, SSL3, WPA etc.) and close their ports. You may be able to fix such low-hanging fruit yourself; otherwise the pen test report may be unnecessarily long, and more obscure, complex vulnerabilities may be missed.
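As an added example of the "check your systems yourself" step (not code from the original post), the following script parses the output of `ss -tlnp` on a Linux host and flags listeners that are either on a known-obsolete list or not on an assumed allow-list; the sample output, the allow-list and the obsolete-port table are all constructed for the demonstration.

```python
import re

# Constructed sample of `ss -tlnp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1201,fd=6))
LISTEN  0       128     0.0.0.0:1723         0.0.0.0:*          users:(("pptpd",pid=1330,fd=4))
LISTEN  0       5       0.0.0.0:23           0.0.0.0:*          users:(("telnetd",pid=1402,fd=3))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=990,fd=20))
"""

# Assumed policy: the only ports this organisation intends to expose.
ALLOWED_PORTS = {22, 443}

# Obsolete or cleartext services that should not be listening at all
# (PPTP is one the post names; the others are well-known legacy protocols).
OBSOLETE_PORTS = {1723: "PPTP", 23: "telnet", 21: "FTP", 512: "rexec", 513: "rlogin"}

# One `ss` row: state, queues, local addr:port, peer, and the process name.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def audit_listeners(ss_output: str) -> list:
    """Return (port, process, advice) for every listener worth acting on."""
    findings = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or a row in an unexpected format
        addr, port, proc = m.group(1), int(m.group(2)), m.group(3)
        if addr.startswith("127.") or addr == "[::1]":
            continue  # loopback-only listeners are not part of the attack surface
        if port in OBSOLETE_PORTS:
            findings.append((port, proc,
                             f"obsolete protocol {OBSOLETE_PORTS[port]}: shut it down"))
        elif port not in ALLOWED_PORTS:
            findings.append((port, proc, "not on the allow-list: close or justify"))
    return findings

if __name__ == "__main__":
    for port, proc, advice in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"port {port} ({proc}): {advice}")
```

On a real host, feed it the live output with `ss -tlnp | python3 audit.py` after changing the script to read `sys.stdin`, and keep the allow-list in step with what you have actually decided to expose.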

PCI DSS Testing

If your business accepts card payments online, the terms with your card processing company will mandate compliance with the PCI DSS (Payment Card Industry Data Security Standard). This is a set of minimum requirements to secure your systems against breaches and protect customers' credit card data. As part of the obligations, you will have to contract an approved testing company to carry out regular external probes against your public-facing services/servers. You also have to certify that various other best practices are in place. The testing company will check for non-compliance and prohibited/obsolete protocols/ports, and provide a report of any issues that need to be remedied. Although this could be considered a type of Pen Test, it is automated and has a specific, fixed remit. It's not bespoke and there's no tailored reconnaissance, so it's not equivalent to, or a substitute for, a full Pen Test.

Hacking in Popular Culture

The TV series 'Mr. Robot' is brilliant and disturbing and, for once in a TV show, gets the tech right. So much of what the protagonist, a hacker, does reflects real-world methods, and if you care about security you can actually learn from the show. One final take-away for you is that hackers don't all have unkempt hair, wear scruffy T-shirts and yell "I'm in!" whilst looking at a screen of green text and swirling wireframes.
