A penetration test (in the IT vernacular referred to as a "pen test") is also known as "ethical hacking", and this network security tool provides an essential function in vulnerability assessment. By actively seeking out and deploying attacks and penetration efforts against your network, you are more likely to uncover vulnerabilities and be able to take action to block holes in your security and pre-empt attacks on the perimeter defences.
Penetration testing includes both script-based and human-based attacks on the network in order to seek out and exploit vulnerabilities. The difference between this and say, criminal hackers looking to cause mischief or theft of data, is that you control the "attacker". The "attacker" reports back to you on whether they were successful and if so, how to stop such an attack from being successful in real-life. Penetration testing will reveal network security holes but more than this, it will be able to provide you with a realistic risk assessment including the impact on your business should such an attack succeed. Knowing what such an attack may cost your business will provide you with the ability to quantify the business risk and determine whether you do in fact, need to implement a solution.
"Black Box Testing" involves a penetration test where the attackers have no knowledge of the network infrastructure. They are working from what a real, external hacker would be using - online connectivity and any human intelligence or reliance on human nature, in order to discover vulnerabilities.
"White Box Testing" involves attackers who have full knowledge of the network infrastructure and are seeking out vulnerabilities and scenarios to take advantage of perceived weaknesses.
An intermediate form exists, known as "Grey Box Testing" where some knowledge is provided, known also as "partial disclosure".
The aim of these differing forms of testing is to compel imaginative ways to hack into the network, compromising network security. While having full knowledge of a system may lead the ethical attacker to use an obvious defect in network security, they may pass over and completely miss a less obvious but more severe vulnerability. Blind or black box testing does not allow for precise testing of certain components of the network because they don't know how the network is established but, this form of testing does lead to more imaginative attack scenarios being developed and hence, a more realistic prospect of stopping a real attacker with mischief in mind.
Penetration testing should be a regular scheduled activity and performed at least once a year and every time the network infrastructure is added to or changed. Penetration tests are also a serious component of risk audits conducted to determine network operation and integrity. Script-based penetration testing is relatively inexpensive because of the level of automation involved and is eminently suitable for white box testing. Black box testing, on the other hand, is labor intensive because it involves real people emulating real life hackers and such a penetration test will involve more than simply running an online attack against the network, for instance, rummaging through company trash for computer information, and this dramatically increases the cost.
Lawrence Reaves works for PLANIT Technology Group, a leading provider of Richmond network security, Virginia Beach enterprise storage, and many other services. PLANIT can be found online at: PLANITTech.com.