Choose the best penetration testing method for your company

Even if you stay current with security patches, your network may require penetration testing. Security expert Mike Mullins explores the three most prevalent methods of conducting penetration tests.

Do you conduct penetration testing on your organization's network? Or do you just perform vulnerability assessments? It's important to recognize that there's a difference between the two. Assessments find vulnerabilities; attempting to exploit one of those vulnerabilities is penetration testing.

Penetration testing is an intrusive and potentially disruptive process. But even if your organization stays up-to-date on security patches and follows industry best practices for system configuration, your network might still require penetration testing.

Not sure where to begin? Let's explore the three most prevalent methods of conducting penetration tests.

External penetration testing

When most people think of penetration testing, they usually concentrate on external hackers trying to break into their network. We can divide this external approach into two methodologies.

Black box testing
This method assumes a would-be hacker has no prior knowledge of the network, company, or services it provides. Testing focuses heavily on discovery and determining how information leaks from your company's network.

While this approach might appear to have the most value, that's not always the case. If a black hat is specifically targeting your network, he or she may already possess detailed information about your systems and procedures.

Remember that potential hackers have all the time in the world to conduct their discovery—and they only need one successful test to ruin your production network.

White box testing
This method assumes a would-be hacker has full knowledge of the company's network, including the following:

  • The types of network devices and their configuration
  • The operating systems deployed on servers and workstations as well as their patch level
  • The database and Web platforms deployed throughout the network
  • Firewall models, along with configurations and detailed diagrams of network connectivity

Before undertaking any actual testing, make sure you gather all of these details during the discovery phase.

So which method should your organization pursue? Both have value. However, here's how I advise approaching the process: Assume a potential attacker is a former or current employee with full knowledge of your network. It's important to spend the majority of your time on examining potential exploitation, not discovery.

Get the TR Blog Roundup

Find out who's offering the best advice, the quirkiest comments, and the most compelling life stories every week with TechRepublic's Blog Roundup. Click here to automatically sign up to receive it every Wednesday.

Use tags to find blog posts about Windows and security.

Internal penetration testing

A 2004 study conducted by the FBI and the Computer Security Institute revealed that internal attacks account for more than 50 percent of all organized network security breaches. Because most successful attacks are coming from connections that are inside your perimeter security, common sense says this is where you should perform the bulk of your testing.

Conduct testing from different network access points, and include each logical and physical segment. In addition, pay specific attention to wireless coverage that extends beyond the boundaries of your physical perimeter.

Social engineering

No penetration test would be complete without addressing this nontechnical approach to exploitation. Social engineering preys on human interaction to obtain or compromise information about an organization and its computer systems.

In a social engineering scheme, the attacker relies on human nature to gain access to unauthorized network resources. This could be in the form of eavesdropping or "shoulder surfing" (i.e., direct observation practices) to obtain access. It can also include data aggregation through "dumpster diving" (e.g., looking for passwords written on sticky notes) or talking to multiple sources and building on data from each source until the attacker has enough information to commence an attack.

Final thoughts

Penetration testing should play a role in every company's network security policy. Before you begin penetration testing, your first step should be to obtain management approval and involvement. Define your requirements and your goals, gather your tools, and enjoy the ethical hacking experience.

Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.

Editor's Picks

Free Newsletters, In your Inbox