Network penetration testing is, essentially, permissible hacking. This form of testing involves hacking into a computer network to find system vulnerabilities. While it can be a lengthy process, it is essential to verify the integrity of secured data management.
Types of Testing
Some professionals classify external testing as part of penetration testing, and this can be the case. However, checking for weaknesses in the system and not taking advantage of them is more of a vulnerability assessment than a penetration testing.
Typically, the top layer of testing involves retrieving basic information from the servers: IP addresses, server name, operating system, etc. This helps the testers/hackers gain as much information as possible about the environment they are breaking into. Once they have this information, they can use known weaknesses to infiltrate the network. If these do not work, then they start finding creative ways to get in.
Penetrating the server is the next step. Companies typically contract third-party entities to perform the testing. There can be trust issues, though. The company will either ask for the third-party company to find the weakness and report it but not take further action, or it will ask the third-party tester to find the weakness and exploit it as much as possible. It depends whether the company can accept letting someone break into their servers and find all the weaknesses. The more secure the data, the less likely the corporation will want its information exploited.
The hacker/tester does not log in and immediately crash into the system. According to the SANS institute, the tester takes his time to get in, just like a real hacker would. The key process is not to break in but to get in without being noticed. This can take time. The tester will first learn the system and find a way to get in. Once he can do that, he can come back and find the greatest vulnerabilities at his leisure. After he locates the weaknesses, the tester can determine the best route to extract the data from the server.
Once all vulnerabilities are found, the tester sends the information to developers so they can fix the problems. Hackers find new ways into corporate servers all the time, so it is important that companies stay diligent in their testing. This type of testing must be ongoing.
Network penetration testing is important for any company that stores customer data or other secured files. Hiring a full-time employee to perform the testing is not common practice. It is too easy for people to become complacent in their day-to-day duties. This type of testing requires a new set of eyes every couple of months to find what others may not have found.
Photo credit: Flickr/BobMical