By IT Brew Staff
less than 3 min read
Definition:
Penetration testing, also known as pen testing, is when a cybersecurity expert launches a fake cyberattack on a network, application, or individual device to assess its vulnerabilities. Pen testing can help organizations quickly identify and fix problems in their cyber defenses. For some industries, it’s even a regulatory requirement; for example, the Payment Card Industry Data Security Standard (PCI DSS) demands that any organization that stores and processes credit card holder data must conduct regular pen tests.
There are several different types of penetration testing, including:
- Application pen testing. Cybersecurity experts attempt to find the flaws in applications and websites, including cloud apps and IoT apps.
- Network pen testing. Cybersecurity experts launch a simulated attack on an organization’s network. These attacks can be “external” (simulating an attacker trying to penetrate the network from the outside) or “internal” (simulating a malicious insider trying to steal information or compromise systems.
- Hardware pen testing. This type of pen testing includes everything from determining whether an organization’s laptops have vulnerabilities to attempting to break into data centers.
- Social engineering pen testing. This is when a cybersecurity expert tries to use social engineering tactics to convince employees to give up sensitive information, fall for false phishing emails, and so on.
Third-party contractors hired to pen-test an organization are often referred to as “ethical hackers.” As part of their contract, they set a scope for a test (“Please try to hack this, but don’t try to hack that”) and follow certain pen testing methodologies, like the Penetration Testing Execution Standard and the NIST SP 800-115.
