Penetration tests are vital components of vulnerability management programs. In these tests, white hat hackers try to find and exploit vulnerabilities in your systems to help you stay one step ahead of cyberattackers.
Because these tests can use illegal hacker techniques, pentest services will sign a contract detailing their roles, goals, and responsibilities. To make sure the exercise is effective and doesn’t inadvertently cause harm, all parties to a pentest need to understand the type of testing to be done and the methods used. This will not only help better test the architectures that need to be prioritized, but it will provide all sides with a clear understanding of what is being tested and how it will be tested.
Here we’ll discuss penetration testing types, methods, and determining which tests to run. For an overview of our pentest coverage, start with What Is Penetration Testing? Complete Guide & Steps.
7 Types of Penetration Testing
Here we’ll cover seven types of penetration tests. As enterprise IT environments have expanded to include mobile and IoT devices and cloud and edge technology, new types of tests have emerged to address new risks, but the same general principles and techniques apply.
Additionally, tests can be internal or external and with or without authentication. Whatever approach and parameters you set, make sure that expectations are clear before you start.
While many penetration testing processes begin with reconnaissance, which involves gathering information on network vulnerabilities and entry points, it’s ideal to begin by mapping the network. This ensures the entirety of the network and its endpoints are marked for testing and evaluation.
1. Network tests
Some organizations differentiate internal from external network security tests. External tests use information that is publicly available and seek to exploit external assets an organization may hold. On the other hand, internal tests simulate attacks that come from within. These try to get in the mindset of a malicious inside worker or test how internal networks manage exploitations, lateral movement and elevation of privileges.
Internal and external network testing is the most common type of test used. If an attacker can breach a network, the risks are very high. Penetration testers will try to bypass firewalls, test routers, evade intrusion detection and prevention systems (IPS/IDS), scan for ports and proxy services, and look for all types of network vulnerabilities.
2. Social engineering tests
Social engineering is a technique used by cyber criminals to trick users into giving away credentials or sensitive information. Attackers usually contact workers, targeting those with administrative or high-level access via email, calls, social media, and other approaches.
Most cyberattacks today start with social engineering, phishing, or smishing. Organizations that want to ensure that their human security is strong will encourage a security culture and train their workers. But a fundamental component of an effective human security culture is putting it to the test. While automated phishing tests can help security teams, penetration testers can go much further and use the same social engineering tools criminals use.
Penetration testers may run these simulations with prior knowledge of the organization — or not to make them more realistic. This also allows them to test an organization’s security team reaction and support during and after a social engineering attack.
3. Web application tests
Web-based applications are critical for the operation of almost every organizations. Ethical hackers will attempt to discover any vulnerability during web application testing and make the most of it. The goal of the test is to compromise the web application itself and report possible consequences of the breach.
Web application tests include web apps, browsers, ActiveX, plugins, Silverlight, scriptlets, and applets. Languages used in the test include Java, PHP, .NET, and others. Application programming interfaces (APIs) are also part of this test, along with XML, MySQL, Oracle, and other connections and systems. If web applications are mobile, they also need to be tested in their environments.
These tests are complex due to the endpoint and the interactive web applications when operational and online. Threats are constantly evolving online, and new applications often use open-source code. This presents several challenges. Code is not always double-checked for security, and evolving threats continuously find new ways to break into web applications. Penetration testers have to take into consideration all of these elements.
See the Top Web Application Firewalls
4. Wireless networks and websites
Companies rely on wireless networks to connect endpoints, IoT devices and more. And wireless networks have become popular targets for cyber criminals. Penetration testers will verify wireless encryption protocols, check for beacons, confirm traffic, search for access points and hotspots, and MAC address spoofing.
Wireless networks are often neglected by security teams and managers who set poor passwords and permissions. Penetration testers will try to brute force passwords and prey on misconfigurations. Penetration tests also make sure the system is safe from denial-of-service (DoS) attacks, where sites are flooded with traffic to force them to crash.
Finally, as companies embark on digital transformation and modernization, threats to IoT, sensors, cameras, mobile devices, and other endpoints intensify. Hackers will try to access critical assets through any of these new points, and the expansion of the digital surface works in their favor. Therefore, penetration tests that cover wireless security must be exhaustive.
5. Physical and edge computing tests
Not every threat to a company happens remotely. There are still many attacks that can be accelerated or only done by physically hacking a device. With the rise of edge computing, as businesses create data centers closer to their operations, physical testing has become more relevant.
White hat hackers will test door security systems, access cards, locks, cameras, and sensors as well as attempt to impersonate personnel. They will also verify how safe devices, data centers, and edge computer networks are when an attacker can physically access them. These tests can also be executed with the full knowledge of the security team or without it.
6. Cloud security tests
Private and public clouds offer many benefits for companies, but they also give cyber criminals opportunities. Many organizations have business-critical assets in the cloud that, if breached, can bring their operations to a complete halt. Companies may also store backups and other important data in these environments.
While cloud vendors offer robust built-in security features, cloud penetration testing has become a must. Penetration tests on the cloud require advanced notice to the cloud provider because some areas of the system may be off-limits for white hat hackers.
Cipher explains that penetration testing in the Microsoft Cloud must comply with the Microsoft Cloud Unified Penetration Testing Rules of Engagement, and while running a pentest on Amazon Web Services (AWS), organizations must fill out the AWS Vulnerability — Penetration Testing Request Form.
Cloud penetration tests will examine security, applications and APIs, access, storage, encryption, virtual machines (VMs), operating systems (OSs) and updates, Secure Shell (SSH) and Remote Desktop Protocol (RDP) remote administration, and misconfigurations and passwords.
7. Red team vs. blue team
Penetration tests often engage in a military-inspired technique, where the red teams act as attackers and the blue teams respond as the security team. This holistic approach allows for penetration tests to be realistic and measure not just the weakness, exploitations, and threats, but also how security teams react.
While some organizations hire experts to act as blue teams, those who have in-house security teams can use this opportunity to upskill their workers. Security teams can learn how to respond more rapidly, understand what an actual attack looks like, and work to shut down the penetration tester before they simulate damage.
There are many variations of red and blue team tests. Blue teams can be given information about what the attacker will do or have to figure it out as it happens. Sometimes the blue team is informed of the time of the simulation or penetration test; other times, they are not. Penetration testers can give insights on how in-house security teams are responding and offer recommendations to strengthen their actions using this technique.
- Red Team vs Blue Team vs Purple Team: Differences Explained
- How to Implement a Penetration Testing Program in 10 Steps
- Penetration Testing Phases & Steps Explained
Penetration Testing Methods and Approaches
There are three main testing methods or approaches. These are designed for companies to set priorities, set the scope of their tests — comprehensive or limited — and manage the time and costs. The three approaches are black, white, and gray box penetration tests.
Black box penetration tests
Black box penetration tests are the most complex to execute. In these tests, the organization does not share any information with the pen tester. The tester will have to identify and map the full network, its system, the OSes, and digital assets as well as the entire digital attack surface of the company.
Due to their complexity and time-consuming characteristics, black box tests are among the most expensive. They can take more than a month to complete. Companies choose this type of test to create the most authentic scenario of how real-world cyberattacks operate.
White box penetration tests
In a white box test, the organization will share its IT architecture and information with the penetration tester or vendor, from network maps to credentials. This type of test commonly establishes priority assets to verify their weaknesses and flaws.
White box tests are also known as crystal or oblique box pen testing. They bring down the costs of penetration tests and save time. Additionally, they are used when an organization has already tested other parts of its networks and is looking to verify specific assets.
Gray box penetration tests
Gray box testing, or translucent box testing, takes place when an organization shares specific information with white hat hackers trying to exploit the system. Gray box tests usually attempt to simulate what an attack would be like when a hacker has obtained information to access the network. Typically, the data shared is login credentials.
To avoid the time and costs of a black box test that includes phishing, gray box tests give the testers the credentials from the start. These tests also simulate internal attacks. The goal of this test is not to test authentication security but to understand what can happen when an attacker is already inside and has breached the perimeter.
How to Determine What Tests to Run
The type of test an organization needs depends on several factors, including what needs to be tested and whether previous tests have been done as well as budget and time. It is not recommended to begin shopping for penetration testing services without having a clear idea of what needs to be tested.
Each type of test is designed for a specific purpose. The first question any organization needs to ask is what assets are business-critical for their operations. Once the critical assets and data have been compiled into an inventory, organizations need to look into where these assets are and how they are connected. Are they internal? Are they online or in the cloud? How many devices and endpoints can access them?
Knowing what is critical for operations, where it is stored, and how it is interconnected will define the type of test. Sometimes companies have already conducted exhaustive tests but are releasing new web applications and services. In this case, they should consider running white box tests to only test the latest apps. Penetration testers can also help define the scope of the trials and provide insights into the mindset of a hacker.
Bottom Line: Types of Penetration Testing
Ultimately, the types of penetration tests you choose should reflect your most important assets and test their most important controls. Well chosen test parameters can give you the most important information you need — while leaving some budget for the inevitable cybersecurity improvements a good pentest report will recommend.
It’s essential that penetration tests not just identify weaknesses, security flaws, or misconfigurations. The best vendors will provide a list of what they discovered, what the consequences of the exploit could have been, and recommendations to strengthen security and close the gaps. Penetration tests play a vital role in cybersecurity and have proven critical for businesses to keep up to date with the ever-evolving global threat landscape.
Get the Free Cybersecurity Newsletter
Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices.