A penetration test or pen test is an intentionally planned attack on a software or hardware system seeking to expose the inherent security flaws that may violate system integrity and end up compromising user’s confidential data. In this post, we are discussing different types of penetration tests so that you know what to cover, estimate efforts, execute efficiently.
The scope of a penetration test (i.e. the level of intrusion) derives from the kind of operation you wish to explore on the target system. Therefore, a security tester must think thoroughly and decide upon the most relevant type of penetration test. Hence, knowing about the different types of pen tests is what expected from a good pen tester.
This type of pen test is the most common requirement for the pen testers. It aims to discover vulnerabilities and gaps in the network infrastructure of the clients. Since the network could have both internal and external access points, so it is mandatory to run tests locally at the client site and remotely from the outer world.
The testers should target the following network areas in their penetration tests:
Also, there are a set of software modules which the penetration test should cover are as follows:
It is more of a targetted test, also, more intense and detailed. Areas like web applications, browsers, and their components like ActiveX, Applets, Plug-ins, Scriptlets fall in the scope of this type of pen testing.
Since this test examines the end points of each web apps that a user might have to interact on a regular basis, so it needs thorough planning and time investment.
Also, with the increase in threats coming from the web applications, the ways to test them are continuously evolving.
The goal of these tests is to pinpoint security threats that emerge locally. For example, there could be a flaw in a software application running on the user’s workstation which a hacker can easily exploit.
These may be programs or applications like Putty, Git clients, Sniffers, browsers (Chrome, Firefox, Safari, IE, Opera), and even presentation as well as content creation packages like MS Power Point, Adobe Page Maker, Photoshop, and media players.
In addition to third-party software, threats could be home grown. Using uncertified OSS (open source software) to create or extend home made application could cause severe threats that one can’t even anticipate. Therefore, these locally developed tools should also pass through the penetration test cycle.
This test intends to analyze the wireless devices deployed on the client site. The list of devices include items like tablets, laptops, notebooks, iPods, smartphones, etc. Apart from the gadgets, the penetration tester should consider preparing tests for the following.
Usually, such tests should take place at the customer end. The hardware used to run pen tests need to connect with the wireless system for exposing vulnerability.
This type of test also run as an important part of penetration testing. It paves ways for verifying the “Human Network” of an organization. This pen test imitates attacks which the employees of a company could attempt to initiate a breach. However, it can further split up into two subcategories.
Please note that you must inform the appropriate people before conducting the social engineering penetration test. Also, remember to emulate real world exploit instead of playing a movie scene.