What is the main purpose of penetration testing

Purpose of penetration testing

The purpose of a penetration test is to uncover vulnerabilities that can then be fixed. There are many attack surfaces that can be used by threat agents (hackers), including software and system bugs, coding errors, poor passwords and bad security practices in general. Many of these can be rectified simply by updating everything regularly, but often people don’t realise exactly what that means. Here’s an example. There is a LOT more to it than this, but you’ll get the idea:-

You need to use a website securely to do some banking, how can you make sure it is secure?

Let’s start at your end

You

Who can see over your shoulder?
Have you chosen a good password for the computer?
Have you chosen a good password for the bank?
Who else knows your passwords?
Have you thought about the Website you’re going to use; how do you know it’s legitimate?

Your Hardware

Who does the computer you are using belong to? What can they see?
Is your keyboard secure? Some wireless & wired keyboards can be ‘tapped’.
How old is the BIOS? Are there vulnerabilities in it?

Your Browser

Is the browser secure and up to date? Or could there be vulnerabilities in it?
Are there any plug-ins working in the background? What are they doing?
Is the browser talking directly to the bank? Or is it going somewhere else first?

Your Operating System

Does the operating have any vulnerabilities? How do you know?
What are all those services and programs doing? Are they safe? Or do they have vulnerabilities?
Who or what else is connected to the operating system? What access do they have?

Your Network

Is your wireless connection secure? How do you know? Can it be eavesdropped?
Is the router secure? Does it have a good admin password? Are there other users that may not?
Does the router/firewall software have any vulnerabilities in the code?
Does the router/firewall have any vulnerabilities in the firmware?

The Internet

Where does your data go when it leaves your router? Is it safe? Who’s listening?
Is the traffic encrypted? Is it encrypted well enough? Who can decrypt it?

The Website

Does the Website have any errors in the code? How do you know?
Is the Website using third-party plug-ins that are safe? Are they up-to-date?
What language is the website using? Is that up to date?

The Web Server

What webserver is hosting the site? Are there vulnerabilities in the code?
Who has access to the web server? What are their passwords like?

The Server O/S

What operating system is it running on? Is that error-free?
What else is running on the server? Is that safe?
Who has access to the server? By what means?

The Database Server

The web server will connect to a database. Is it safe, patched and up to date?
What else is running on the database server?
Who has access to it?

The Database Server Operating System…
The Hardware…
The Network…

What does penetration testing involve?

The job of a pentester is to look at every element in the chain to figure out which parts of the system might be susceptible to attack. In the example above a pentester would discover as much about the entire process as possible, right from what the browser looks like, to what server the database runs on. In virtually all cases this is done by utilising already known vulnerabilities, which is why keeping everything as up to date as possible is so important. They will essentially ask some of the questions above and use special tools to extract some of the information. Sometimes pentesters work in teams and sometimes they work alone. The goal of a pen-test differs depending on the circumstances i.e. often the goal is to ‘gain root’, which means to hack an account with full administrative privileges, but sometimes the goal is just to try to extract information that shouldn’t be visible.

Get in touch

Speak to one our Cyber Security Experts Today

020 3778 2030

hello@unitymetrix.com

Recent Articles

Elevating SOP International’s Cybersecurity Posture

Client Overview: SOP International, a rapidly growing and thriving business, recognized the critical importance of cybersecurity in safeguarding its operations against the increasing threat of security breaches. With a proactive approach, the CEO sought to fortify...

Enhancing Global IT Infrastructure for Svenska Petroleum

Background Svenska Petroleum, an international oil and gas exploration company, faced significant challenges in managing their global IT infrastructure. With operations spread across Sweden, Norway, England, and Guinea Bissau, Svenska Petroleum struggled with high...

Chamberlyns Case Study: Demonstrating Leadership in Financial Planning through Cybersecurity Excellence

Overview: Chamberlyns, a Chartered and Accredited Financial Planning Firm, recognized for their success and commitment to client service, sought to further distinguish themselves in the competitive financial sector. Their objective was clear: to showcase a mature and...

Aura Media Case Study: Elevating Cybersecurity for Business Growth

Overview: Aura Media, a dynamic start-up poised at the forefront of the digital sector, recognized early on the critical role of data in securing profitability and growth. With a director knowledgeable in technical and GDPR aspects, Aura Media had initiated...

Risk
Reduction

Trusted
Expertise

24/7
Support

Pain-Free
Compliance

Latest Articles

We specialise in all aspects of cyber security!

Acunetix web vulnerability scanner

How Acunetix Works Acunetix works in the following manner: Acunetix DeepScan analyses the entire website by following all the links on the site, including links which are dynamically constructed using JavaScript, and links found in robots.txt and sitemap.xml (if...

Do I need a penetration test?

Do I need a penetration test? If you have a website that takes information about users… If you have a website that takes credit cards… If you have an internal system that shares personal information with external bodies… If you develop systems that will hold personal...

Why is penetration testing required and why is it so important?

Penetration testing is required for two main reasons: Everyone makes mistakes! In Microsoft Windows for instance there are over a 50 million lines of code, there are definitely going to be mistakes, and some can be costly. Hackers actively look for those mistakes....

What does vulnerability scanning do?

Vulnerability scanning is the process of scanning software and systems for known vulnerabilities.

How do you perform a vulnerability scan?

How do you perform a vulnerability scan? A vulnerability scan is performed by a piece of software that resides either on a system inside the network, or more often on a cloud service. Modern scanners are very powerful and have a lot of automation built-in, so for a...

Vulnerability scanning

What does vulnerability scanning do? Vulnerability scanning is the process of scanning software and systems for known vulnerabilities. A vulnerability scanner will maintain and refer to a massive database of known vulnerabilities in order to compare and classify...

Datto ALTO 3 Explained

Datto SIRIS Explainer

What is a virtual CISO? When and how to hire one

Chief information security officers (CISOs) are in high demand, and good ones are expensive and difficult to find. Following a rash of high-profile data breaches, and knowing that such breaches have far-reaching consequences that are far more costly than the cost of...

Get in Touch

Have any questions or need assistance? Fill out the form below and one of our helpful and friendly cyber security experts will get back to you promptly.