Ethical hacking or ‘penetration testing’ is when businesses hire a white-hat hacker to hack into their systems and find any sensitive information. It may seem unorthodox but the reasoning behind it is quite resourceful. The main purpose of a penetration test is to locate any weak areas within the businesses security system. The idea behind it is ‘in order to catch a hacker, you must think like one.’ Because of this, it allows businesses or organisations to be one step ahead of the criminals.
How to prepare for a penetration test
1. First things first – Get approval.
This is very important, you’ll need a formal approval from the business in order to conduct a penetration test. Most businesses won’t be pleased to hear that their system was hacked. Whether it’s a by a cyber criminal or an ethical hacker, especially without their knowledge.
Getting conformation isn’t straightforward, it involves a discussion between the senior staffs of the organisation and the testers. This discussion should include which parts of the business’ system they want to test, which will most likely be one of these four:
- Network penetration testing: Ethical hackers attempt to infiltrate an organisations security system remotely via the internet.
- Web application penetration testing: This tests include testing user authentication, checking web applications for defects and safeguarding web and database server security.
- Wireless penetration testing: A wireless pen test consists of the ethical hacker identifying Wi-Fi networks, Determining encryption weaknesses and identifying users’ identities and credentials.
- Simulated phishing: This is a test to see if employees are susceptible to phishing attacks.
The agreement should be documented with the rules of the testing which describes what the team is and isn’t allowed to do, and protects the them if any issues occur during their work.
2. Decide what type of penetration test you want to carry out
Zero knowledge testing: This is when the hacker has no knowledge of the business or organisation.
Partial knowledge testing: The testers are given little information that’s given to them such as the systems, IP addresses, network configurations and any other relevant details.
Full knowledge testing: The hacker is given all necessary information. Mostly common with internal testers.
Blind testing: A blind test is when it’s carried out without the knowledge of the business’ administrators.
Double blind test: The administrators and the security have no knowledge of the test
3. Pick a team to carry out the test
It’s ideal to have a team of experts with different areas of expertise. And decide who would be best for a specific task. This is something PCW Solutions can organise but since it’s so costly we only recommend it if it’s necessary for big businesses.
4. Use accurate Tools
The type of tools you use should align with the type of test you’re conducting. If you’re doing a double blind test you will need to use discreet and subtle tools and techniques. whereas if you need to be agile you might use notable tools.
Following these steps, a sufficient penetration test can be done.
Read our last article on how How To Set Up Your Disaster Recovery Plan