How does pen testing work?

In Information Security | By Team Acumin / 12th February 2016

Penetration testing, more commonly referred to as ‘pen testing’, is a method of network testing used to combat network intrusion from outside sources, such as hackers and cyber criminals.

Ethical hacking

Pen testing is often thought of as a form of ‘ethical hacking’, and is commonly used by companies of all sizes to perform a range of security tests on a network system. A number of different methodologies are used in pen testing, in order to explore a network fully, identify any possible vulnerabilities that may be present, and confirm or disprove any perceived threats to the network system.

When a pen test is executed correctly, its results allow network experts to come up with recommendations for fixing any security problems inherent in the network. The main purpose of a pen test is therefore to improve the security of a network, and to protect the network and any devices connected to it, now or in the future, against whatever attacks may be attempted on the system.


One of the things that pen testing does best is confirm network weaknesses, which is what makes pen testing so different from a vulnerability assessment. A pen test, unlike a vulnerability assessment, uses various methods to legally exploit the network in order to prove that a security threat really exists and could pose a risk. A vulnerability assessment, on the other hand, is simply an evaluation of the network system that looks for potential security risks without exploiting them.

Simulation attack

During a penetration test, the tester simulates the same scenario a hacker would use to penetrate the network system. It is therefore important that anyone tasked with carrying out a pen test has the correct authorization before doing so. The test also needs to be thoroughly planned so as not to disrupt daily operations.

How does it work?

There are numerous steps that need to be followed when carrying out pen testing, but the most important is the planning phase. During this critical period, network professionals must carefully review network specifications, user documentation, network usage and other relevant data so that they can design a series of test cases that will help them determine the security status of a network system.

Network interfaces

One of the things pen testers will do is gather information about the network interfaces that exist between software and the outside environment. This generally includes application programming interfaces (APIs), user interfaces and other input points that are likely to be a target for security exploits.

If these interfaces are incorrectly designed, it’s all too easy for hackers to gain access to the network, which is why monitoring them is an important part of pen testing.

Errors and user alerts

Another thing that network professionals will look at during pen testing is the dialogues linked with user alerts and error messages. This is information that can be passed to an external user via various pieces of software, so it is vulnerable to abuse.

For example, an external user with malicious leanings could use this information for unethical purposes, collecting data that will allow them to exploit the system. It is therefore important that testers identify the kind of information being given out in these dialogues, as well as how these dialogues are being presented.
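The check described above, as an added example that is not part of the original article: a small classifier that flags the kinds of internal detail an error dialogue should never hand to an external user, beside the hardened handler pattern that keeps that detail in the server-side log. The regex rules and the sample responses are constructed for illustration.

```python
"""Classify error responses for information leakage (added example).

classify_error() reports which categories of internal detail an error
body discloses; safe_error_response() shows the hardened alternative.
Rules are heuristics and may produce false positives; tune them per app.
"""
import re
import uuid

# (category, pattern): detail that should never reach an external user.
LEAK_RULES = [
    ("stack_trace", re.compile(r"Traceback \(most recent call last\)|"
                               r"\bat [\w.$]+\(\w+\.java:\d+\)")),
    ("sql_error", re.compile(r"\b(SQLSTATE|ORA-\d{5}|You have an error in "
                             r"your SQL syntax|syntax error at or near)\b", re.I)),
    # Windows drive paths or common Unix roots, e.g. /var/www/html/login.php
    ("file_path", re.compile(r"(?:[A-Za-z]:\\|/(?:var|etc|home|usr|opt))[\w./\\-]+")),
    ("server_version", re.compile(r"\b(Apache|nginx|IIS|PHP|Tomcat|OpenSSL)/\d+(\.\d+)+", re.I)),
]

# Constructed sample error bodies, as a tester might capture them.
SAMPLE_RESPONSES = {
    "verbose_php": ("Warning: mysqli_query(): You have an error in your SQL syntax "
                    "in /var/www/html/login.php on line 42\nServer: Apache/2.4.18 (Ubuntu)"),
    "java_trace": "HTTP 500\n\tat com.example.shop.CartService.checkout(CartService.java:118)",
    "generic": "An error occurred. Please try again later.",
}


def classify_error(body: str) -> list:
    """Return the sorted leak categories found in one error body ([] if clean)."""
    return sorted(cat for cat, rx in LEAK_RULES if rx.search(body))


def audit(responses: dict) -> dict:
    """Map each captured response name to the categories it leaks."""
    return {name: classify_error(body) for name, body in responses.items()}


def safe_error_response(exc: Exception, server_log: list) -> dict:
    """Hardened pattern: full detail is written to the server-side log under an
    opaque reference; the user sees only a fixed message plus that reference."""
    ref = uuid.uuid4().hex[:12]
    server_log.append(f"ref={ref} {type(exc).__name__}: {exc}")
    return {"status": 500, "body": f"An error occurred. Reference: {ref}"}


if __name__ == "__main__":
    for name, leaks in audit(SAMPLE_RESPONSES).items():
        print(f"{name:12s} -> {leaks or 'no leakage detected'}")
```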

Disaster scenario identification

In the initial planning phase of pen testing, network professionals will identify numerous worst-case scenarios in order to work out how a network attack would likely pan out. This information is gathered from particular network threat models and previously identified exploits, if there are any.

Information gathered during the initial planning phase guides network professionals through the pen testing process itself, which focuses on variation: testers locate the different aspects of the software applications and their external environment that can be changed.

These aspects are then varied to determine how the system responds. This process helps to ensure that software applications are able to perform under normal and abnormal circumstances alike.

In terms of overall security, the main places where variation is able to expose security issues are user input, the network environment (made up of system resources, applications and files), and the internal logic and data within the network system. When these inputs are varied during pen testing, security issues are both identified and confirmed, so that experts can fix any problems and increase security.

An ongoing process

It is important to note that pen testing is not something a company can get away with doing once or twice. The process must be carried out on a regular basis if companies are to keep on top of cyber security threats. Hacking techniques develop very quickly, and cyber criminals are becoming ever more sophisticated in their methods of attack.

It is particularly important to carry out penetration testing and assessments each and every time a new application is put into use within the network system, especially if that application is to handle sensitive data that would be highly sought after by cyber criminals and hackers. Doing so could help to prevent an inadvertent data breach that would put a company in a tough position.

Hiring a network security professional

Pen testing is also something that absolutely must be carried out by a fully trained network security professional who has the relevant qualifications to carry out penetration testing and various other network assessments.

This is so important because a poorly executed pen test could leave an organization vulnerable to attacks, which would be detrimental to their daily operations and, as a result, their business.

By having a correctly performed pen test carried out, companies of all shapes and sizes can prevent data breaches and ensure that their data, and that of their customers, is kept out of the hands of those who would seek to exploit it. This has never been more important, as the alarming data breaches of the likes of Talk Talk, Vtech and Ashley Madison have recently shown.