what is pen testing


Penetration testing, also known as pen testing or ethical hacking, is a simulated cyberattack on a computer system, network, or other facility, performed to evaluate its security. The goal of pen testing is to identify vulnerabilities and weaknesses in the system, and to provide recommendations for improving its security. Penetration testers use the same tools, techniques, and processes as attackers, and they may be given varying degrees of information about or access to the target system, depending on the goals of the test.

Penetration testing is a proactive cybersecurity measure that can be adapted to any industry or organization. It is typically performed by testers known as ethical hackers, who use hacking methods to help companies identify possible entry points into their infrastructure. Pen testing can be used to identify hackable systems, attempt to hack a specific system, or carry out a simulated data breach.

Penetration testing is an essential component of a full security audit. For example, the Payment Card Industry Data Security Standard requires penetration testing on a regular schedule and after system changes. It can also support risk assessments as outlined in the NIST Risk Management Framework SP 800-53. A comprehensive approach to pen testing is essential for optimal risk management, and there is no one-size-fits-all tool for it: different targets require different sets of tools for port scanning, application scanning, Wi-Fi break-ins, or direct penetration of the network.

Penetration testing uses both automated and manual processes to uncover known and unknown vulnerabilities. Because pen testers actively exploit the weaknesses they find, they are less likely to turn up false positives. Penetration testing services are usually provided by third-party security experts, who approach the systems from the perspective of a hacker, and they often uncover flaws that in-house security teams might miss.

In summary, penetration testing is a simulated cyberattack on a system, network, or other facility, performed to evaluate its security. It is a proactive cybersecurity measure that can be adapted to any industry or organization, and it is typically performed by testers known as ethical hackers. Penetration testing is an essential component of a full security audit, and it can support risk assessments.