Penetration testing, or “ethical hacking,” is a method of exposing and purposefully exploiting the security vulnerabilities of a company’s systems. Unlike security tests that use automated programs to identify these vulnerabilities, penetration testing requires highly trained specialists to analyze the system, find its weaknesses, and use them to access protected information.
The human element of penetration testing is the most important. While a computer program can only perform the tasks with which it has been programmed, a human being can analyze new information and think of solutions that haven’t been thought of before. What’s more, a human is able to want – to feel a drive and a motivation that fuels the search for a way in.
Penetration Testing History – A Timeline
The concept of penetration testing has been around since human beings first began trying to understand their enemies’ thought processes. Ancient armies all over the world conducted mock battles and games to figure out how other armies might undermine their strategies or get around their forces. This continued for centuries upon centuries until, inevitably, the tech world got in on the act.
The Tiger Teams
Penetration testing first became a concept in the 1960s. The burgeoning tech industry realized then that having multiple users on one system, as had become the norm, posed an inherent risk to the system’s security.
This realization gave rise to what became known as “Tiger Teams.” Unsurprisingly, the first of these worked for the government and military. In 1971, the US Air Force ordered security testing of time-shared computer systems.
The 1980s
In 1984, the US Navy got in on the ethical hacking action when a team of Navy SEALs worked to evaluate how easily terrorists could access different naval bases. Around the same time, the US government was starting to come down on illegal hackers. One result of this process was the Computer Fraud and Abuse Act, which specified that particular ethical hacking techniques were only allowed under a contract between hacker and client organization.
The 1990s
As hacking became more advanced, so did penetration testing. In 1995, Dan Farmer of Sun Microsystems and Wietse Venema of the Eindhoven University of Technology released a paper entitled “Improving the Security of Your Site by Breaking Into It.”
Farmer and Venema described the emergence of the “uebercracker,” a hacker who had evolved beyond the ordinary and had learned to develop his own hacking programs. This person can discover bugs in the most advanced security systems and can get in and out of a system without leaving a trace. They showed rather than told the importance of a system owner’s looking at his or her own system in the way a hacker might, thus laying the groundwork for contemporary penetration testing.
In the same year, John Patrick of IBM termed this process “ethical hacking.”
The 2000s
After the turn of the new millennium, penetration testing finally began to solidify as a discipline. In 2003, the Open Web Application Security Project (OWASP) published its Testing Guide, which delineated the industry’s first set of best practices. Six years later, the Penetration Testing Execution Standard (PTES) offered providers of penetration testing services a set of common practices.
…And Today
In 2013, calculations revealed that spending on enterprise security had exceeded $6 billion. Skilled ethical hackers now have a marketplace that desperately needs what they are able to do, so long as employers continue to realize how important it is to stay secure against the smartest attackers.
Why Penetration Testing Matters
Systems and software are always changing, and new security protocols are evolving all the time. But a security system’s advanced nature doesn’t make it invulnerable; it just means that the system can now guard against attack types that have already happened.
Hackers are just as innovative and just as committed to effectiveness as the people who develop security systems. Companies need penetration testing to approach systems with this same determination and skill but without the intent to do actual harm to the organization.
Know Thine Enemy
Now that “data breach” has become a household term, threat detection, response, and prevention systems have become more in-depth across multiple industries. What is still missing from many such systems, however, is specific knowledge of what these threats look like. We don’t know how to make our systems stronger if we don’t know where the weaknesses are.
This is where penetration testing comes in. By running simulated attacks and figuring out how a smart hacker could bypass existing security protocol, an organization can identify what parts of the system need strengthening, as well as how to respond effectively if a hacker does break through those barriers.
Identify the Real Threats
You may have heard about a certain attack vector or sequence of attack vectors. It might be possible to take that rumor as gospel and develop protections against those vectors, but who’s to say that the actual threat won’t come from a different vector? Or even a different sequence of the same vectors?
An ethical hacker can check on the sequence that a company feels is most threatening and either
- pinpoint where the threat is, or
- determine that you should be more worried about a different vector entirely.
The same ethical hacker can also take a look at vulnerabilities that the company thought were not as threatening and figure out if a traditional hacker could combine them in a way that accesses the system.
Identify Cause and Effect
Penetration testing can help a company not only to identify how a hacker might access the system but also to see what the impacts could be on business operations. This information is invaluable to the development of a company’s threat response and prevention strategy.
Penetration Testing Risks and Benefits
No process is perfect, and penetration testing does have its risks. Most of the risks, however, come from poorly conducted ethical hacking.
Readiness for Tests, Not Attacks
It’s great for staff members to feel safe, but the company doesn’t want them to get complacent. If their supervisor announces that they are doing penetration testing, the staff might fall into the trap of preparing for the test and then feeling overly secure when they pass.
The company could get around this by offering unannounced pen-testing. These kinds of tests are only on the radar of upper management, so they get a better sense of how prepared a security staff actually is.
Potential Damage to a System
If a penetration testing professional doesn’t have the proper training and experience, his or her attempts to access a system could cause the same damage as an actual attack. This includes:
- sensitive data becoming compromised
- servers crashing
- systems becoming corrupted
These risks are also present if an ethical hacker isn’t actually ethical at all. These people do exist, so companies have to be careful and hire only credentialed professional penetration testers.
Start a Career in Penetration Testing
If you’d like to be one of the people that companies trust to perform penetration testing services, your first step is to pursue penetration testing training and secure a well-respected industry certification.