Penetration Testing: Questions answered


1. Why perform penetration testing?

One should understand that penetration testing is an instrument for getting additional information regarding the systems’ state of security. A penetration test shows where hackers may breach one’s system; hence, this information can be used to support the decision-making process when implementing protection mechanisms.

In a nutshell, penetration testing would help with:

  • Vulnerability analysis for the target system,
  • Assessment of the losses due to a potential breach,
  • Gaining an unbiased view of the state of the system and its protection mechanisms,
  • Gaining insight into the qualifications of the internal security staff.

2. Who should perform penetration testing?

Penetration testing should be performed by independent third-party professionals to ensure unbiased, quality results.

One should also consider the ethical aspect, and only hire teams with a proven reputation in the field. Otherwise, information about a company’s critical vulnerabilities may be leaked to competitors.

3. When is the best time to perform penetration testing?

The best time to perform penetration testing is after the implementation and configuration of a new system. One should apply all the security mechanisms according to the best practices and legal and regulatory requirements before undergoing a penetration test; otherwise the necessity of such an exercise would be questionable.

4. Who would benefit from penetration testing?

Organizations that realise the importance of information security and protection of information assets would highly benefit from penetration testing.

Banks and insurance companies are not the only ones on this list. There is nothing more valuable than human life, which is why penetration testing could be valuable for transport and energy companies.

But what if a company is not large enough for a system breach to cause a crisis or substantial financial losses? Even in these cases, penetration testing may prove useful. Small and medium-sized enterprises are likely to have a website which helps them sell goods or services. Losses due to a breach of that system could substantially harm their reputation and competitive advantage.

5. What penetration testing approaches are there?

White box: where the penetration testing team already has some initial information on the system, including the range of IP addresses, ports, source code, hardware and software components, etc.

Black box: where the penetration testing team has no information on the system at all. The team has to model a potential hacker’s actions from the ground up. In doing so, they might, for example, use social networks to find victims of social engineering. This approach is usually more expensive and requires more time.

6. Can a penetration test reveal no vulnerabilities?

One should understand that there are no systems that are absolutely secure. A report that lists no vulnerabilities at all is more likely to indicate a poor choice of penetration testing team than a flawless system.

7. Penetration testing: only a set of tools?

One may think that penetration testing is limited to running several vulnerability scanners, password cracking utilities, traffic sniffing tools, etc. These are, no doubt, the main tools used by penetration testing professionals, but they only aid the expert in finding weaknesses. A comprehensive and robust penetration test relies mainly on the expert’s skills and experience.

8. Can common software be used as a penetration testing tool?


For example, people who frequently type in two or more languages may choose to use the software, which automatically changes the keyboard language (e.g. Punto Switcher). This piece of software can be used as a keylogger. Every keystroke would be saved in a special text file.

9. What can ARP-attacks reveal?

Successful ARP attacks may indicate incorrectly configured network devices. Nowadays, almost all network devices can be configured to identify such anomalies (for example, an IP address that suddenly answers from a different MAC address, or one MAC address claiming several IP addresses).
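The kind of anomaly detection the answer refers to can be illustrated in software. The following is an added example, not code from the original article: it parses a constructed log of ARP replies (timestamp, sender IP, sender MAC, in a made-up whitespace-separated format) and raises an alert when an IP address changes its MAC address, with higher severity for a configured gateway address, and when a single MAC address starts answering for more IP addresses than policy allows. The log lines, the gateway address and the alert format are all assumptions for illustration.

```python
"""Detect ARP anomalies (IP-to-MAC changes, one MAC claiming many IPs).

Example added for illustration; the log format and all addresses are
constructed, not captured from a real network.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float        # time the reply was observed
    sender_ip: str   # IP the sender claims to own
    sender_mac: str  # hardware address it advertises for that IP


# Constructed sample: a gateway (192.168.1.1) and one host (192.168.1.10)
# answer normally, then an unknown MAC starts answering for both of them.
SAMPLE_LOG = """\
1.0 192.168.1.1  aa:bb:cc:00:00:01
2.0 192.168.1.10 aa:bb:cc:00:00:10
3.0 192.168.1.1  aa:bb:cc:00:00:01
4.0 192.168.1.1  DE:AD:BE:EF:00:99
5.0 192.168.1.10 de:ad:be:ef:00:99
"""


def parse_log(text):
    """Turn the constructed 'ts ip mac' lines into ArpReply records."""
    replies = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, mac = line.split()
        # Normalise case so 'DE:AD' and 'de:ad' compare equal.
        replies.append(ArpReply(float(ts), ip, mac.lower()))
    return replies


def detect_anomalies(replies, gateway_ip=None, max_ips_per_mac=1):
    """Return a list of alert dicts, in the order the anomalies were seen.

    - 'ip-mac-change': an IP previously seen with one MAC now uses another.
      Severity is 'high' if the IP is the configured gateway (classic
      man-in-the-middle position), otherwise 'medium'.
    - 'mac-multi-ip': one MAC claims more IPs than max_ips_per_mac allows.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for r in replies:
        previous = ip_to_mac.get(r.sender_ip)
        if previous is not None and previous != r.sender_mac:
            alerts.append({
                "ts": r.ts,
                "kind": "ip-mac-change",
                "ip": r.sender_ip,
                "old_mac": previous,
                "new_mac": r.sender_mac,
                "severity": "high" if r.sender_ip == gateway_ip else "medium",
            })
        ip_to_mac[r.sender_ip] = r.sender_mac

        mac_to_ips[r.sender_mac].add(r.sender_ip)
        if len(mac_to_ips[r.sender_mac]) > max_ips_per_mac:
            alerts.append({
                "ts": r.ts,
                "kind": "mac-multi-ip",
                "mac": r.sender_mac,
                "ips": sorted(mac_to_ips[r.sender_mac]),
                "severity": "medium",
            })
    return alerts


def run_sample():
    """Convenience wrapper over the constructed log."""
    return detect_anomalies(parse_log(SAMPLE_LOG), gateway_ip="192.168.1.1")


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed log this produces three alerts: a high-severity change of the gateway's MAC at t=4.0, a medium-severity change for the host at t=5.0, and a medium-severity notice that the new MAC now answers for two addresses. In practice the same checks are what switch features such as Dynamic ARP Inspection and host-side ARP monitors implement; a flood of such alerts during an engagement usually means those features were never turned on, which is exactly the configuration gap the answer above describes.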

10. Can a penetration test be performed to discover vulnerabilities that don’t lead to significant financial losses?

Yes, it can.

An attacker might not be motivated by financial gain, but can still cause some harm. For example, a company might use network printers. Each printer would have its own IP address with port 9100 open. An attacker might:

  • discover the printers’ addresses by scanning the network,
  • remotely connect to a printer using the command telnet <printer IP address> 9100,
  • print messages of his or her own choosing.

11. What should one expect as a result of the penetration test?

A company that orders penetration testing should receive a full description of:

  • The penetration testing activity and its stages,
  • The tools that were used,
  • The vulnerabilities discovered,
  • The vulnerabilities that were exploited,
  • The likelihood and risk of the identified vulnerabilities and their potential impact,
  • The recommendations on how to mitigate the outlined vulnerabilities.
