Skip to main content
SolarWinds MSP
  • Login
  • Support
  • Partnerships
    • Partnerships Overview
    • Solution Provider Program
    • Technology Alliance Program
    • Distributor Program
SolarWinds MSP
  • Products
    • Monitoring & Management
    • N-central Automate. Tackle complex networks. Get remote monitoring and management built for efficiency and scale.
    • RMM Start fast. Grow at your own pace. Try this powerful but easy remote monitoring and management solution.
    • Backup
    • Backup Get data protection for servers, workstations, applications, documents, and Microsoft 365 from one dashboard.
    • Security
    • EDR Defend against ransomware, zero-day attacks, and evolving threats with endpoint detection and response.
    • Mail Assure Leverage mail protection and archiving to keep your users safe from email threats and downtime.
    • Passportal Adopt and enforce best practices for password and documentation management with ease.
    • Tools & Services
    • MSP Manager Increase helpdesk efficiency with a robust PSA, ticketing, reporting, and billing management solution.
    • Take Control Help support customers and their devices with remote support tools designed to be fast and powerful.
    • View All
  • Solutions

    Solutions

    • Security Protect your customers and expand your business by offering layered security services without the complexity.
    • Monitoring Choose the right remote monitoring and management solution to meet you where you are and grow with you.
    • Operational Efficiency Boost profits by improving efficiency via automation, resources and training, and time-saving products.
    • IT Departments Keep your organization productive by easily managing IT from a single, easy-to-use, web-based dashboard.
    • Remote Monitoring Solutions Comparison Compare SolarWinds RMM and N-central side by side. Sign up to talk to a specialist to find the right fit.
    • View All
  • Resources
    • Download
    • Resource Library
    • Product Information
    • Free Tools
    • Learn
    • MSP Institute Webinar Series
    • Daily Live Demos
    • MSP Advice Project
    • Ask the N-central Experts
    • Upcoming Webcasts
    • Connect
    • Blog
    • Security Resource Center
    • Events
    • RMM Foundations Training
  • About
    • Company
    • About Us
    • Leadership
    • Careers
    • News & Press
    • Awards & Recognition
    • Support & Policies
    • Customer Success
    • Customer Support
    • Legal
    • Security
    • Get in Touch
    • Contact
    • Get a Quote
    • Worldwide Sales & Support
  • IT Departments
  • Contact Sales
    • Contact Sales
    • General Inquiry
    • Get a Quote
    • Worldwide Sales & Support
    • Talk to Specialist
    • Security Solutions
    • Monitoring Solutions
    • Operational Efficiency
  • Try Now
    • Monitoring & Management
    • N-central
    • RMM
    • Backup
    • Security
    • EDR
    • Mail Assure
    • Passportal
    • Tools & Services
    • MSP Manager
    • Take Control
  • Request a Quote
  • Try Now
    • SolarWinds RMM
    • SolarWinds N-central
    • SolarWinds Backup
    • MSP Manager
    • SolarWinds Mail Assure
    • SolarWinds Passportal
    • SolarWinds Risk Intelligence
    • SolarWinds Take Control
Request quote
Filter Blogs
  • Filter by:
  • MSP Business
    • Automation
    • Backup & Disaster Recovery
    • Security-series
    • Best Practices
    • Business
    • Business Growth
    • Business Risk
    • Cloud Computing
    • Customer Service
    • Cybersecurity
    • Cybersecurity Awareness Month
    • Data
    • GDPR
    • Internet of Things
    • IT Support
    • ITSM
    • LOGICcards
    • Machine Learning
    • Mail
    • Managed Services
    • Marketing
    • Mobile
    • Networking
    • Operations
    • Podcast
    • Product
    • PSA
    • Remote Management
    • Research & Trends
    • Risk Intelligence
    • Security
    • Security Vlog
    • Service Desk
    • Services & Support
    • The Head Nerds
    • Tips & Advice
    • Training
Home Blog MSP Business Security Types of Penetration Techniques and Methods
Security

Types of Penetration Techniques and Methods

By SolarWinds MSP
22 April, 2019

Penetration testing is a critical technique used among managed services providers (MSPs) seeking to provide additional cybersecurity for their clients. By some estimates, a cyberattack is expected to happen every 14 seconds in the US—with total losses estimated to reach $21.5 billion. Penetration testing services can help an organization prepare for hacker attacks, malware, and more by continually and regularly checking for weaknesses, vulnerabilities, and bad user behavior on apps, services, and networks. Read on for a breakdown of penetration testing steps, services, what to expect, and penetration testing tools MSPs must know about this year.

What is penetration testing in cybersecurity?

Penetration testing is a way to “stress test” your IT infrastructure security. Penetration techniques are used to evaluate the safety and security of the network in a controlled manner. Operating systems, services, applications, and even the behavior of the end user is assessed to validate existing defense mechanisms and the efficacy of end-user security policies. 

There are a few reasons to regularly perform penetration tests (or “pen tests”). First and foremost, penetration testing can help ensure user data is secure, identify security vulnerabilities, discover loopholes in the system, and assess the overall strength of existing defense mechanisms. In addition, penetration testing can help a business stay up-to-date with each new software release. As threats evolve, financial and PI data must be secured iteratively—as new devices are added to a system, transferring data among different end points requires constant monitoring and assessment for security compliance.

Likewise, penetration testing has a few key benefits. It allows an MSP to proactively showcase their expertise and skillfully manage vulnerabilities. It saves money by allowing organizations to avoid network downtime. Penetration testing methods can help an MSP’s customers meet regulatory requirements and avoid fines. At the end of the day, it’s also an important tool to preserve an MSP’s image, reputation, and customer loyalty. 

Pen testing may sound similar to a vulnerability assessment, but the two cybersecurity measures are not the same. A vulnerability assessment focuses on identifying security issues within an organization. A list of vulnerabilities is produced from an evaluation of cybersecurity and data storage vulnerabilities. A penetration test, however, uses attack-simulated scenarios in a goal-oriented approach to cybersecurity. The test is designed to hit specific targets, such as a database, storage method, or designated file. The result of a pen test is not only a list, but a methodology and map of specific points of weakness. 

What are the types of penetration testing?

Industry experts generally divide penetration testing into three categories: black box testing, white box testing, and gray box testing. The categories correspond to different types of attacks or cybersecurity threats. 

Black box testing is concerned with a brute-force attack. In this scenario, the simulation is that of a hacker who does not know the complexity and structure of a company’s IT infrastructure. Therefore, the hacker will launch an all-out attack to try to identify and exploit a weakness. The penetration test does not give the tester any information about a web application, its source code, or any software architecture. The tester uses a “trial and error” approach to see where the vulnerabilities exist in the IT infrastructure. This type of penetration testing most closely mimics a real-world scenario, but it can take a long time to complete. 

White box penetration testing is the opposite of this first technique. In white box testing, the tester has full knowledge of the IT infrastructure, with access to the source code and software architecture of a web application. This gives them the ability to zero in on specific parts of the system and perform targeted component testing and analysis. It’s a faster method than black box testing. However, white box penetration testing uses more sophisticated pen testing tools, such as software code analyzers or debugging programs. 

Finally, gray box testing uses both manual and automated testing processes in a scenario in which the tester has partial knowledge of the internal IT infrastructure. The tester might receive the software code, for example, but not the system architecture details. Gray box penetration testing is a hybrid of white box and black box testing, allowing a user to utilize automated tools on the all-out assault while focusing their manual effort on locating “security holes.” 

These overarching types of penetration testing methods can be further subdivided into specific categories. Other types of penetration tests include: 

  • Social engineering tests: The pen test scenario tries to get an employee or third party to reveal sensitive information, such as a password, business data, or other user data. This can be done through targeting help desks or sales representatives through the phone or internet. 
  • Web application tests: The pen test uses software to assess the security vulnerability of web apps and software programs.
  • Physical penetration tests: Mostly used in government sites or other secure facilities, the pen test tries to access physical network devices and access points in a mock security breach.
  • Network services test: This is the most common pen test scenario, in which a user tries to either locally or remotely identify openings in the network. 
  • Client-side test: This is when an MSP tries to exploit vulnerabilities in client-side software programs. 
  • Wireless security test: The pen test identifies open, unauthorized, or low-security hotspots and WiFi networks and tries to infiltrate through them. 

All types of penetration testing should consider both internal and external components of an IT infrastructure. There are different phases of a penetration test that will ensure a holistic and regularly updated approach to an organization’s cybersecurity. 

What are the phases of a penetration test?

There are six generally accepted penetration testing steps. They are planning; reconnaissance and information gathering; scanning and discovery; attack and gaining access; maintaining access and penetration; and risk analysis and reporting. Depending on the frequency and type of penetration testing you wish to perform, these phases may vary slightly from MSP to MSP.

1) Planning for penetration testing 

The first phase of penetration testing involves determining the scope and goals of the test. MSPs must work with their clients to figure out the logistics, expectations, objectives, goals, and systems to be addressed. The planning phase will establish whether you are using a black box, white box, or gray box penetration testing method. 

2) Reconnaissance and information gathering

In this phase, the “hacker” or penetration tester seeks to discover as much information as possible about their target. They will gather information about end uses, systems, applications, and more. The information will be used to be precise in the penetration test, using a complete and detailed rundown of systems to understand what, exactly, needs to be addressed and evaluated. Some of the methods used during this phase may include search engine queries, domain name searches, internet footprinting, social engineering, and even looking up tax records to find personal information.

3) Scanning and discovery

The scanning and discovery phase is built to discover how the target system is going to respond to various attempts at intrusion. The penetration tester will most likely use automated penetration test tools to scan for initial vulnerabilities. Static analysis and dynamic analysis are two types of approaches used by the penetration tester. Static analysis inspects an application’s code in an attempt to predict how it will react to an incursion. Dynamic analysis looks at an application’s code as it runs, providing a real-time view of how it performs. Other aspects that a pen tester will discover include network systems, servers, and devices, as well as network hosts. 

4) Attack and gaining access

Once the pen tester has gained a complete understanding of the scope and components to be tested, they will attack in a simulated and controlled environment. Mimicking an actual cyberattack, the tester may take control of a device to extract data; perform a web application attack, such as cross-site scripting or SQL injection; or perform a physical attack, as mentioned previously. The goal of this phase is to see how far the tester can get into an IT environment without detection. The scope of the project should determine where the limits of the test should end to protect PI and other sensitive data. 

5) Maintaining access and penetration

Once a pen tester has successfully compromised their target, they should try to expand their access and maintain their presence for as long as possible. Again, the goal is to imitate a real-world bad actor as much as possible. The penetration tester in this phase will try to expand their permissions, find user data, and remain stealthy while running their programs deeper into the IT infrastructure. For example, the penetration tester may try to escalate their privileges to the role of administrator. The goal here is to remain undetected in the system for as long as possible and to try to get at the most sensitive data (according to the project scope and goals). 

6) Risk analysis and reporting

The last phase of penetration testing is the assessment and reporting phase. Once the penetration tester has been “discovered,” or the timeline for the project has been completed, a final report will be generated. The report should provide a summary of the testing, details of each step the pen tester took to infiltrate systems and processes, details of all vulnerabilities, how they cleaned up after the stress test, and suggestions for security fixes. A good penetration tester will also be able to determine the value of the compromised systems—i.e., how much financial impact would their incursion cost? To do this, a penetration tester uses some penetration testing tools. 

How long does a pen test take?

A penetration test can take between one and three weeks to perform. The time it takes to complete a penetration test depends on the type of test, the type and number of systems being evaluated, and the strength of your existing cybersecurity. It’s not a process that you should try to rush, since the point is to provide a thorough report of any vulnerabilities.  

How is penetration testing done?

Penetration testing tools can provide the feedback needed to complete the overall cybersecurity assessment. Pen test tools verify security loopholes by scanning data encryption techniques and testing logins and passwords. They resemble some of the tools a real hacker would use to try to infiltrate the system. Automated tools are useful in Black Box and Gray Box penetration testing. 

There are a few categories of penetration testing tools, including port scanners, vulnerability scanners, and application scanners. Port scanners work remotely to gather information and personal data about a target. Vulnerability scanners seek out known vulnerabilities in both network hosts and networks overall. Application scanners check for weaknesses in web-based applications. 

While it is possible to do your own penetration testing, this isn’t the most effective route to take as it’s time consuming, difficult to perform, and requires in-depth security skills and knowledge. But if you would like to use a penetration tool, there are some key characteristics to assess when selecting your software or program. 

When selecting a penetration tool, make sure the tool is easy to deploy and configure to your unique needs. The penetration tool should scan your system easily and be able to reverify any previous red flags. The tool should be able to categorize and rank vulnerabilities based on their severity, prioritizing for you what needs to be fixed immediately. There should be an automation aspect that verifies vulnerabilities for you, generating detailed logs. 

If you’re looking for further guidance, read through our resource center for other helpful information related to cybersecurity.

 

Additional Resources

  • White Paper: The Cybersecurity Blueprint
  • The Do's and Don'ts of DIY Penetration Testing
  • 7 Most Common Types of Security Breaches And How To Prevent Them
You might also like...
Security

February 2021 Patch Tuesday: Many “Exploitation More Likely” and an update to a Netlogon fix from last year

Security

What Do Auto Racing and EDR Have in Common?

Automation

What the Head Nerds Were Up to in 2020

Security

January 2021 Patch Tuesday: One Actively Exploited Vulnerability and a Few Likely to Be

Security

December 2020 Patch Tuesday—A quiet(er) finish to a busy year in vulnerabilities

Security

Documentation Management API and Why It’s Important for the MSP Business

Want to stay up to date?

Get the latest MSP tips, tricks, and ideas sent to your inbox each week.

Loading form....

If the form does not load in a few seconds, it is probably because your browser is using Tracking Protection. This is either an Ad Blocker plug-in or your browser is in private mode. Please allow tracking on this page to request a subscription.

Note: Firefox users may see a shield icon to the left of the URL in the address bar. Click on this to disable tracking protection for this session/site

Recent Posts
  • Three things I learned working for an MSP
  • Earning word-of-mouth referrals for your IT business
  • Backup automation part 1: Deploying backup devices
  • Ultimate Guide: MySQL Backup
  • Most common automation requests and how to solve them: Ep 2
Categories:
  • Security (240)
  • Tips & Advice (130)
  • Best Practices (97)
  • Backup & Disaster Recovery (96)
  • Managed Services (89)
  • The Head Nerds (82)
  • Business Growth (79)
  • IT Support (43)
  • Business (41)
  • Automation (40)
  • Operations (38)
  • Cybersecurity (37)
  • Mail (33)
  • Remote Management (30)
  • ITSM (26)
  • Networking (22)
  • Cloud Computing (21)
  • Data (21)
  • Marketing (15)
  • PSA (13)
  • Product (11)
  • Service Desk (6)
  • Services & Support (5)
  • Mobile (4)
  • Risk Intelligence (4)
  • GDPR (3)
  • Internet of Things (3)
  • Customer Service (3)
  • Research & Trends (2)
  • Training (2)
  • Business Risk (1)
  • LOGICcards (1)
  • Cybersecurity Awareness Month (1)
Show moreless
SolarWinds MSP

Products
  • SolarWinds RMM
  • SolarWinds N-central
  • SolarWinds Backup
  • SolarWinds EDR
  • SolarWinds MSP Manager
  • SolarWinds Mail Assure
  • SolarWinds Risk Intelligence
  • SolarWinds Take Control
  • SolarWinds Passportal
  • All Products Use Cases
Solutions
  • Security Solutions
  • Monitoring Solutions
  • Efficiency Solutions
  • Identify which RMM solution is right for me
  • Drive Efficiency with Automation
  • Manage my MSP Business More Efficiently
  • Manage my IT Department More Efficiently
  • Layered Security
  • Cross-Platform Support
  • Data-Driven Insights
About
  • About Us
  • Careers
  • Newsroom
  • Leadership Team
  • Upcoming Events
  • Subscription Preferences
  • SolarWinds
  • SolarWinds Trust Center
  • COVID-19 Response
Support
  • SolarWinds RMM
  • Solarwinds N-central
  • SolarWinds Backup
  • SolarWinds Mail Assure
  • SolarWinds Take Control
  • SolarWinds MSP Manager
  • Solarwinds Risk Intelligence
  • Solarwinds Threat Monitor
  • SolarWinds Passportal
  • SolarWinds Take Control Downloads
  • Backup & Recovery Downloads
  • Service Status

Footer 2

  • Legal Documents
  • Privacy
  • California Privacy Rights
  • Security Information
  • Sitemap

© SolarWinds MSP Canada ULC and SolarWinds MSP UK Ltd.
All Rights Reserved.