Originally published on The Last Watchdog.
When we look at society today, we can see that we are moving further and further ahead with technology. Numerous advancements are being made at an extremely fast pace with no sign of slowing down. In fact, there is evidence that technology grows exponentially fast. Because we are releasing large technologies so quickly, security risks always come with them.
Even large companies are not immune to this. Microsoft has had several security vulnerabilities, including Zerologon. Penetration tests are one way of mitigating the security risks that arise and making sure that we are not endangering users, their data, and the trust they inherently place in technology.
Penetration tests can be defined as the testing of a system to find security flaws in it. There are three main types of penetration tests, as defined by the Infosec Institute: black box, grey box, and white box. Each has different goals and tasks.
Pen test types
Black box testing takes the stance of an outside hacker who has no prior or inside knowledge of the system. This type of test determines what is exploitable from outside the system and whether the attacker is able to gain access to the system being tested.
Grey box testing is the next level of knowledge of a system. The tester has access to the internal mechanisms of a system and maybe some privileges. This allows for testing of internal structures while still simulating an outside threat who has obtained internal access.
Finally, there is white box testing. This test has the most prior knowledge: the tester has access to all parts of a system, including elevated access, source code, and any other part of the system for analysis. This can test all parts of the system inside and out. It could also simulate a malicious employee.
In all of these tests, the goal is to simulate an attack, and to find and remove vulnerabilities that exist within the system.
Protecting critical systems
In our growing technological society, penetration tests are very important to the safety of our software and systems. Many do not realize it, but safe software can literally be the difference between life and death. These cases are not isolated examples, either. Many critical systems like this exist, such as pacemakers and other medical systems, airplanes, and even cars. All of these are controlled by code and computers and, most importantly, can be hacked.
While they are not as essential as the aforementioned systems, the security of other systems matters a lot too, because personal privacy is important. If we do not secure these systems, our personal data, such as credit card numbers, addresses, or passwords, can end up leaked.
As mentioned earlier, technology is rapidly expanding. This massive expansion is the reason why penetration tests will remain essential in the current environment. More than ever, being one step ahead of hackers is crucial to keeping businesses safe. Depending on the scope of the test, many different results can be achieved. Penetration tests can find faults in software that has been developed, find vulnerabilities in a business's network, and test how resilient a company is to social engineering.
Businesses are constantly changing their software and networks. Whether it is a new update or a migration to a newer system, all of these changes can introduce new vulnerabilities. Nowadays, software patches and fixes are very common and happen frequently.
While both attacks and defenses continue to evolve, and even now can involve AI, human resistance to social engineering does not evolve much. It is astounding how far a person can get with the right outfit and a bit of confidence. Even phishing emails still continue to trick people. Relying on spam detection alone to catch phishing is not as valuable as having trained employees, because emails can still get through and physical social engineering attacks can still take place.
What all of this means is that, as updates and rapid changes and growth in technology continue to happen, and hackers continue to social engineer, penetration tests will still be needed and remain essential.
About the essayist. Dakota Staples is a student at the University of New Brunswick in Canada who is pursuing a bachelor's degree in computer science. He says he intends to earn a master's degree in applied cybersecurity, beyond that. Staples founded CyberCode.ca, a website about IT news and training.