Penetration testing: tools or humans?

Penetration testing has become an integral part of robust cybersecurity defence. Put simply, a penetration test, otherwise called a pen test, is a simulated cyberattack against your system.


Why is Penetration Testing Important?

The goal of a penetration test is to find vulnerabilities before nefarious hackers do. Penetration testing is essentially a confidence check - it helps you determine whether your security policies effectively stop a cyberattack in its tracks. Additionally, by identifying the weak points in your system's defence, you become aware of all the ways hackers can gain unauthorised access to your sensitive data.


Successful cyberattacks and data breaches can be extremely costly for an organisation, both financially and in terms of reputation. According to IBM, the average cost of a data breach in 2020 was an eye-watering $3.86 million[1]. If you can find your weak points before the bad actors do, you can take meaningful steps to protect your systems.


How do Penetration Tests Work?

Third-party ethical hackers test a computer system, network, web application, IP address ranges, or individual applications to find weak spots that a hacker could exploit.  

How ethical hackers go about pen testing will depend on several factors. For example, if the organisation is looking to test the efficacy of its network, the pen testers might start by examining network interfaces, user interfaces, and APIs. If the interfaces are improperly designed, the ethical hackers may find a loophole that will allow them entry. If they are testing an individual application, they might look for the level of security (password protocols and multifactor authentication), who has access, and how data is fed into the application.

The type of test could also depend on what the organisation is looking to achieve. If an organisation wants to confirm the strength of its internal security policies or vulnerability assessments, it might opt for Whitebox testing, where complete information about the target system is shared with the testers. By contrast, in Blackbox testing, no information about the target system is shared with the testers. Blackbox testing is closer to an authentic cyberattack.

Penetration testing is typically conducted using a range of automated software tools specific to the nature of the job. Some examples of these tools include Kali Linux, nmap, Wireshark, and Metasploit.


The Human Element of Penetration Testing

While penetration testing tools are essential, the people behind them are just as critical. A key element of penetration testing is thinking as the hackers do, which is something ethical hackers excel at. Ethical hackers can put themselves into the mindset of bad actors to think of the techniques they could use to access your system.

It's also important to remember that while hacking nearly always involves tools, it's ultimately human; research shows that 95% of data breaches are caused by human error[2]. Furthermore, many cyberattacks start with or include elements of social engineering. Social engineering is defined as malicious activities accomplished through human interactions, such as when a hacker poses as a trusted individual to convince an employee to give away sensitive information like login credentials.

The best penetration test is one that utilises expert software and highly skilled and empathetic ethical hackers.

White Jar is the first cybersecurity service made in Italy and powered by a community of certified ethical hackers. Its major strength is the ability to run constant penetration testing by leveraging the collaboration between companies and ethical hackers. Partly because of the pandemic, a gap has formed in the cybersecurity market: the gap between the skills companies demand and those actually available on the market. On top of that, threats to cybersecurity are increasing in number and frequency. For these reasons, the human element is a determining factor.

Traditional Penetration Testing vs Ethical Hackers

As already noted, the strength of a "human" service is the possibility of long-term projects that allow constant testing. By contrast, the more traditional version of penetration testing works under shorter time constraints.

Another issue we've already pointed out is the gap between the skills in demand and the actual supply. In a crowdsourced cybersecurity project that involves real ethical hackers, this is no longer a problem. There is already a solid base of experts from all around the globe ready to be involved. Uncertainty about individual skills is not an issue, because gaps in one hacker's competences can be compensated for by other hackers in the network.

Traditional penetration testing can make it hard to track results, while WhiteJar has a dashboard that shows results in real time. It can also be integrated with bug tracking systems such as Jira, so the issues get right into the developers' hands.

Disclaimer: traditional and crowdsourced penetration testing are two different methods, but they are both valid and beneficial. In the next article of this column, we'll get more into the differences between the two methodologies.



[1] Varonis

[2] CybintSolutions
