A penetration test is a type of security assessment performed on a computer system in which the person performing the assessment attempts to hack into the system. The goal of the test is to determine whether or not someone with malicious intent can enter the system, and what he or she can access once the system has been penetrated. Penetration tests are offered by a number of firms which specialize in the security of computer systems, and they are often strongly recommended for systems and companies of all sizes, as damage to a computer system caused by a hostile attack can be costly and embarrassing.
There are a number of different approaches to the penetration test. In a black box approach, no information about the system is provided to the person performing the test. He or she starts from the ground up to seek out potential exploits and break into the system. In a white box test, all of the information is provided, allowing the tester to simulate an inside job or leak of information. Some companies pick a hybrid approach, in which some information is provided and other information must be sought out.
In the course of a penetration test, the security expert can simulate the deletion or alteration of data, theft of files, insertion of malicious code, and a variety of other activities. The penetration test can slow down the system, which makes the timing of the test important; companies want to avoid interfering with their own operations when they are performing security assessments.
The people who perform penetration tests have a broad range of computer skills, and some have a history as hackers, which has familiarized them with the numerous ways in which computer systems can be exploited. Hiring skilled hackers as security consultants can actually be a very savvy business move for a firm which specializes in computer and network security, as hackers often have the most up-to-date knowledge and information, and they are used to approaching computer systems from the perspective of someone with malice, rather than that of a concerned security expert.
For simple testing, it is possible to use an automated system to perform a penetration test. This cuts down on expense, and allows companies to easily conduct random testing when they think there might be a need. Manual testing is more in-depth and time-consuming, but it can yield more complete results. A creative and determined human can detect potential exploits which an automated program may miss.
Once a penetration test is concluded, the findings are written up and presented to the client. Along with the findings, a list of recommendations is generated, with the security firm indicating areas in which security could be improved and making suggestions for improvement.