A penetration test, commonly known as a pen test, is a simulated cyber attack against your computer system to check for exploitable vulnerabilities. In the context of web security, penetration testing is often used to augment a web application firewall (WAF). Pen tests can be performed manually or with automated software to probe for security weaknesses. This includes checking for potentially unsanctioned access to system features and data, as well as evaluating the system’s ability to remain secure against unauthorised access, code injection, and more.
Penetration tests are broadly categorized into two types: non-authenticated and authenticated. Understanding the difference between these two approaches is crucial for businesses looking to protect their digital assets effectively. Here’s a detailed overview of both types:
Non-Authenticated Penetration Test
Non-authenticated penetration testing, also known as black-box testing, simulates the actions of an external hacker who has no prior knowledge of the system. The tester attempts to exploit potential vulnerabilities from an outsider’s perspective, using publicly available information. This type of test is crucial for understanding how an attacker could gain unauthorized access to the system without having any internal knowledge or credentials.
Key features include:
- Limited Information: Testers start with minimal information, mirroring real-world attackers who discover information through their own means.
- External Perspective: Focuses on the vulnerabilities that are visible from outside the network or system.
- Objective Assessment: Offers an unbiased view of the system’s external security posture.
- Less Expensive: With less to test, it can reduce the time taken and hence the costs.
Authenticated Penetration Test
Authenticated penetration testing, or white-box testing, involves providing the testers with some level of access as legitimate users of the system. This could range from basic user-level access to more privileged administrative access. The goal is to identify what a malicious insider or an external attacker who has gained such access could do. This type of testing is more comprehensive, as it explores both the external and internal vulnerabilities of the system.
Key features include:
- Comprehensive Coverage: Testers have access to the system, allowing for a more thorough examination of its internal security.
- Identification of Privilege Escalation Vulnerabilities: Determines how an attacker could exploit lower-level access to gain more significant control over the system.
- Insider Threat Simulation: Mimics the potential damage a disgruntled employee or an attacker with stolen credentials could cause.
Comparison and Contrast
The main difference between non-authenticated and authenticated penetration tests lies in the perspective and level of access granted to the testers. Non-authenticated tests are invaluable for identifying the vulnerabilities an external attacker would encounter first, making them essential for understanding the initial level of defence. Authenticated tests, conversely, can test the same vulnerabilities but also provide a deeper dive into what could happen if those initial defences were breached or if the threat originates from within.
Choosing between non-authenticated and authenticated penetration testing depends on several factors, including the organisation’s security posture, specific industry regulations, and the critical nature of the systems involved. Most organisations go for the authenticated pen test, as it usually covers both external and internal threats and reduces the time the penetration tester spends on discovery, increasing the chance of vulnerabilities being found. Furthermore, it is typical that clients will accept an authenticated penetration test but will not accept a non-authenticated penetration test. The main reason a few companies go for a non-authenticated pen test instead of an authenticated pen test is cost.