Creating a Penetration Testing Plan: What You Need to Know Before Starting

Written by Coursera Staff

Learn about penetration testing plans, including the stages of the planning process, different types of penetration tests, and careers where you can perform penetration tests.


Cybersecurity is an important aspect of various organizations and industries, from government to health care, finance, and more, as cybercriminals attempt to access data, systems, and devices. These attacks are increasingly common and cause massive financial strain on organizations that fall victim to cybercrime. This has led to a growing demand for cybersecurity professionals with the skills to safeguard against digital threats. One approach to mitigating the threat of cyberattacks is penetration testing, which makes it possible to spot vulnerabilities before attackers do.

What is penetration testing?

Penetration testing, or pen testing, is a cybersecurity measure during which an organization has someone simulate a cyberattack on its computer system to identify vulnerable areas. Once the weaknesses are known, the organization can put mitigation strategies in place to keep its systems safe.

Performing penetration tests is important because they provide more context than a vulnerability scan. Penetration tests allow you to learn a system's weaknesses, similar to how a vulnerability scan does, while also showing you how an attacker may exploit these weaknesses so you can establish a better defense plan.

Five stages of penetration testing

Penetration testing is a five-step process that covers reconnaissance, scanning, vulnerability assessment, exploiting, and reporting. During each step, you perform specific tasks that help you identify potential risks so you can formulate a plan to address them.

Reconnaissance

During reconnaissance, you establish the goals of the pen test. This helps you determine which information to collect during the test and which testing methods to implement.

Scanning

The scanning phase is where you begin searching for potential entry points and areas to focus on during the penetration test. This step involves inspecting the system's code and checking network traffic, similar to a vulnerability scan.

Vulnerability assessment 

With your findings from the reconnaissance and scanning phases, you can now assess the system's vulnerabilities and establish areas you can exploit. This allows you to get a feel for the level of risk the different vulnerabilities present.

Exploiting

With your knowledge of the system's vulnerabilities, you can start exploiting them, but with caution. You should take extra precautions during this stage to prevent damaging or crashing the system. Exploiting the vulnerabilities allows you to learn what specific assets are at risk, how easy it is to spot a breach if one occurs in that location, and the potential consequences.

Reporting

The report you create following the penetration test will detail your findings and share how the organization can implement your recommendations to improve its systems' security. 

Importance of creating a penetration testing plan

Creating a pen test plan is important to completing a successful penetration test. By outlining the procedures and overall scope of the test, you can ensure that no area is left unaddressed and get a full picture of the system you are testing and its vulnerabilities. A penetration testing plan also helps ensure you follow all the necessary security testing compliance guidelines since some organizations have specific compliance requirements within their industry, such as those set by the Health Insurance Portability and Accountability Act (HIPAA).

Best practices for developing a pen test plan

The process for conducting a pen test is straightforward, but you can implement best practices like choosing the appropriate type of test to improve its effectiveness. Keep the following in mind:

Define the scope.

Going into the penetration test, it’s important to define the scope of the test and establish objectives that provide direction during the test. That way you know which key areas to prioritize, based on the level of risk different areas present and on budget considerations.

Run a vulnerability scan.

A vulnerability scan before the penetration test will help bring attention to potential vulnerabilities so you can go into the test with an idea of where to focus your efforts. During the pen test, you can further establish the level of vulnerability within that area.

Choose the pen test approach to use.

As the one performing the penetration test, you will work with the organization to establish which testing option to proceed with. Three main types of pen tests exist: black-box, gray-box, and white-box tests. In a black-box pen test, you go into the test completely blind, with no knowledge of the system, making it similar to how a cyberattack would occur from an outside threat. Gray-box tests come with some, but not all, information about the system to simulate an attack coming from someone who already has some level of access or understanding of the system. White-box tests give you all information about the system, helping to ensure a highly in-depth penetration test that covers all potential vulnerabilities.

Selecting test types

While the pen testing approach defines the level of information you have going into the test, you also have several options for the specific type of penetration test you will use:

  • Network penetration test: Network penetration tests occur internally or externally and examine the computer network. Internal network tests mimic an attack from an attacker within the network, such as someone inside the organization. An external network test simulates an attack from someone outside the organization attempting to gain access through physical assets, such as computers, websites, or servers.

  • Application penetration test: You can perform penetration tests on various applications, such as web, mobile, and cloud-based apps, through application pen tests. These tests are highly complex, covering the different components of applications, including the source code and databases, to identify all potential vulnerabilities.

  • Hardware penetration test: During a hardware penetration test, you will direct your efforts toward the physical devices connected to a network, including software flaws within the hardware. 

  • Client-side penetration test: A client-side penetration test allows you to identify vulnerabilities within the applications, programs, and web browsers the client uses. This helps to determine the types of cyberattacks that pose a threat, such as malware infections or HTML injections.

  • Personnel penetration test: Personnel penetration tests assess whether or not employees are correctly following proper security measures by attempting to persuade employees to give up sensitive information that leaves them susceptible to an attack.
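
The practices above (scope, objectives, approach, test types, and prioritizing by risk and budget) can be written down as a plan and checked before any testing starts. The following is an added example, not part of the original article: the plan fields and function names are hypothetical, the sample plan is constructed, and all addresses are documentation ranges.

```python
import ipaddress

# Values taken from the article: three approaches and five test types.
APPROACHES = {"black-box", "gray-box", "white-box"}
TEST_TYPES = {"network", "application", "hardware", "client-side", "personnel"}

# Constructed sample plan; addresses are documentation ranges (RFC 5737).
PLAN = {
    "objectives": ["Assess external exposure of the customer portal"],
    "approach": "gray-box",
    "test_types": ["network", "application"],
    "in_scope": ["192.0.2.0/24", "198.51.100.16/28"],
    "excluded": ["192.0.2.10/32"],  # e.g. a fragile production host
    "budget_hours": 40,
    "areas": [  # (name, risk 1-5, estimated hours)
        ("customer portal", 5, 24),
        ("vpn gateway", 4, 12),
        ("intranet wiki", 2, 16),
    ],
}

def validate_plan(plan):
    """Return a list of problems; an empty list means the plan is complete."""
    problems = []
    if not plan.get("objectives"):
        problems.append("no objectives defined")
    if plan.get("approach") not in APPROACHES:
        problems.append("approach must be one of " + ", ".join(sorted(APPROACHES)))
    unknown = set(plan.get("test_types", [])) - TEST_TYPES
    if unknown or not plan.get("test_types"):
        problems.append("missing or unknown test types: " + ", ".join(sorted(unknown)))
    if not plan.get("in_scope"):
        problems.append("no in-scope networks listed")
    return problems

def in_scope(plan, address):
    """True only if the address is inside an in-scope network and not excluded."""
    ip = ipaddress.ip_address(address)
    allowed = any(ip in ipaddress.ip_network(n) for n in plan["in_scope"])
    excluded = any(ip in ipaddress.ip_network(n) for n in plan.get("excluded", []))
    return allowed and not excluded

def prioritize(plan):
    """Pick areas highest-risk first until the hour budget is used up."""
    chosen, remaining = [], plan["budget_hours"]
    for name, risk, hours in sorted(plan["areas"], key=lambda a: -a[1]):
        if hours <= remaining:
            chosen.append(name)
            remaining -= hours
    return chosen
```

Running every target through in_scope before it is touched keeps excluded hosts out of the test even when they sit inside an in-scope network.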

Who uses penetration testing plans?

The penetration testing process is generally carried out by a contractor from outside the organization. This is because an outsider is more likely to identify vulnerable areas that would otherwise be overlooked by those who are already familiar with the system. While penetration testers often perform penetration tests, related job titles include security analyst and security engineer. Here’s a closer look at each of these positions.

Penetration tester

Average annual US salary: $111,732 [1]

Education requirements: Most penetration tester job openings require you to have at least earned a bachelor’s degree in an area such as cybersecurity, information technology, or computer science.

As a penetration tester, you will work to identify security vulnerabilities within an organization's systems, understand how an attacker may exploit them, and help establish strategies that will help keep systems safe. You may work within an information technology department or for a cybersecurity firm where your work is offered as a service to outside clients.

Security analyst

Average annual US salary: $113,200 [2]

Education requirements: To become a security analyst, first earn a bachelor’s degree in computer science, cybersecurity, information systems, or a related field.

As a security analyst, you will work to safeguard an organization's computer networks and systems. You will also be responsible for responding to security breaches, as well as preventing them and identifying security flaws.

Security engineer

Average annual US salary: $136,604 [3]

Education requirements: To become a security engineer, earn a bachelor’s degree in a relevant area, such as computer science, information systems, software engineering, or cybersecurity.

As a security engineer, you will help protect data from cybersecurity threats. You are responsible for maintaining and developing the systems that employees rely on for access to data. You may also help establish safety guidelines and perform tests to assess your system’s vulnerability to attacks.

Pros and cons of penetration testing

Penetration testing offers several benefits for an organization. In some cases, regulations require penetration testing, making it crucial to follow the proper guidelines. Pen tests also help mitigate the threat of cyberattacks and avoid the high costs of experiencing one.

Some downsides exist for you to keep in mind. For example, an error during a penetration test can be costly, potentially causing a system to crash. In addition, if you don’t properly navigate a penetration test, you could ultimately leave the system more exposed than it was before.

Getting started with Coursera

As cyberattacks grow, many organizations are directing more time and attention to protecting their systems. By learning about measures like pen testing, you can help counter cybersecurity threats and thwart bad actors' efforts. 

On Coursera, you can find highly rated penetration testing and cybersecurity courses. Ethical Hacking Essentials from EC-Council covers fundamental information security topics, including ethical hacking, penetration testing, and different types of cyberattacks. Foundations of Cybersecurity from Google serves as an introduction to help you prepare for a career in cybersecurity, helping you learn about the impact of attacks on a business and gain familiarity with cybersecurity tools.

Article sources

1. Glassdoor. “How Much Does a Penetration Tester Make?” https://www.glassdoor.com/Salaries/penetration-tester-salary-SRCH_KO0,18.htm. Accessed December 5, 2024.
