Hacking vs. Penetration Testing
The legal framework yields the following insight: hacking is different from penetration testing. As we have already touched upon indirectly in the previous module, hackers attempt to circumvent or break security mechanisms in order to gain unauthorised access to data. Penetration testing is thus a kind of countermeasure on behalf of IT security in an arms race against attackers. Potential clients ask us or hire us to identify vulnerabilities in their IT systems so that these systems can subsequently be reinforced.
Consequently, we must employ the same technical procedures as a malicious attacker. But it doesn’t end there. We also need to use an organised approach to achieve reproducible results. If we proceed any other way, some (obvious) vulnerabilities may go undetected. Unlike a hacker, we are not satisfied with one entry point into the system; we want to uncover all of them. We are also obliged to report the vulnerabilities we identify to our client. This is usually accomplished with a final report, which not only lists the vulnerabilities but also prioritises them according to risk. Critical vulnerabilities should naturally be addressed before low-risk vulnerabilities. This means that hacking is “only” the technical part of penetration testing.
Moreover, a hacker pursuing his or her goal with an iron will may invest more time in the target system than is planned for a penetration test. They may attack a company whenever they like. In addition, they may attack a company continuously if their sole objective is to hurt it. So they don’t care if an administrator has his or her beauty sleep interrupted at 2 a.m. due to a system crash. That’s not entirely true, though: most likely they will be peeved that their attack was noticed, but they will hardly care who was inconvenienced by their actions. This means hackers are unpredictable. But we can simulate this behaviour as a pentester in consultation with our client. In the following chapter, we will learn by which characteristics a penetration test can be classified.
To summarise the above: hacking differs from penetration testing in terms of motivation, time used and legality.
binsec academy GmbH - Online IT Security Training with Practical Focus
binsec academy GmbH is a provider of online IT security training, offering practical, lab-based courses for professionals. The academy provides hands-on training in areas such as penetration testing and secure software development. Participants gain practical experience through realistic lab environments, including simulations of company networks and applications. Courses are available in multiple programming languages and align with standards like OWASP Top 10 and PCI DSS. Upon successful completion, participants receive certifications such as the Binsec Academy Certified Pentest Professional (BACPP) and Binsec Academy Certified Secure Coding Professional (BACSCP), demonstrating their ability to identify and remediate security vulnerabilities.