The legal framework yields the following insight: hacking is different from penetration testing. As we have already touched upon indirectly in the previous module, hackers attempt to circumvent or break security mechanisms in order to gain unauthorised data access. Penetration testing is thus more or less some sort of countermeasure on behalf of IT security in an arms race against attackers. Potential clients ask us or hire us to identify vulnerabilities in their IT systems in order to subsequently reinforce them.
Consequently, we must employ the same technical procedures as a malicious attacker. But it doesn’t end there. We also need to use an organised approach to achieve reproducible results. If we proceed any other way, some (obvious) vulnerabilities may go undetected by us. Unlike a hacker, we are not satisfied with one entry point into the system, we want to uncover all of them. And we are compelled to report the vulnerabilities identified to our client. This is usually accomplished with a final report, which not only lists the vulnerabilities but also prioritises them according to risk. Critical vulnerabilities should naturally be addressed before low-risk vulnerabilities. This means that hacking is “only” the technical part of penetration testing.
Moreover, a hacker pursuing his or her goal with an iron will may invest more time into the target system than what is planned for penetration testing. They may attack a company at will. And in addition to that, they may continuously attack a company if their sole objective is to hurt it. So they don’t care if an administrator has his or her beauty sleep interrupted at 2 a.m. due to a system crash. Even though that’s not entirely true. Most likely they will be peeved that their attack went noticed, but they will hardly care who was inconvenienced by their actions. This means hackers are unpredictable. But we can simulate this behaviour as a pentester in consultation with our client. In the following chapter, we will learn under which characteristics a penetration test can be classified.
To summarise the above: hacking differs from penetration testing in terms of motivation, time used and legality.
Last modified: Dec. 15, 2022
Take a look at the pentest training chapters and learn penetration testing:
Discover the world of penetration testing. Learn how to infiltrate networks and successfully penetrate systems and applications. Acquire the necessary hacking skills and use them when conducting professional penetration tests. Become a real penetration tester. Here you will find the free documents for the Pentest Training of binsec academy GmbH. The binsec academy GmbH offers the corresponding security training lab environments and certifications. However, the knowledge and wiki articles on hacking and penetration testing is universal.
binsec academy GmbH is the European provider of online security training with virtual laboratory environments. The core component of all security training is the focus on practice, practice and more practice. In the wiki here you will find the public and freely available course materials. You can put the theory into practice at binsec-academy.com.