Penetration Tests (or Pentests, for short) are mainly performed after a risk analysis has determined that there is a certain level of probability and potential damage connected to the possibility of an attack against the IT resources of an organization.
Such attacks target one or more of the following:
- intentionally visible IT services of the organization (for instance the web site)
- normally invisible interfaces to the IT infrastructure (like remote admin access portals)
- internal (user) access interfaces and IT resources (e.g. the WLAN)
Pentests therefore try to identify all of these, either as a normal attacker would or starting from a certain level of background information, and to find out in practice what the vulnerabilities and weaknesses of those exposed parts of the IT infrastructure might be. The aim of a Pentest is not to actually bring down IT resources or steal data; usually it is a rather noiseless test that stops as soon as there is solid proof that a real attack would be possible. Yet a good Pentest does not stop there: in the next steps the issue is analyzed and put in the context of the risk analysis, and finally suggestions are made for remediation or mitigation.