This lesson covers penetration testing as required by OCR J277 Section 1.4. Penetration testing is a proactive approach to network security that helps organisations identify vulnerabilities before attackers can exploit them.
Penetration testing (often called pen testing) is the practice of deliberately testing a computer system, network, or web application to find security vulnerabilities that an attacker could exploit.
A penetration test simulates a real-world attack in a controlled and authorised manner. The testers (known as penetration testers or ethical hackers) use the same tools and techniques as malicious hackers, but they have written permission from the system owner, stay within an agreed scope, and report what they find to the owner rather than using it to cause harm.
OCR Exam Tip: The key word is "authorised." Penetration testing is legal because the tester has explicit permission from the organisation. Without permission, the same actions would be illegal under the Computer Misuse Act 1990.
Organisations carry out penetration tests for a number of reasons:
| Reason | Explanation |
|---|---|
| Identify vulnerabilities | Discover weaknesses before attackers do |
| Test security controls | Verify that firewalls, encryption, and authentication work as expected |
| Compliance | Meet legal and regulatory requirements (e.g. GDPR, PCI DSS) |
| Assess impact | Understand the potential damage if a real attack occurred |
| Improve security | Use findings to fix weaknesses and improve defences |
| Staff awareness | Test whether employees follow security policies (e.g. social engineering tests) |
The three main types of test differ in how much information the testers are given beforehand, which trades realism (how closely the test resembles a genuine outside attack) against thoroughness (how much of the system the testers can cover in the time available):
| Type | Knowledge Level | Realism | Thoroughness |
|---|---|---|---|
| Black box | None | High | Lower |
| White box | Full | Lower | High |
| Grey box | Partial | Medium | Medium |
A typical penetration test follows five stages: planning and reconnaissance (agreeing the scope and gathering information about the target), scanning (probing the target for open ports, services and known weaknesses), gaining access (exploiting a weakness that was found), maintaining access (checking whether the foothold could be kept, as a real attacker would try to do) and reporting (documenting what was found, how serious it is and how to fix it).
OCR Exam Tip: You may be asked to explain the purpose of penetration testing or describe its stages. Focus on: finding vulnerabilities, testing defences, and providing recommendations — all with the organisation's permission.
The diagram below shows the five stages flowing into a remediation cycle.
```mermaid
flowchart LR
A["1. Planning &<br/>Reconnaissance"] --> B[2. Scanning]
B --> C[3. Gaining Access]
C --> D["4. Maintaining<br/>Access"]
D --> E[5. Reporting]
E --> F{"Vulnerabilities<br/>fixed?"}
F -- Retest --> B
F -- All clear --> G[Live Deployment]
style E fill:#fff4d4
style G fill:#d4f4dd
```
| Feature | Penetration Testing | Malicious Hacking |
|---|---|---|
| Authorisation | Authorised by the organisation | Unauthorised |
| Legality | Legal | Illegal (Computer Misuse Act 1990) |
| Purpose | Improve security | Steal data, cause damage, financial gain |
| Reporting | Findings reported to the organisation | Vulnerabilities exploited secretly |
| Outcome | Stronger security | Data breaches, financial loss |
Penetration tests are usually carried out by:
Penetration testing is a vital part of network security. It involves authorised attempts to breach a system to identify and fix vulnerabilities. The three main types are black box (no knowledge), white box (full knowledge), and grey box (partial knowledge). The process runs through planning and reconnaissance, scanning, gaining access, maintaining access and reporting, followed by a retest once the reported vulnerabilities have been fixed. For the OCR J277 exam, remember that the key distinction from malicious hacking is authorisation: penetration testers have permission.
Consider Harbour Electronics, a mid-size online retailer planning to launch a new customer portal. Before going live, the board commissions a grey-box penetration test from an external consultancy. The consultancy will be given a test-environment login at customer level but no knowledge of the internal network design. The scope is formally agreed in writing: the consultants may probe the new portal, the associated API and the test database, but must not touch production systems or attempt social engineering of staff.
Planning and reconnaissance. The consultants spend two days gathering information that any real attacker could also obtain: the retailer's public IP ranges, the technology stack visible from HTTP response headers, and a list of subdomains from certificate-transparency logs. They also review the application's public JavaScript to understand how client-side forms call the API. Apart from fetching the pages and scripts that any ordinary visitor would load, this stage is passive and observational: no scanning or exploitation takes place, and even the ordinary requests stay inside the written scope.
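The reconnaissance described above, as an added Python example that is not part of the lesson: it fingerprints the technology stack from a captured response header block, pulls the retailer's hostnames out of a certificate-transparency search result, and lists the API paths the public JavaScript calls. The header block, the crt.sh-style JSON and the script fragment are all constructed inline, and the domain harbour-electronics.example and every path in it are hypothetical, so the script runs offline; on a real engagement each input would be replaced by captured data.

```python
"""Reconnaissance helpers for the Harbour Electronics scenario (added example, not
from the lesson).  All inputs are constructed inline so this runs offline; the
domain harbour-electronics.example and every path in it are hypothetical."""
import json
import re

# Constructed: a response header block as a tester would capture it from the portal.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Server: nginx/1.24.0
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=abc123; Path=/
Set-Cookie: laravel_session=xyz; Path=/; HttpOnly
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=UTF-8
"""

# Constructed: a crt.sh-style certificate-transparency result (only name_value is used).
SAMPLE_CT_JSON = json.dumps([
    {"name_value": "www.harbour-electronics.example\nharbour-electronics.example"},
    {"name_value": "portal-test.harbour-electronics.example"},
    {"name_value": "*.harbour-electronics.example"},
    {"name_value": "api.harbour-electronics.example"},
    {"name_value": "shop.other-company.example"},  # unrelated, must be filtered out
])

# Constructed: a fragment of the portal's public JavaScript.
SAMPLE_JS = """
const API = "/api/v2";
function login(u, p) {
  return fetch(API + "/auth/login", {method: "POST", body: JSON.stringify({u, p})});
}
function orders(id) { return fetch(`${API}/orders?customer=${id}`); }
fetch("/api/v2/admin/export", {method: "GET"});
"""


def parse_headers(raw):
    """Return (name, value) pairs with lower-cased names; the status line is
    skipped and repeated headers such as Set-Cookie are all kept."""
    pairs = []
    for line in raw.splitlines()[1:]:
        if line.strip():
            name, _, value = line.partition(":")
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def fingerprint_stack(raw):
    """Infer web server, language and framework from header clues, and record
    which defensive headers are absent (a low-severity item for the report)."""
    findings = {}
    pairs = parse_headers(raw)
    for name, value in pairs:
        if name == "server":
            findings["web_server"] = value
        elif name == "x-powered-by":
            findings["language"] = value
        elif name == "set-cookie":
            cookie = value.split("=", 1)[0]
            if cookie == "PHPSESSID":
                findings.setdefault("language", "PHP")
            elif cookie.startswith("laravel"):
                findings["framework"] = "Laravel"
    expected = {"strict-transport-security", "content-security-policy"}
    findings["missing_security_headers"] = sorted(expected - {n for n, _ in pairs})
    return findings


def subdomains_from_ct(ct_json, domain):
    """Collect hostnames under `domain` from CT log entries.  crt.sh packs several
    names into one newline-separated name_value; wildcard names are reduced to
    the parent name and hosts under other domains are dropped."""
    names = set()
    for entry in json.loads(ct_json):
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)


def api_paths_from_js(js, base_var="API"):
    """Extract API endpoint paths from client-side code.  A `const API = "..."`
    prefix is resolved so that both `API + "/x"` and `${API}/x` expand; the
    query string is not part of the path and is left out."""
    m = re.search(r'const\s+' + base_var + r'\s*=\s*["\']([^"\']+)["\']', js)
    base = m.group(1) if m else ""
    expanded = js.replace("${" + base_var + "}", base).replace(base_var + ' + "', '"' + base)
    paths = re.findall(r'["\'`](/api/[\w/.\-]*)', expanded)
    return sorted({p for p in paths if p != base})


def recon_report():
    """Everything the reconnaissance stage hands on to the scanning stage."""
    return {
        "stack": fingerprint_stack(SAMPLE_HEADERS),
        "hosts": subdomains_from_ct(SAMPLE_CT_JSON, "harbour-electronics.example"),
        "api_endpoints": api_paths_from_js(SAMPLE_JS),
    }


if __name__ == "__main__":
    print(json.dumps(recon_report(), indent=2))
```

The report this produces is the hand-off to the scanning stage: the host list says where to look, the endpoint list says what to probe on the portal's API, and the stack fingerprint narrows the known weaknesses to check for. The certificate-transparency lookup is genuinely passive, but fetching headers and scripts does contact the retailer's servers, so even this step must stay inside the written scope agreed with Harbour Electronics.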