Penetration testing is an important process for determining the strength of an organization’s IT security. However, the value of the process itself is determined by the thoroughness of the testing. In other words, not all penetration testing is created equal.
But let’s back up a bit and answer a few questions:
First, what is a penetration test?
Using automated tools and processes, as well as human testers, a penetration test will challenge a network’s security through a series of “attacks” designed to reveal and exploit areas of weakness. Through penetration testing, organizations should find out what will happen in the event of a real-world attack on their IT assets and security measures. It should demonstrate the effectiveness of existing security measures against an active, skilled, human attacker, as even the most complex and up-to-date security systems could potentially be vulnerable to a human attacker able to deploy multiple types of attacks at the same time. Human involvement is important: a penetration test that explores only one type of attack – for example, through a web browser – will reveal only how well the security system performs under those specific conditions, and nothing about the rest.
How is a penetration test carried out?
Ideally, a penetration test will involve a multitude of approaches. It will usually involve one or more skilled attackers. Some may refer to these attackers as hackers, but that’s not necessarily accurate, as a security breach could be carried out in person by someone slipping by a receptionist and physically removing laptops, flash drives, etc., from an office. Penetration tests can also be carried out on IP address ranges, individual applications, or even using as little information as a company name or street address. Regardless, a penetration test should always have findings. There is no perfect security system, and all organizations can take additional steps to improve security.
Why are penetration tests important?
They can give security personnel real experience dealing with intrusions. Penetration tests should be done without informing staff. By doing this, an organization can test whether its policies are truly effective. Think of it as a fire drill – the goal is to determine how well an organization’s security personnel respond to an emergency situation without advance warning.
Penetration tests can also tell your organization which aspects of its security measures are in need of improvement or revision. For example, a penetration test may reveal that while your organization was able to detect an attack, it may have been less-than-effective in removing the attacker from the system before damage occurred.
Penetration tests will also provide feedback on the most vulnerable areas of your organization’s security infrastructure. Penetration testers think outside the box, and will try to get into your system by any means possible – just like a real-world attacker. This can uncover vulnerabilities your security team never considered, and test reports can help your organization prioritize future investments.
Finally, penetration testing is an excellent training tool for developers. If developers can see how an outside attacker broke into an application they designed, they will be more motivated to improve their knowledge of security to avoid similar errors in the future.
The final word
Penetration testing is worth doing, but only if it is done correctly. Is penetration testing mandated by your industry? If so, instead of finding the lowest cost automated penetration testing service just for the sake of getting it over with, why not invest in a comprehensive, personalized penetration test? If you do take the cheap route, and are compromised later on, will you be able to rationally defend your selection of penetration test method? If you care about the security of your organization’s people and data, it is the attack from the real world that counts most – not an automated series of exercises with a narrow scope. It’s easy to forget the reasons for having security requirements when we are busy trying to validate compliance.
There is no one-size-fits-all solution for penetration testing. At Keystone, we will help you determine the type and scope of penetration testing appropriate for your organization. For more information, please contact us.