Penetration Testing: What? When? Why?

Nat Shere
Published in SECOPS
3 min read · Jan 25, 2017

Penetration testing, sometimes called “white hat hacking” or “ethical hacking,” is the process of allowing security professionals to attack your network and/or infrastructure just as a malicious hacker would do.

With security incidents in the news on a daily basis, it’s clear that nobody is free from the risk of being targeted by cybercrime: not large corporations, small businesses, government agencies, or even presidential candidates.

A proactive company can save money and brand reputation by testing its security before someone else does. Moreover, there are obvious advantages to having paid professionals penetrate your network as opposed to external attackers:

  • Paid professionals will not leave ransomware on your sensitive file server
  • Paid professionals will assist you in remediating identified vulnerabilities
  • Paid professionals will not publish any captured data on the Internet
  • Paid professionals can stop, or pause, the engagement if it is impacting critical assets

Many security firms offer different levels of penetration tests. The starting level is usually called a vulnerability scan or vulnerability assessment. At this level, professionals will run automated tools and scripts that perform various enumeration activities to identify known vulnerabilities in services and hosts. While this type of test is usually quick and relatively cheap, it is only capable of identifying vulnerabilities that follow known patterns.

The next level is a targeted penetration test, such as a network or web application penetration test. While more robust and comprehensive than a scan, this level of testing is limited by the scope of the engagement.

Finally, at the highest level, is what is often referred to as a “Red Team Penetration Test.” With Red Team testing, all elements of a company are within the scope of the engagement, and testing can take up to several months to complete.

With all of these different types of testing, it is a security travesty that more companies do not incorporate them into their security program. Because corporate environments are regularly changing and new vulnerabilities and exploits are identified every day, penetration testing should ideally be performed on an annual, or at least semi-annual, basis.

If the cost of a Red Team exercise is prohibitive, targeted penetration testing should be performed against security-sensitive assets, including: any externally facing service/host; business-critical assets, such as databases or mail servers; and even employees.

In addition, companies should perform regular vulnerability scans and incorporate the results into a vulnerability management program to ensure that critical vulnerabilities are remediated as quickly as possible.

Identifying weak points in a company’s security is the first step to preventing security incidents. Between a vulnerability management program, which includes regular scanning and remediation efforts, and regular penetration testing, a company can identify and solidify those weak points and stay one step ahead of hackers.
