What Is Penetration Testing and Why Does Your Company Need It?

 
 

Penetration testing, also known as pen testing, is a cybersecurity exercise carried out to find and exploit the vulnerabilities and problems within a business's IT infrastructure before an attacker does, using the same tactics, techniques and procedures attackers use.

Another way of viewing penetration testing is to think of it as hiring a professional thief to find out whether someone can break into your house.

What is the primary purpose of penetration testing?

Penetration testing simulates real-world attack scenarios to discover and exploit security gaps that could potentially lead to stolen records, compromised credentials, exposed cardholder data or protected health information, data held for ransom, or other harmful business outcomes. Performing penetration testing helps you determine how best to protect your critical business data from future cybersecurity attacks. It also provides insight into which of an organization's applications are most at risk, alerting you to the types of new security tools you should invest in and the protocols you should follow.

Frequently, penetration tests are required for compliance purposes. PCI (Payment Card Industry), HIPAA (Health Insurance Portability and Accountability Act), and SOX (Sarbanes-Oxley Act) all require penetration testing to be performed for those entities that fall under these regulatory acts, and sometimes insurance companies require penetration tests to be performed before policies will be underwritten.

Who performs penetration tests?

When considering a penetration test, it is best to have the test performed by someone with little-to-no prior knowledge of how the system is secured. This is because they will be more likely to find blind spots missed by the developers who built the system.

For this reason, outside security professionals are typically the ones hired to perform the test. These professionals generally are referred to as “ethical hackers”, pen testers, or “white hat” hackers because they are hired and given permission to hack into a system for the sole purpose of increasing security (“black hat” hackers are usually engaged in criminal activity and “grey hat” hackers straddle the fence between good and bad). 


Most ethical hackers have extensive background experience with cybersecurity, along with certifications for penetration testing. Ideally, a team of ethical hackers will be used for testing so they can leverage their collective skills and experience - just like actual criminal hackers.

How are penetration tests typically carried out?

Penetration tests often start with a reconnaissance phase. During this first phase, an ethical hacker will gather pertinent data and information on the prospective target that they will use to plan their attack. Next, a series of scans is performed on the target to ascertain how its security system will counter multiple breach attempts. This will help discover possible vulnerabilities, open ports, and other areas of weakness within a network’s infrastructure and ultimately dictate how pen testers will continue.

Now, the main focus becomes gaining and maintaining access to the target system. A variety of tools and manual processes can be used during this next phase of penetration testing. The tools include software designed to produce brute-force attacks or SQL injections, and manual processes can include custom software created specifically for the pen test. There is also hardware specifically designed for penetration testing, such as small, inconspicuous boxes that plug into a computer on the network to provide the ethical hacker with remote access to that network. The hacker might also choose to use social engineering techniques to find areas of weakness. These techniques can include sending fraudulent emails to company employees or, in some cases, even impersonating delivery people to gain physical access to the building and, ultimately, the computers.

Finally, after the ethical hacker wraps up the test, they will share their findings with the designated representative of the company. The results will be compiled into a report detailing the specific vulnerabilities that were exploited, sensitive data that was accessed, the exact method of how the data was compromised, and suggested remediation steps to “fix” the problem.

Why is it important to continuously conduct penetration testing to improve security?

Security is unfortunately not a “set it and forget it” situation; it requires constant attention in order to be effective. Frequent penetration testing provides an updated view of an environment from an attacker’s point of view, and allows for security improvements that can help prevent malicious activity from negatively impacting a business.

Need help creating a security plan that will give your business a competitive advantage? Contact The Oxman Group for a free consultation!
