Penetration Testing as a Tool
If you are tasked with protecting your company's network and digital assets, you will likely have a number of systems in place to protect that network. But have you tested them? This is where a pen test can help, allowing an ethical hacker to test your network's defences as a real attacker would, but with the risk greatly reduced. If you are in two minds about whether a pen test is right for your organisation, you should read our article on whether pen testing is worth it, which defines a pen test and outlines the key benefits.
More often than not, devices are left at their default configuration or simply assumed to be working. This is where penetration testing can help, by testing that your security countermeasures are working correctly. A penetration test, or pen test, is conducted by a third-party company that specialises in testing networks and applications for security issues and vulnerabilities. Penetration testing can be used proactively, to determine the attack surface and how susceptible the company would be to attack. It can also be done reactively, to determine how widespread a vulnerability really is or whether remediation has been implemented correctly.
What is penetration testing?
In simple terms, penetration testing could be referred to as a moment-in-time test that identifies the potential vulnerabilities that exist within the target system or network at the time the penetration test is performed.
What is the testing process?
A penetration test is carried out by a skilled and experienced ethical hacker who has a number of industry-standard tools at their disposal. An ethical hacker will use both manual and automated testing tools and methods. A tester will follow a recognised testing methodology, which, combined with the tester's own knowledge and expertise, helps to ensure that attack vectors are not overlooked. To maximise the benefit from the cost of pen testing, it is recommended that organisations carefully plan its use and clearly set the goals for testing.
What does penetration testing do for my business?
Penetration testing can be used as part of the information security management system (ISMS). The key benefits of performing a pen test are:
- Risk management: determining the company's vulnerabilities and its attack surface.
- Vulnerability management: detecting vulnerabilities present in the organisation, and thereby assessing the effectiveness of remediation.
- Assurance audit: testing the implemented countermeasures.
- Regulatory compliance: forming part of an audit to determine whether controls have been implemented.
How to determine the penetration testing strategy?
The testing strategy needs to be developed to meet the company's requirements, which in turn are driven by its risk appetite and mission objectives. It also needs to be cost-effective, so that the testing can confirm whether the vulnerability management programme is indeed effective.
Frequency of penetration testing
How often should you perform a penetration test?
The frequency of testing depends on standards compliance and regulatory activities. It can also be guided by an experienced consultant or third-party testing company.
That said, experts recommend that companies carry out a monthly internal compliance scan. This can be combined with quarterly internal and external vulnerability scans conducted by a qualified tester.
Even with new remediation activities and controls in place, management should always be aware that residual risk remains. For this reason, staying vigilant and monitoring for signs of intrusion should be part of the security profile that organisations deploy.