What is Penetration Testing?
Penetration testing is effectively a simulated attack on your network or system, designed to uncover potential weaknesses. The idea is to spot problems that might not be revealed by simply running through a security checklist.
The beauty of penetration testing is that it’s realistic without risking any damage or disruption. It’s not like hiring a team of reformed burglars to try to break into your offices or factory without telling your security staff, which likely wouldn’t end well. With cybersecurity, a properly crafted simulated attack can be just as revealing as the real thing.
You may be wondering if penetration testing is the same thing as a vulnerability assessment, but they have some key differences. A vulnerability assessment really boils down to running through a detailed checklist. It’s good for making sure you have everything you want in place, but won’t reveal all weaknesses.
In contrast, penetration testing is not just about spotting those weaknesses, but seeing if and how they could be exploited. It’s particularly useful for finding ways in which different weaknesses can combine to cause a more serious vulnerability.
Although penetration testing often involves some automation and software, it can also incorporate the type of cunning and creativity that malicious hackers use. For example, a company carrying out penetration testing will use techniques such as reconnaissance, phishing and social engineering, scanning a network, putting malware in place, checking to see if they’ve been detected, and attempting to elevate their access privileges. This means penetration testing may take longer than some other forms of security testing.
When you hire somebody to carry out penetration testing, you’ll usually have a range of options. For example, the simulated attack could try to replicate an external attacker trying to breach your network, or a rogue employee taking advantage of their security access.
You may also have to decide whether some or all of your security staff are aware of the penetration testing and when it will happen. Keeping it secret gives a more realistic assessment of your current defenses. However, the staff being aware of the specific time of the attack means they can better track exactly how the attacker proceeds and the routes they take, which may give better insight for dealing with the revealed problems.
Another choice is exactly how much information to provide to the penetration testers. At one extreme you can give them details about the security systems you use and an outline of how they are configured. At the other, you can simply tell them the name of your organization.
Both of these approaches have benefits. The former allows a more thorough testing that combines breadth and depth. The latter is more realistic and can reveal which vulnerabilities are the biggest priority to fix as they pose the most likely risk.
If you’d like to know more about penetration testing and how it can help protect your organization, contact us today and we’ll be happy to help.