What are you really getting with a penetration test?

Penetration testing, also known as pen testing, is the testing of a computer system, network or web application to find vulnerabilities that a hacker could exploit.

There are a lot of options for pen testing – internal, external, credentialed, web application testing, network testing, phishing and social engineering. Your company may need just one or a combination of several to meet objectives for managing risk or complying with mandates.

Scale and scope

Start with the basics: what does your business hope to gain from a pen test and what do you plan to do with the information?

  • Is it to comply with a mandate like PCI?
  • Do you want to see what your network looks like to an attacker?
  • Do you want to make sure an application or website doesn’t have any gaping holes?
  • Do you want to test your entire network or just a segment? Several websites or just one?

In addition to finding weaknesses that could be exploited, a pen test can also be used to evaluate in-house security tools or staff. This can be a great opportunity to see if your threat detection systems, SIEM products, and other tools identify and alert staff – and to see if staff responds appropriately.

Who should conduct your pen test?

Purchasing an automated tool may not be cost effective, and studies have shown that manual testing is required to identify up to 67% of vulnerabilities. Qualified internal personnel with the right tools may be able to do the testing, but many companies don’t have those skills in-house.

If you hire an outside company to conduct your pen test, make sure you compare prices and ask to see sample reports. Why? Not all penetration testing is the same in terms of scope and price – you often get what you pay for (or don’t pay for).

Depending on your goals, you should decide whether you want to hire an outside firm or whether you have the tools and skills to do it in-house. If you do it in-house and it’s for compliance, you must be able to show that the person performing the test had the appropriate skills.

Detail versus cost

Once you know what you’re looking for, you have to decide what you want in terms of service. A low-cost test run through software with a template report may be sufficient for a first-time test or a less critical application. If your goal is hardening security, you may need an expert behind the keyboard who develops custom scripts, probes the way a hacker would, and then provides analysis and recommendations.

Regardless, all reports should provide some analysis as to the actual risk and severity of the findings. And you have to consider whether the added cost for a manual pen test is worth the extra information you’ll receive on your business’ information security.

Get ready

Before you pen test, perform a vulnerability scan. Fix anything that’s found before pen testing. Make sure your software is up to date, check your wireless networks and devices like printers and copiers for weaknesses, and make sure your network defenses are configured appropriately. If you’re testing a custom developed application, there are free tools available to check for basic security flaws. Use them and correct anything relevant before the pen test begins. Don’t make it easy for a pen tester (or hacker) to find holes in your system.

Finally, remember that a pen test represents a single point in time. Cyber criminals find new weaknesses every day and if your network hygiene isn’t maintained, any results from a pen test will be outdated within a few short weeks.

The goals, budget, timeline, and analysis of your pen test should all be based on your cyber risk management and loss control strategy. Spend your money wisely.