What is penetration testing?
Sure, you’ve got your firewall – but is your business really safe from cyber attacks?
A penetration test or "pen test" in security jargon is a simulated attack on your systems, commissioned by you in order to find out how good your infosecurity posture really is. Beyond that, there's no strict definition of what's involved so if you think this sort of exercise could benefit your business, it's important to start by defining your goals, and what you hope to do with the results. For example, are you worried about keeping hackers out or are you more concerned about vulnerabilities that could be exploited in order to access your data? How deep do you want to go, and how much time and money are you prepared to invest in mitigating any risk uncovered? There are a lot of questions to address.
I wasn't expecting the Spanish Inquisition!
Nobody expects the Spanish Inquisition, but to get the best from a penetration test you need to set strict and specific parameters. If you were hoping to ask the testers to simply "see what they can find", you may well discover that what comes back overlooks issues that are critical to your business.
Who are these testers? Is it safe to deal with hackers?
These aren't hackers they're highly trained security professionals. If you must use the word, I guess "ethical hacker" or "white hat hacker" might fit, but "security consultant" is better.
Still, you're right to raise questions of trust. When it comes to pen testing there are two recommended courses of action: you could use a service with a good pedigree of recommendations from previous customers, or you could select an agency that only uses testers who are accredited by an industry certification body called CREST. This ensures that they have passed rigorous certification exams and signed up to enforceable codes of conduct.
What actually happens in a penetration test?
As we've noted, it depends on exactly what you have commissioned. Typically, though, pen testers perform both external tests, which target the servers and hardware that any hacker would be able to see, and internal tests, which simulate what would happen if those hackers made it past the perimeter and got inside your network or if an employee wanted to cause trouble. Both approaches can be revealing and combined they can provide a good indication of your real-world security position.
Won't this disrupt my business?
Not at all. An external test may be almost invisible (although, if you have a good security infrastructure, it will hopefully flag up any suspicious connection attempts). An internal test needn't be much more invasive: the tester simply requires access to your network so they can mimic the actions of a hacker.
If that makes you nervous, remember that the testers are looking to expose vulnerabilities, not to exploit them. No data will be compromised, no systems will be interrupted and no damage will be done.
We perform vulnerability scanning; isn't that enough?
Vulnerability scanning has its value, but it will only give you limited information regarding configuration errors and vulnerabilities. Penetration testing is much more active and probing and a lot more revealing. Not only does it involve more rigorous and wide-ranging tests, you can also expect to come away with detailed information and advice that's specific to your business and context.
How long does a pen test take?
Again, it depends on what you have asked the testers to do: tests can take as little as a few hours or last as long as a few weeks. Just remember that the pen testers' work isn't over when they log out or discontinue their simulated attacks; further time is needed to produce a vulnerability report, after which your business will need time to digest its findings and respond as needed. Indeed, there's a good chance that you will want to involve the testing agency in remedying any issues discovered.
In the end, however, the decision is yours. Focus on what needs fixing urgently and be realistic about what's a long-term goal, or what might not be worth fixing at all given the risk analysis for your business. The value of pen testing is that it gives you the information you need to make these decisions.
Should you (and how do you) prepare for a test?
Absolutely! Since you're going to the effort of hiring penetration testers, we may as well ensure we derive the maximum benefits from the process.
In the interest of simulating an 'attack' that's as realistic as possible, internal IT teams would ideally not be notified of an incoming test before it has been completed and an external report has been compiled. This way, defences will be tested organically, with internal IT teams able to devise their own report accordingly, mirroring the process of an actual attack like a mock fire drill. The two reports can then be compared to highlight the differences between what was actioned in the attack, and what was picked up by the IT team.
Before the test team arrives, it can also pay to undergo a security pulse check, including basic patch management and applying hardware and software updates. Of course, patch management and general updating should be regularly undertaken regardless, but ensuring everything is completely up-to-date as a preliminary for penetration testing will mean that security measures are tested in their entirety.
Prepare also to work collaboratively with the test team. Sharing knowledge beforehand can save them time, and you money. Conversely, you should take the time to understand the methods and tools they will use to analyse your network. The more you understand, the more valuable the test.
Navigating the new normal: A fast guide to remote working
A smooth transition will support operations for years to comeDownload now
Putting a spotlight on cyber security
An examination of the current cyber security landscapeDownload now
The economics of infrastructure scalability
Find the most cost-effective and least risky way to scaleDownload now
IT operations overload hinders digital transformation
Clearing the path towards a modernised system of agreementDownload now