A penetration test or "pen test" in security jargon is a simulated attack on your systems, commissioned by you in order to find out how good your infosecurity posture really is. Beyond that, there's no strict definition of what's involved so if you think this sort of exercise could benefit your business, it's important to start by defining your goals, and what actions you hope to take once you have the results.
For example, are you worried about keeping hackers out or are you more concerned about vulnerabilities that could be exploited in order to access your data? How deep do you want to go, and how much time and money are you prepared to invest in mitigating any risk uncovered? There are a lot of questions to address.
I wasn't expecting the Spanish Inquisition!
Nobody expects the Spanish Inquisition, but to get the best from a penetration test you need to set strict and specific parameters. If you were hoping to ask the testers to simply "see what they can find", you may well discover that what comes back overlooks issues that are critical to your business. It's important to put structure and goals in place for testing and avoid a haphazard approach. By defining what you want to get out of the test early on, you'll be able to judge its success in the results.
Who are these testers? Is it safe to deal with hackers?
These aren't hackers they're highly trained security professionals. If you must use the word, "ethical hacker" or "white hat hacker" might fit, but "security consultant" is better. These professionals mimic tactics used by cyber criminals to test the strength of a business’s security infrastructure. This helps to identify weaknesses in your security that can be addressed before you fall victim to a real cyber attack.
The top 12 password-cracking techniques used by hackers What can an ethical hacker do for my business? What is ethical hacking? White hat hackers explained
When dealing with your organisation's security, it's always worth raising the question of trust. With pen testing there are two recommended courses of action: you could use a service with a good pedigree of recommendations from previous customers, or you could select an agency that only uses testers who are accredited by an industry certification body called CREST. This ensures that they have passed rigorous certification exams and signed up to enforceable codes of conduct.
What actually happens in a penetration test?
As we've noted, it depends on exactly what you have commissioned. Typically, though, pen testers perform both external tests, which target the servers and hardware that any hacker would be able to see, and internal tests, which simulate what would happen if those hackers made it past the perimeter and got inside your network or if an employee wanted to cause trouble. Both approaches can be revealing and combined they can provide a good indication of your real-world security position.
Won't this disrupt my business?
Not at all. An external test may be almost invisible (although, if you have a good security infrastructure, it will hopefully flag up any suspicious connection attempts). An internal test needn't be much more invasive: the tester simply requires access to your network so they can mimic the actions of a hacker.
If that makes you nervous, remember that the testers are looking to expose vulnerabilities, not to exploit them. No data will be compromised, no systems will be interrupted and no damage will be done. Still, it's worth making sure any senior stakeholders have been notified that a pen test is taking place so that they're aware of what's happening.
We perform vulnerability scanning; isn't that enough?
Vulnerability scanning is the process of inspecting potential exploitation points on a network and identifying security weaknesses. This has its value, but it will only give you limited information regarding configuration errors and vulnerabilities. Penetration testing is much more active and probing and a lot more revealing about the potential security problems in your network. Not only does it involve more rigorous and wide-ranging tests, but you can also expect to come away with detailed information and advice that's specific to your business and context.
How long does a pen test take?
Again, it depends on what you have asked the testers to do: tests can take as little as a few hours or last as long as a few weeks. Just remember that the pen testers' work isn't over when they log out or discontinue their simulated attacks; further time is needed to produce a vulnerability report, after which your business will need time to digest its findings and respond as needed. Indeed, there's a good chance that you will want to involve the testing agency in remedying any issues discovered, so it's worth thinking about keeping them involved for the long-term.
In the end, however, the decision is yours. Focus on what needs fixing urgently and be realistic about what's a long-term goal, or what might not be worth fixing at all given the risk analysis for your business. The value of pen testing is that it gives you the information you need to make these decisions.
Should you (and how do you) prepare for a test?
Absolutely! Since you're going to the effort of hiring penetration testers, we may as well ensure we derive the maximum benefits from the process.
In the interest of simulating an 'attack' that's as realistic as possible, internal IT teams would ideally not be notified of an incoming test before it has been completed and an external report has been compiled. This way, defences will be tested organically, with internal IT teams able to devise their own report accordingly, mirroring the process of an actual attack like a mock fire drill. The two reports can then be compared to highlight the differences between what was actioned in the attack, and what was picked up by the IT team.
Before the test team arrives, it can also pay to undergo a security pulse check, including basic patch management and applying hardware and software updates. Of course, patch management and general updating should be regularly undertaken regardless, but ensuring everything is completely up-to-date as a preliminary for penetration testing will mean that security measures are tested in their entirety.
Prepare also to work collaboratively with the test team. Sharing knowledge beforehand can save them time, and you money. Conversely, you should take the time to understand the methods and tools they will use to analyse your network. The more you understand, the more valuable the test.
