Cybercrime is now the single largest threat faced by modern businesses, costing the world economy more than $2 trillion this year alone. With instances of cybercrime on the rise and criminals using increasingly advanced techniques to extract digital data, it’s important to know and understand your company’s digital security. Data breaches and hack attempts can cripple a business, large or small, so it’s vital that businesses stay ahead of the game to keep both their customers’ and their own data safe – which is where penetration testing comes in.
What is penetration testing?
Penetration testing, also sometimes referred to as pen testing, a pen test, or ethical hacking, is an authorized simulated cyber attack carried out by a trusted third party in order to produce a risk assessment which highlights the company’s digital weaknesses and strengths. A penetration test can be conducted on a particular part of the company’s digital infrastructure, such as a new app about to be released or a new version of a piece of software, or it can be conducted on the network as a whole, searching for flaws and weaknesses from authentication issues to source code problems. Armed with the resulting risk assessment, companies can then take the action needed to keep their business safe and to protect themselves from any identified threats.
What is the difference between internal and external penetration tests?
Internal penetration tests are designed to seek out any potential threats from individuals who have legitimate access to your network, such as your employees. During an internal penetration test, an ethical hacker will simulate an inside attack on your business to see how far a person can get while remaining undetected. Internal penetration tests can help to identify who has access to confidential information such as customer information or payment details, and how that access can be gained, and can help a company to put internal security procedures in place to protect it in the event of an internal attack. Internal penetration testing is also helpful in highlighting areas in which your business may need to keep better audit records, which can help to identify which individual was responsible for any given breach.
External penetration tests, on the other hand, simulate an attack from outside of your business structure, i.e. from someone who does not have internal access to your systems. In general, there are three main types of external penetration test, each designed to highlight any weaknesses in your company’s systems that could be exploited from the outside.
- The black box penetration test
The black box penetration test is designed to simulate an attack on your business by someone with no prior knowledge of your systems and is the most accurate way to simulate a real-life malicious attack.
- The white box penetration test
The white box penetration test is designed to simulate an attack on your business by someone with a far more detailed understanding of your systems, such as knowledge of your system architecture or information on certain passwords. This kind of attack can be very dangerous, as an attacker with that knowledge can gain access to your systems while appearing to be one of your own users.
- The grey box penetration test
Grey box penetration tests incorporate the principles of both black and white box testing and simulate a targeted attack by an individual who may have a little information on your company but is working largely in the dark.
Why penetration test in the first place?
The only way to know for certain that your car is locked is to try the door yourself. Similarly, penetration testing is the only way that you can be sure that your security defences are working properly to protect your data. Here are 8 reasons why a penetration test can be helpful for your business.
- To help your company to prioritize risk
There are many different types of security risk that companies need to contend with these days, and a simple penetration test can help to identify areas of weakness which can then be prioritized in your company’s security strategy.
- To view your systems with fresh eyes
Even well-managed and robust systems have backdoors and flaws which can easily be missed by internal analysis. A fresh set of eyes can often find misconfigurations that have previously gone unnoticed and can help you to see your systems from a new perspective.
- To find any security gaps
Most companies have at least one set of security tools in place to help keep them safe in the online world. Although these security tools themselves are often reliable and difficult to penetrate, they do, on occasion, fail to overlap, leaving gaps which can be exploited by hackers. Penetration testing will help to find these gaps so that you can fill them.
- To test against different types of attack vectors
Attack vectors are the means by which hackers can gain access to a device, such as through an email attachment, a pop-up window or a virus. Many security systems protect against one specific type of attack vector, and many businesses combine security systems in order to gain more rounded coverage. Penetration testing allows your company to see whether it is protected against the many different types of attack vector and to put procedures in place if it turns out that it is still vulnerable to a certain kind.
- To ensure that your security systems are providing value for money
Security systems can be very costly to purchase and implement, which means that you want to be able to guarantee that they are delivering everything that they promise to. Penetration tests can sometimes reveal ugly truths about the effectiveness of certain security systems, enabling you to better manage your security budget and re-allocate resources if required. Penetration testing is also often required when seeking investment.
- To help you create a security response policy
In the event of an attack on your business, time is of the essence and it’s important to react quickly to limit the damage done. Penetration testing can provide you with the knowledge you need to improve your security response policy, ensuring that the right people are notified in the event of an attack so that action can be taken to contain the breach and protect any confidential data.
- To provide you with targets
Penetration testing provides you with valuable metrics that can be used for security benchmarking and the creation of security targets. When tests are conducted regularly, you will be able to see how your company is working towards improving its security and whether there are any areas which need further attention.
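One way to turn successive pen test reports into the benchmarking metrics described above is to compare the findings of one report against the next. The following is an added example and is not code from the original article or from any pen test provider; the report structure (an id, a severity and a discovery date per finding), the two sample reports and the target thresholds in meets_target are all constructed assumptions for illustration.

```python
"""Compare two penetration-test reports and derive benchmarking metrics.

Added example, not part of the original article. The finding structure,
the sample reports and the target thresholds are constructed assumptions.
"""
from datetime import date

SEVERITY_ORDER = ("critical", "high", "medium", "low")

# Constructed sample data: two annual reports for the same environment.
# Finding ids are assumed to be stable between reports so that a finding
# can be recognised as fixed, persisting or new.
REPORT_2023 = [
    {"id": "F-001", "severity": "critical", "title": "SQL injection in login form", "found": date(2023, 3, 1)},
    {"id": "F-002", "severity": "high", "title": "Outdated TLS configuration", "found": date(2023, 3, 1)},
    {"id": "F-003", "severity": "medium", "title": "Verbose error pages", "found": date(2023, 3, 1)},
    {"id": "F-004", "severity": "low", "title": "Missing security headers", "found": date(2023, 3, 1)},
]

REPORT_2024 = [
    {"id": "F-002", "severity": "high", "title": "Outdated TLS configuration", "found": date(2023, 3, 1)},
    {"id": "F-004", "severity": "low", "title": "Missing security headers", "found": date(2023, 3, 1)},
    {"id": "F-005", "severity": "high", "title": "Default credentials on admin panel", "found": date(2024, 3, 4)},
]

# Date of the most recent test; used to age open findings.
AS_OF = date(2024, 3, 4)


def _by_severity(findings):
    """Count findings per severity, always listing every severity level."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


def compare_reports(previous, current, current_date):
    """Classify findings as fixed, persisting or new and compute metrics.

    remediation_rate is the share of the previous report's findings that no
    longer appear; max_age_days is the age of the oldest open finding per
    severity, which is what a security target would usually be set against.
    """
    prev_by_id = {f["id"]: f for f in previous}
    curr_by_id = {f["id"]: f for f in current}

    fixed = [prev_by_id[i] for i in sorted(prev_by_id.keys() - curr_by_id.keys())]
    persisting = [curr_by_id[i] for i in sorted(prev_by_id.keys() & curr_by_id.keys())]
    new = [curr_by_id[i] for i in sorted(curr_by_id.keys() - prev_by_id.keys())]

    remediation_rate = len(fixed) / len(previous) if previous else 1.0

    max_age_days = {}
    for f in persisting + new:
        age = (current_date - f["found"]).days
        max_age_days[f["severity"]] = max(max_age_days.get(f["severity"], 0), age)

    return {
        "fixed": _by_severity(fixed),
        "persisting": _by_severity(persisting),
        "new": _by_severity(new),
        "open_total": len(persisting) + len(new),
        "remediation_rate": remediation_rate,
        "max_age_days": max_age_days,
    }


def meets_target(metrics, max_open_high_or_critical=0, min_remediation_rate=0.5):
    """Hypothetical security target: no open critical or high findings and at
    least half of last year's findings fixed. Thresholds are assumptions."""
    open_hc = sum(metrics["persisting"][s] + metrics["new"][s] for s in ("critical", "high"))
    return open_hc <= max_open_high_or_critical and metrics["remediation_rate"] >= min_remediation_rate


if __name__ == "__main__":
    metrics = compare_reports(REPORT_2023, REPORT_2024, AS_OF)
    for key, value in metrics.items():
        print(f"{key}: {value}")
    print("target met:", meets_target(metrics))
```

On the constructed data the critical and medium findings from 2023 are fixed (a 50% remediation rate), but a high finding has been open for more than a year and a new high finding has appeared, so the hypothetical target is not met; that is exactly the kind of area the report would flag as needing further attention.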
- To help you fix errors
You can’t fix what you can’t see, and in the digital world it can be even harder to identify potential errors or faults. Penetration testing brings the good, the bad and the ugly to light, helping you to make the changes needed to keep your data safe.
Does your company really need a penetration test?
With so much business now conducted online, it could be said that every company needs to consider having a penetration test carried out on its digital systems, regardless of its size and the amount of business that it does online. In general, it is recommended that every organisation has a penetration test conducted at least once per year to stay on top of any digital changes. However, it may be necessary to have a penetration test conducted more frequently, especially during times of significant business change such as after a merger, following the release of a new product or during customer app development.
What will happen during a penetration test?
During a penetration test, ethical hackers will attempt to penetrate your system using the same real-life techniques used by clever and malicious criminals. These ethical hackers learn the latest hacking techniques to ensure that they are able to test your system against an ever-evolving world of cyber threats. External penetration tests can be carried out remotely, with the hackers needing no access to your building. However, this will not test the security of your wireless or internal network, so it is advised to also have an internal test conducted. Both external and internal penetration tests can be carried out with very little, if any, disruption to your normal operations and will not have any adverse effects on business as usual. Once the penetration test has been carried out, you will be provided with a penetration test report which clearly identifies any weaknesses in your internal and external systems, whilst also highlighting any changes that could be made to remedy the situation.
Who should carry out the penetration test?
Because penetration testing essentially involves hacking into your own confidential information, it is very important that it is carried out by a trusted party. Some companies choose to hire internal penetration testers; however, most outsource to a third party. Always ensure that your chosen penetration test provider is accredited by CREST and that they use ethical hackers who are Offensive Security Certified Professionals.