Pros and cons of penetration testing

Cyber attacks are cheap to conduct, but expensive for organisations that are hit by them. Botnets can be hired cheaply, hacking software is readily available, and even those without technical or practical knowledge can purchase attacks as a service.

Attacks can cripple a company’s systems, they can lead to large fines and reputational damage, and the low investment necessary to conduct an attack means that no business is too small to be targeted.

That is where penetration testing (‘pen testing’) comes in. It is essentially a controlled form of hacking in which a professional pen tester, working on behalf of an organisation, uses the same techniques as a criminal hacker to search for vulnerabilities in the company’s networks or applications.

Penetration testing is widely acknowledged as an important part of cyber security (it is, for instance, a requisite part of a number of regulatory standards and compliance schemes), but, like any security mechanism, it is not perfect.

We’ve outlined some of the most important pros and cons of conducting penetration tests.

Pros

  • They can identify a range of vulnerabilities

Businesses are exposed to a host of potential threats, and each might be able to exploit hundreds of different vulnerabilities.

Such vulnerabilities expose the business to potentially devastating attacks, such as SQL injection, and things as apparently benign as error pages can give attackers enough information to exploit a less obvious and much more harmful vulnerability.

  • They can identify high-risk weaknesses that result from a combination of smaller vulnerabilities

Taken on their own, small vulnerabilities may appear negligible, but hackers often seek out these weaknesses and chain them into intrusion sequences, using small, steady efforts to pry open security gaps into a much larger weakness.

These gaps are often overlooked by the company or by automated security systems, but because pen testers replicate a hacker’s methods, they are able to identify such points of entry.

  • Reports will provide specific advice

The final step of a penetration test is reporting the vulnerabilities.

Unlike automatically generated reports from tools, which offer generic remediation tips, reports from penetration tests can rank and rate vulnerabilities according to the scale of the risk and the company’s budget.

Free download: Penetration Testing and the GDPR

Want to know more about penetration testing? Download our free green paper, Penetration Testing and the GDPR, to find out how the testing process fits in with your legal requirements to protect personal data.

It covers:

  • The GDPR’s requirements for security testing;
  • Testing to fit security and budgetary requirements;
  • Guidance for penetration testing; and
  • An example of a GDPR testing regime.

Cons

  • If they’re not done right, they can create a lot of damage.

Tests that are not done properly can crash servers, expose sensitive data, corrupt crucial production data, or cause a host of other adverse effects that come with mimicking a criminal hack.

  • You are required to trust the penetration tester.

Penetration testing essentially means that you’re inviting someone to hack into your systems, so you’re relying on the tester not to abuse their skills and knowledge.

If you don’t hire someone you can trust to do the job, your security attempts may backfire spectacularly.

  • If you don’t employ realistic test conditions, the results will be misleading.

Employees are likely to prepare for a test that they know is going to take place, so the organisation appears stronger than it actually is.

A genuine attack will come without warning and in ways that are creative and hard to plan for.

Scanning and testing with IT Governance

If you’re looking for experts to help with your vulnerability scans and penetration tests, we are here to help. IT Governance is a CREST-accredited provider of security testing services, with a range of solutions ideal for all organisations.

We offer on-site and remote testing to ensure that you’re able to assess your networks and stay on top of the regulatory requirements in whichever way is most convenient for you.

A version of this blog was originally published on 25 September 2018.
