Penetration testing is widely regarded as an essential tool to protect organisations from cyber attacks.
The process is essentially a controlled form of hacking in which a professional pen tester, working on behalf of an organisation, uses the same techniques as a criminal hacker to search for vulnerabilities in the company’s networks or applications.
Regular tests are mandatory for organisations that are subject to the PCI DSS (Payment Card Industry Data Security Standard). Meanwhile, although it’s not a requirement, penetration testing is recommended for organisations seeking ISO 27001 and GDPR (General Data Protection Regulation) compliance.
But penetration testing isn’t simply a tick-box exercise. It’s a complex process that requires organisations to hire trusted experts.
Doing so not only gives them a better understanding of their organisational weaknesses but also mitigates the challenges that come with penetration testing. Indeed, if organisations aren’t careful when selecting a penetration tester, they will run into problems.
In this blog, we look at the benefits of an effective penetration test and the issues that organisations could run into.
They can identify a range of vulnerabilities
Businesses are exposed to a host of potential threats, and each might be able to exploit hundreds of different vulnerabilities.
Such vulnerabilities are open to potentially devastating attacks, such as SQL injection, and even something as apparently benign as a verbose error page can provide attackers with enough information to exploit a less obvious and much more harmful vulnerability.
They can identify high-risk weaknesses that result from a combination of smaller vulnerabilities
Taken on their own, small vulnerabilities may appear negligible, but hackers often seek out these weaknesses to create intrusion sequences that take small, steady efforts to pry open security gaps into much larger weaknesses.
These gaps are often overlooked by the company or automated security systems, but given that pen testers replicate a hacker’s methods, they will be able to identify such points of entry.
Reports will provide specific advice
The final step of a penetration test is reporting the vulnerabilities.
Unlike automatically generated reports from tools that offer generic remediation tips, reports from penetration tests can rank and rate vulnerabilities according to the scale of the risk and the company’s budget.
Free download: Penetration Testing and the GDPR
Want to know more about penetration testing? Download our free green paper, Penetration Testing and the GDPR, to find out how the testing process fits in with your legal requirements to protect personal data. It covers:
- The GDPR’s requirements for security testing;
- Testing to fit security and budgetary requirements;
- Guidance for penetration testing; and
- An example of a GDPR testing regime.
If they’re not done right, they can create a lot of damage
Tests that are not done properly can crash servers, expose sensitive data, corrupt crucial production data, or cause a host of other adverse effects associated with mimicking a criminal hack.
You are required to trust the penetration tester
Penetration testing essentially means that you’re inviting someone to hack into your systems, so you’re relying on the tester not to abuse their skills and knowledge.
If you don’t hire someone you can trust to do the job, your security attempts may backfire spectacularly.
If you don’t employ realistic test conditions, the results will be misleading
Employees are likely to prepare for a test that they know is going to take place, meaning that the organisation appears to be stronger than it actually is.
A genuine attack will come without warning and in ways that are creative and hard to plan for.
Scanning and testing with IT Governance
If you’re looking for experts to help with your vulnerability scans and penetration tests, we are here to help. IT Governance is a CREST-accredited provider of security testing services, with a range of solutions ideal for all organisations.
We offer on-site and remote testing to ensure that you’re able to assess your networks and stay on top of the regulatory requirements in whichever way is most convenient for you.
A version of this blog was originally published on 25 September 2018.