It might sound crazy to the uninitiated, but organisations across the globe pay people to break into their systems and find sensitive information.
The reason they do this is simple: to catch a thief, you must think like one. Organisations hire ethical hackers, otherwise known as penetration testers, to make sure they have someone who’s one step ahead of the tactics that crooks use.
What is penetration testing?
Penetration testing is essentially a controlled form of hacking, in which an expert working on behalf of an organisation probes its networks and applications to look for weaknesses that a cyber criminal could exploit.
Armed with this knowledge, the organisation can implement appropriate defences to mitigate the risks or close off the vulnerability altogether.
How does penetration testing work?
Penetration testers often exploit system misconfigurations, send the organisation’s staff phishing emails or breach the physical perimeter.
As the threat landscape has evolved, penetration testers are sometimes commissioned to commit long-term cons. They will watch and analyse an organisation, looking for patterns that can be exploited.
One method they might use is to leave removable devices containing malware in a public area to see whether an employee plugs one of them into one of the organisation’s computers.
Are you required to conduct penetration tests?
Any organisation that’s subject to the PCI DSS (Payment Card Industry Data Security Standard) is legally required to conduct penetration tests at least annually and after any significant changes to its network or applications.
Although penetration testing isn’t referred to specifically in other information security laws, it’s widely accepted as an integral part of an effective defence.
Tests should be carried out at similar intervals if you wish to remain compliant with ISO 27001, and they are in all likelihood part of the “appropriate technical and organisational measures” you must take to comply with the GDPR (General Data Protection Regulation).
Benefits of penetration testing
There are many reasons to conduct a penetration test. For example:
- They can identify a range of vulnerabilities
Businesses are exposed to a host of potential threats, and each might be able to exploit hundreds of different vulnerabilities.
Such vulnerabilities expose the organisation to potentially devastating attacks, such as SQL injection, and even things as apparently benign as error pages can provide attackers with enough information to exploit a less obvious and much more harmful vulnerability.
- They can identify high-risk weaknesses that result from a combination of smaller vulnerabilities
Taken on their own, small vulnerabilities may appear negligible, but hackers often seek out these weaknesses to create intrusion sequences: small, steady efforts that pry open security gaps into much larger weaknesses.
These gaps are often overlooked by the company or automated security systems, but given that pen testers replicate a hacker’s methods, they will be able to identify such points of entry.
- Reports will provide specific advice
The final step of a penetration test is reporting the vulnerabilities. Unlike automatically generated reports from tools that offer generic remediation tips, reports from penetration tests can rank and rate vulnerabilities according to the scale of the risk and the company’s budget.
Limitations of penetration testing
There are, of course, some problems with penetration testing – particularly senior management’s reluctance to hire someone to break into their organisation. They will often argue that it’s asking for trouble, and you can never be sure whether the tester might abuse their power.
Although that’s feasibly an option, it’s highly unlikely if you hire a qualified professional. They are bound by codes of ethics to act responsibly, and if there’s even a suspicion that they’ve acted maliciously, they could jeopardise their entire career.
You should be more concerned about the effectiveness of the test. For example, if tests are not carried out properly, they can crash servers, expose sensitive data, corrupt crucial production data, or cause a host of other adverse effects associated with mimicking a criminal hack.
Likewise, if you don’t employ realistic test conditions, the results will be misleading. If you tell employees exactly when the test is going to occur, they will probably act a lot more vigilantly than usual.
Reliable penetration tests with IT Governance
You can be sure your organisation is in safe hands when you conduct a penetration test with IT Governance.
Our team of CREST-accredited consultants will apply robust methodologies to provide you with the technical assurance you need. We can deliver a realistic and targeted appraisal of the current state of your security and the risks attackers pose to your business.
So, which penetration test is right for you?
The objective of network penetration testing is to identify security vulnerabilities in how an organisation connects with the Internet and other external systems. This includes servers, hosts, devices and network services.
If an organisation’s interfaces aren’t designed correctly, criminals will be able to enter the network and perform malicious activities.
The objective of web application penetration testing is to identify security issues resulting from insecure development practices in the design, coding and publishing of software.
Applications are a vital business function for many organisations, being used to process payment card data, sensitive personal data or proprietary data.
The objective of wireless penetration testing is to detect access points and rogue devices in an organisation’s secured environment.
The objective of phishing and social engineering penetration testing is to assess employees’ susceptibility to breaking security rules or giving access to sensitive information.