Penetration testing
Sure, you’ve got your firewall – but is your business really safe from cyberattacks? Davey Winder explains how penetration testing can find the chinks in your armour
Penetration testing? Sounds… intrusive.
A penetration test – or “pen test” in security jargon – is a simulated attack on your systems, commissioned by you in order to find out how good your infosecurity posture really is. Beyond that, there’s no strict definition of what’s involved – so if you think this sort of exercise could benefit your business, it’s important to start by defining your goals, and what you hope to do with the results. For example, are you worried about keeping hackers out or are you more concerned about vulnerabilities that could be exploited in order to access your data? How deep do you want to go, and how much time and money are you prepared to invest in mitigating any risk uncovered? There are a lot of questions to address.
I wasn’t expecting the Spanish Inquisition!
Nobody expects the Spanish Inquisition, but to get the best from a penetration test you need to set strict and specific parameters, usually written up as a scope and "rules of engagement": which systems, addresses and applications are in bounds, which are off-limits, when testing may take place, what the testers may do if they get in, and who to phone if something breaks. If you were hoping to ask the testers to simply "see what they can find", you may well discover that what comes back overlooks issues that are critical to your business.
Who are these testers? Is it safe to deal with hackers?
These aren’t hackers – they’re highly trained security professionals. If you must use the word, I guess “ethical hacker” or “white hat hacker” might fit, but “security consultant” is better.
Still, you're right to raise questions of trust. When it comes to pen testing there are two recommended courses of action: you could use a service with a good pedigree of recommendations from previous customers, or you could select an agency whose testers are certified by the industry body CREST (crest-approved.org). This ensures that they have passed rigorous certification exams and signed up to enforceable codes of conduct. Whichever route you take, get the scope, the rules of engagement and confidentiality terms in writing before anyone starts.
What actually happens in a penetration test?
As we've noted, it depends on exactly what you have commissioned. Typically, though, pen testers perform both external tests, which target the internet-facing servers and services that any attacker can reach, and internal tests, which simulate what would happen if those attackers made it past the perimeter and got inside your network, or if an employee wanted to cause trouble. Both approaches can be revealing and combined they can provide a good indication of your real-world security position.
Won’t this disrupt my business?
It needn't. An external test may be almost invisible to your users, but it will generate traffic that, if you have a good security infrastructure, should show up as suspicious connection attempts: a test that nobody noticed is itself a finding about your monitoring. An internal test needn't be much more invasive: the tester simply requires access to your network, or an ordinary user account, so they can mimic the actions of an attacker.
If that makes you nervous, remember that testers do try to exploit the weaknesses they find, because demonstrating what an attacker could actually reach is the point of the exercise, but they do so under the rules of engagement you agreed: no destructive actions, no copying of live data beyond what is needed as proof, fragile systems excluded or tested only in an agreed window, and a named contact on your side in case something misbehaves. Done that way the risk of disruption is small, but it is not zero, which is another reason to scope the work carefully rather than simply saying "see what you can find".
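The point above about your own monitoring spotting the external test is worth making concrete. The following is an added example, not code from the article or from any testing firm: a small detector that reads constructed, syslog-style firewall lines (an invented format, not any particular product's) and flags a source address that touches many distinct destination ports within a short window, which is what the reconnaissance phase of an external test looks like from the inside. The window and threshold values are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample firewall log (illustrative format, not a real product's output).
# 203.0.113.7 sweeps 12 ports in five seconds; 192.0.2.5 is ordinary HTTPS traffic;
# 198.51.100.77 probes ten ports but only one every three minutes.
SAMPLE_LOG = """\
2024-03-04T10:00:01Z fw DENY src=203.0.113.7 dst=198.51.100.10 dport=21 proto=tcp
2024-03-04T10:00:01Z fw DENY src=203.0.113.7 dst=198.51.100.10 dport=22 proto=tcp
2024-03-04T10:00:02Z fw DENY src=203.0.113.7 dst=198.51.100.10 dport=23 proto=tcp
2024-03-04T10:00:02Z fw DENY src=203.0.113.7 dst=198.51.100.10 dport=25 proto=tcp
2024-03-04T10:00:02Z fw ALLOW src=203.0.113.7 dst=198.51.100.10 dport=80 proto=tcp
2024-03-04T10:00:03Z fw DENY src=203.0.113.7 dst=198.51.100.10 dport=110 proto=tcp
2024-03-04T10:00:03Z fw DENY src=203.0.113.7 dst=198.51.100.10 dport=143 proto=tcp
2024-03-04T10:00:03Z fw ALLOW src=203.0.113.7 dst=198.51.100.10 dport=443 proto=tcp
2024-03-04T10:00:04Z fw DENY src=203.0.113.7 dst=198.51.100.10 dport=445 proto=tcp
2024-03-04T10:00:04Z fw DENY src=203.0.113.7 dst=198.51.100.10 dport=3389 proto=tcp
2024-03-04T10:00:05Z fw DENY src=203.0.113.7 dst=198.51.100.10 dport=8080 proto=tcp
2024-03-04T10:00:05Z fw DENY src=203.0.113.7 dst=198.51.100.10 dport=8443 proto=tcp
2024-03-04T10:00:06Z fw ALLOW src=192.0.2.5 dst=198.51.100.10 dport=443 proto=tcp
2024-03-04T10:00:07Z fw ALLOW src=192.0.2.5 dst=198.51.100.10 dport=443 proto=tcp
2024-03-04T10:00:09Z fw ALLOW src=192.0.2.5 dst=198.51.100.10 dport=443 proto=tcp
2024-03-04T10:00:12Z fw ALLOW src=192.0.2.5 dst=198.51.100.10 dport=443 proto=tcp
2024-03-04T10:00:15Z fw ALLOW src=192.0.2.5 dst=198.51.100.10 dport=443 proto=tcp
2024-03-04T10:03:00Z fw DENY src=198.51.100.77 dst=198.51.100.10 dport=21 proto=tcp
2024-03-04T10:06:00Z fw DENY src=198.51.100.77 dst=198.51.100.10 dport=22 proto=tcp
2024-03-04T10:09:00Z fw DENY src=198.51.100.77 dst=198.51.100.10 dport=23 proto=tcp
2024-03-04T10:12:00Z fw DENY src=198.51.100.77 dst=198.51.100.10 dport=25 proto=tcp
2024-03-04T10:15:00Z fw ALLOW src=198.51.100.77 dst=198.51.100.10 dport=80 proto=tcp
2024-03-04T10:18:00Z fw DENY src=198.51.100.77 dst=198.51.100.10 dport=110 proto=tcp
2024-03-04T10:21:00Z fw DENY src=198.51.100.77 dst=198.51.100.10 dport=143 proto=tcp
2024-03-04T10:24:00Z fw ALLOW src=198.51.100.77 dst=198.51.100.10 dport=443 proto=tcp
2024-03-04T10:27:00Z fw DENY src=198.51.100.77 dst=198.51.100.10 dport=445 proto=tcp
2024-03-04T10:30:00Z fw DENY src=198.51.100.77 dst=198.51.100.10 dport=3389 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=\S+ "
    r"dport=(?P<dport>\d+) proto=\w+$"
)


def parse_events(log_text):
    """Turn log lines into (timestamp, src, dport) tuples, oldest first.
    Lines that do not match the expected format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real pipeline would count these, not silently drop them
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], int(m["dport"])))
    events.sort(key=lambda e: e[0])  # the sliding window relies on time order
    return events


def detect_port_sweeps(log_text, window_seconds=60, threshold=10):
    """Return {src: sorted distinct ports} for each source that touches at least
    `threshold` distinct destination ports within any `window_seconds` span.
    ALLOW and DENY both count: a scanner learns from either answer."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src -> deque of (ts, dport), oldest on the left
    alerts = {}
    for ts, src, dport in parse_events(log_text):
        q = recent[src]
        q.append((ts, dport))
        while ts - q[0][0] > window:  # evict events that fell out of the window
            q.popleft()
        if src in alerts:
            continue  # one alert per source, raised at the first crossing
        ports = {p for _, p in q}
        if len(ports) >= threshold:
            alerts[src] = sorted(ports)
    return alerts


if __name__ == "__main__":
    for src, ports in detect_port_sweeps(SAMPLE_LOG).items():
        print(f"possible port sweep from {src}: {len(ports)} ports, e.g. {ports[:5]}")
```

With the default one-minute window only the fast sweep is reported; the slow source slips under the threshold because it never has more than one port in any window. Widening the window to an hour catches it too, at the cost of more noise from legitimate sources, which is exactly the trade-off a tester's "low and slow" scan is designed to exploit, and a good reason to ask the testers afterwards what your monitoring did and did not see.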
We already perform our own vulnerability scanning; isn’t that enough?
Vulnerability scanning has its value, but it will only give you limited information: a scanner matches software versions and configuration settings against a database of known weaknesses, so it produces false positives, misses flaws in your own applications and business logic, and cannot tell you what an attacker could do with what it finds. Penetration testing is much more active and probing. The tester verifies which findings are real, chains them together (a weak password here, an over-privileged account there) and shows how far an attacker could actually get. Not only does it involve more rigorous and wide-ranging tests, you can also expect to come away with detailed information and advice that's specific to your business and context.
How long does a pen test take?
Again, it depends on what you have asked the testers to do: tests can take as little as a few hours or last as long as a few weeks. Just remember that the pen testers' work isn't over when they log out or discontinue their simulated attacks; further time is needed to produce a report that rates each finding by severity and explains how it was exploited, after which your business will need time to digest its findings and respond as needed. Indeed, there's a good chance that you will want to involve the testing agency in remedying any issues discovered, and to commission a retest of the critical findings once the fixes are in place.
In the end, however, the decision is yours. Focus on what needs fixing urgently and be realistic about what’s a long-term goal, or what might not be worth fixing at all given the risk analysis for your business. The value of pen testing is that it gives you the information you need to make these decisions.
“You can expect to come away with detailed information and advice that’s specific to your business and context”