What is Penetration Testing? A Look at The Security Tactic You Should Never Skip

When you think about network and cybersecurity, you’re probably thinking of all the ways businesses try to keep bad guys out of a network: firewalls, virtual private networks (VPNs), encryption, and the like. Building up the defenses around a network can create deterrents for hackers—measures that slow them down, but aren’t guaranteed to keep them out.

Penetration testing takes a different, more offensive tack. By deliberately letting a professional hack into a network, businesses can locate where and how break-ins may occur, then proactively patch those weak spots. Here’s a look at how it works, why and when you might opt to pentest your network, and how you can partner with a remote penetration tester to get better insight into the health and security of your network.

Beyond Just Picking Locks: An Overview of Pentesting

Think of a network like a private residence. Locks, security fences, and alarm systems are basic ways to keep unwanted visitors out. Networks aren’t any different: they have preventative measures, plus network intrusion detection systems (NIDS) to raise an alert when someone does get in.

Now, imagine the homeowner hires a home security expert to assess the quality of the home’s security and write up a report of areas to improve. That’s the equivalent of a vulnerability assessment.

Taking that a step further, imagine the homeowner hires a professional thief to use every means possible to break in. Maybe the thief uses social engineering to get through the neighborhood gate, hacks into the home WiFi network to disable security cameras, uses glass cutters to access deadbolts, and even manages to crack a safe. That’s the equivalent of penetration testing—leaving no stone unturned so the resulting security program is as airtight as it can be.

When and Why to Engage a Penetration Tester to Hack Your Network

In our article Ethical Hacking: Why You Should Hack Your Own Network, we discussed the benefits of proactively probing your network and systems for weaknesses, such as helping to prevent a data breach or heading off a business-halting denial-of-service (DoS) attack. It’s crucial to leave no stone unturned, especially as you add more components and networked devices to your system—even something as small as an IoT device like the networked, smart thermometer in a casino lobby fish tank that recently gave hackers access to a high roller database.

Here are some other reasons to consider penetration testing in particular.

  • You’ll make more educated decisions about which security systems to invest in. A pentest can tell you which security features you need and which you don’t. It gives you a baseline of your security strengths and weaknesses so you can allocate funds for the improvements you need, not those you don’t.
  • Get better visibility into how your infrastructure works and how its components communicate with one another. It’s easy to think you know exactly how your system’s modules interact, but many business owners have major misconceptions about what’s actually happening behind the scenes. A pentest should make a system’s inner workings more transparent, and thus easier to protect.
  • Test the security of a new system before pushing it live. Just as you’d test an application for bugs before submitting it, you’ll want to make sure a system is airtight before pushing it into production. Note that this might require you to give a remote pentester access to these development environments, whether by VPN or by whitelisting their IP address.
  • Test the efficacy of your security controls—and your security team. Does your NIDS actually detect the penetration tester’s activity? Does your security team notice the breach and respond to it?
  • Make improvements proactively, on your own terms—not in the panicky, knee-jerk wake of an actual attack. You’re more likely to save on security spending when you’re proactive, too.

Tip: Don’t forget your cloud-based components and third-party providers. If you host any of your systems or data in the cloud, you’ll want to include them in your test, which may require notifying the provider of the pentest ahead of time. They’ll likely have their own security measures, but it’s good to test the integrations from your end if possible.

Internal vs. External Pentesting

While some organizations have their own internal penetration testing teams who regularly run security audits and know their systems inside out, there are certain instances where a third-party penetration consultant isn’t only beneficial, it’s necessary. An internal pentester already knows what the sensitive assets are and where they’re located, as well as who and what the “easy targets” may be.

An external consultant is the obvious choice for a business without an in-house pentester, but they also offer additional benefits. For example, their unfamiliarity with your system means they may catch vulnerabilities that someone who knows the system intimately could miss. Also, their objectivity and breadth of experience with a wide variety of systems means they’ll have an eye out for common vulnerabilities they’ve come across elsewhere.

Tip: If you’re engaging a remote pentesting consultant or agency, it’s important to treat them as a partner and communicate well during the process. The more information you can give them upfront to speed up the process, the better. Also, make sure your in-house developers are aware of the test so they’re not fixing deliberate bugs planted by a pentester before the pentest is complete.

Ready to put your network security controls to the test with a round of penetration testing? Create a pentest job post to get started today.

Author: Carey Wodehouse

Copyright © 2018 MINDSCULPT.ME