
Penetration testing (or pen testing) – a legal attempt at gaining access to a protected computer system with the intention of identifying potential security loopholes in that system before cybercriminals do – is an integral part of information security. A pen test will provide an excellent view of the actual security state of an environment as well as the organisation's security state.


Dispelling 8 misconceptions


Penetration testing is critical for all types of organisations, especially those that are subject to data privacy laws and regulations. Before conducting penetration tests, it is important to dispel several myths and misconceptions about the practice.

1. Penetration Testing Is the Same as a Vulnerability Assessment

Vulnerability assessments include identifying and classifying known vulnerabilities, producing a list of prioritised flaws that require attention and recommending ways to fix them. Penetration tests, on the other hand, simulate an attacker’s actions. Results should include a report of how the tester undermined security to reach a previously agreed-upon goal, such as breaching the payroll system.

2. All Penetration Testing Tools Are Created Equal

Many penetration testing tools exist in the market, and testers should use a variety of solutions. However, more senior testers also build custom tools to go beyond the normal scope of testing. Obviously, proper testing requires expert skills and lots of experience.

3. Automated Security Testing Is Just as Good as Manual Penetration Testing

Many organisations use a blend of automation and human-driven security testing, but to clarify: Automated testing is scanning, not true penetration testing. Both have value, but humans find ways to break systems that machines do not. Experience, creativity, and curiosity are at the core of pen testing, which generally picks up where automation ends.

4. Penetration Tests Only Evaluate Technological Weaknesses

Penetration testing can include social engineering. As such, it is important to establish before testing whether only the technology will be evaluated. In some cases, analysts may be authorised to do more, such as scan social media for exploitable information or attempt to phish sensitive data from users via email.

5. Penetration Testers Must Be Ignorant of the Systems They Target

Both people who have knowledge of the intended target system and those who do not can conduct penetration tests. In fact, people who understand the system can provide additional insights, since they know exactly what to look for.

6. Only Outside Parties Can Conduct Penetration Testing

Penetration testing can be conducted by employees, contractors or other external third parties. Ideally, external testers periodically check the work of internal testers.

7. Penetration Testing Is an Optional Luxury for Big Companies

Some laws and industry standards require penetration testing. Health care providers, for example, conduct tests to ensure that they adequately protect medical data. Meanwhile, any business that accepts or processes credit cards must conform to the Payment Card Industry Data Security Standard (PCI DSS). Penetration test results are sometimes cited as evidence of proper compliance.

8. Penetration Testing Is Always Proactive

Penetration testing can be proactive or reactive. Ideally, tests are performed to help prevent a breach. However, penetration testing during post-breach forensic analysis can help security teams understand what happened and how — information that can also help an organisation prevent similar breaches in the future.


Find vulnerabilities before cybercriminals do


When done right, penetration testing can help organisations identify security flaws before cybercriminals can exploit them. So, don’t be afraid to look for outside assistance: Finding vulnerabilities before they’re in the hands of cybercriminals is a much better investment than cleaning up the mess.
