Penetration Testing, also referred to as pentesting or ethical hacking, is a service whereby a security professional is hired to "hack" into your network. In this article, we'll discuss what pentesting is, when you should consider pentesting, and how to use pentesting as part of your security regimen.
What is Penetration Testing?
Pentesting involves hiring a security professional to hack into your network. It's important to understand that pentesting is as much of an art as a science. As such, there are differences in approach and quality in penetration testers. Some penetration testers rely on social engineering to trick employees, while others focus on testing web applications to identify weaknesses in your webapps. Specifically defining – or scoping – your pentest is critical to getting the results you need.
Pentesting is NOT a vulnerability assessment - It is not the job of the pentester to find all the possible weaknesses in your systems. Rather, the pentester's job is to get into your network by any means possible (within scope) and show you how they do it. It's important to remember that a pentest is successful when they find one way in – not every way in.
Types of penetration tests:
- Full-Scope (red team testing)
- Network penetration test
- Social engineering (e.g., phishing, smsishing, phone call attacks)
- Web Application Pentest (specific for a web application)
- Physical Pentest (Breaking into facilities)
There are also variations on each of these types. For example, it's common to do a full-scope without a physical pentest.
When should I consider a pentest?
Pentesting is a highly-skilled professional service that comes with a price tag. Ensuring that you get the most out of a pentest is critical and is something often overlooked.
Pentesting is used to test the results of your existing security program. If you don't have an existing security program, don't waste your money on a pentest (yet). First, we recommend a security risk assessment, combined with vulnerability assessments, to understand your current security posture. Then, after fixing (or otherwise addressing) the vulnerabilities found, you can consider hiring a penetration testing firm.
Prematurely hiring a pentester can help prove to management that security is necessary, but it will provide very little in terms of sustainable cybersecurity improvements.
How do I use pentesting for long-term security?
Pentesting is part of the overall security solution, not the complete security solution. We recommend scheduling a pentest once a year, following an annual security risk assessment. When reviewing the results of a pentest, it's tempting to simply fix the flaw that allowed the pentester to "get in," however, it's also wise to look at the root causes of any breaches. Common questions to ask include: Was it a lack of email security? Network security? Should this be in your risk assessment? Do you need to invest more?
In summary, a penetration test can be used to enhance your security program when used properly. Resist the temptation to hire a pentest company before doing basic cybersecurity first. Then, after the test, make sure to use the results and the findings to enhance your understanding of your overall cybersecurity posture.
For more information on this topic, please reach out to us; we're here to help!