A penetration test, also known as a pentest, refers to an attack on a computer network intended to find any security weaknesses present. These attacks are self-inflicted, either by an internal team at the company themselves or through a hired third-party, in an effort to better understand the system’s vulnerabilities. When used as part of a full security audit, the knowledge gained from this test can be used to strengthen the system in the event of a future attack from an actual, malicious third-party.
How Does It Work?
While the employees that make up an internal I.T. team are often educated in a range of disciplines, they typically specialise in technical support. Because of this, it’s recommended that you work with a third-party group like Nettitude who has a skilled team trained in exposing the flaws of a security system. To ensure you get the best results, the hackers engaging in the penetration test should have no prior knowledge of the source code or any other information that could leverage their ability to gain access to your system.
The type of feedback that you can expect to receive will be dependent on the amount of information you grant them. You may want to consider limiting the amount of information they have to only public knowledge. You might be surprised at what a skilled team can pull from simply a company address, or other seemingly innocuous details. A good team will employ a variety of different techniques to test your security system. This could range from approaches you initially expected, such as attempting to break into and take down a web application, halting your company’s productivity, to tactics you didn’t anticipate like installing a keylogging system onto a receptionist’s computer so that that they can gain access to internal passwords.
What Are the Benefits?
Experience: Many I.T. departments spend their lives learning how to best prevent cyber attacks and improving security measures for unsuspecting company employees. Very few of them, though, end up with real-world experience dealing with an actual live intrusion. Because of this, a penetration test is best employed without warning, like a fire drill. This way, the process can give those involved valuable experience in how to effectively counter hacker activities, protect your company’s security as it happens, and react to the aftermath. The experience of the event can help to ensure that they don’t repeat the same mistakes in a future attack.
Feedback: As the old saying goes, “to catch a criminal, you have to think like one.” Penetration testers are trained to explore the same paths that malicious intruders would employ. In fact, in some cases, this is from their own experiences on the other side. There have been numerous examples of former hackers being employed at high-profile companies to work on their security systems. At the end of the process, you will receive valuable feedback on which parts of your security system are most at risk from experts in the field. Because these tests are based around real-world effectiveness, you’ll gain insight into realistic exploits a skilled, human attacker would engage in. With this information, you’ll have the data you need on which areas you need to improve upon.
For certain industries, such as those dealing with PCI DSS, it is mandatory to undergo regular penetration testing. Even for those without this obligation, though, the one certainty you can take is that you will learn something. It’s important to remember that there is no such thing as a faultless system, even for the largest of companies. You should instead strive for continuous improvement, rather than perfection.