Penetration testing is a relatively broad subject that can have a range of different meanings. According to some experts, it’s the only way to ensure that your business security is effective against the ever-increasing range of real world threats. Penetration testing essentially means looking at ways in which your systems and/or network could be broken into and then testing them, both to replicate what the effect of a security breach would be for the company, and to work out how easy it is to obtain access.
What does penetration testing look like?
Penetration testing can take many forms. It might involve social engineering attacks or staging a break-in to a network to show that the security breach is actually possible. Testing may rely on white-hat hackers to expose vulnerabilities within the organisation or it may simply be a case of an assessment of factors such as whether software used is out of date. Whatever the method used, the idea behind it is to test vulnerabilities that could be open to cybercriminals to profit from.
Why is penetration testing necessary?
There are two principal reasons why penetration testing can be necessary and/or useful. The first is the simple act of exposing those points within the business that could potentially put data or systems at risk, whether that’s out of date software, unprotected smart devices, physical data centre vulnerabilities or poor security policies and solutions that aren’t sufficient to deal with an attack should it happen. The second reason for carrying out penetration testing is that it can be a useful tool to justify transferring a larger budget allocation to security systems and data protection. Often it takes an attack – real or simulated – to demonstrate to businesses just how much is at stake if the business becomes a target for cyber criminals.
Penetration testing options
As mentioned above, the choice of options for penetration testing are numerous. However, most fall into one of five categories:
Targeted – where the test is carried out by the IT team and anyone can see it happening.
External – testing firewalls, e-mail servers, web servers to see if it’s possible to get in from the outside.
Internal – to demonstrate an attack behind a firewall, perhaps by a disgruntled employee.
Blind – very little information is provided about the testers carrying out the attack to simulate almost real world conditions.
Double blind – virtually no knowledge is provided within the organisation. Useful for testing security monitoring and response.
While there are no guarantees with penetration testing, there is no doubt that identifying vulnerabilities and testing processes provides businesses with more insight and knowledge than simply waiting for an attack to take place and hoping for the best.
