Often called ethical or white-hat hacking, pen testing is the practice of using the same tools and techniques as cybercrooks to expose any weak security links in your systems and services.
What is it?
A penetration test can help determine whether the system is vulnerable to attack, if the defenses are sufficient and which defenses (if any) the test has defeated.
A pen test sets out to infiltrate a target system and achieve a predefined set of goals or scenarios. These organized attacks are commonly described as white box (the testers are given knowledge of the system in advance, such as architecture, source code or credentials, simulating an insider or a well-informed attacker), black box (the testers start with no knowledge of the internals and must discover the attack surface and any known vulnerabilities exactly as an outsider would) or gray box (a combination of the two, where some information is provided or can be assumed from the type of company and how the system is deployed).
Security issues that the penetration test uncovers are reported to the system owner. Historically, tests of this nature have been done during an acceptance testing phase, just before a system or upgrade goes live. We strongly recommend instead that they are done throughout the development lifecycle, both in near-live (staging) and fully operational conditions.
What’s in it for you?
A business can no longer use ‘hope as a strategy’ to prevent cybercrime, nor is it merely a question of running virus checkers and a firewall. Used regularly throughout your systems’ lifespans, with your strategy continually refined as findings come in, pen testing can form a vital part of your risk management toolkit.
Pen testing can reduce the risk of disruption or worse to your business-critical systems and those that deal with sensitive customer information.
What are the trade-offs?
Penetration testing can be time consuming and costly. You need to strike the right balance between those costs and the business value and exposure of the systems being tested.
Many existing pen testers and practitioners are used to the ‘security sandwich’ approach, where security requirements are laid out at the start of a project and the finished system is tested once at completion. We view this as a mistake.
By making pen testing part of the development and deployment process, and repeating it throughout the system’s lifecycle, you reduce the risk of breaches. This does, however, require a change in the engagement model with pen testing specialists, who have to work much closer to the delivery teams and the systems they build, verify that fixes actually close the findings, and help demonstrate how secure those systems really are.
How is it being used?
It is used to protect internal systems by finding problems in advance, so that they can be mitigated before an attacker finds them. We recommend that this be done in an ongoing and flexible fashion, feeding any faults found into the appropriate team’s backlog and re-testing them once fixed.
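One concrete way to make this ongoing rather than a one-off: treat pen-test findings as backlog items with an owner and a remediation deadline, and have the deployment pipeline refuse to ship while serious or overdue findings remain open. The script below is an added illustration of that workflow and is not code from the original article or from any particular pen-testing tool; the service-to-team map, the per-severity SLAs and the findings themselves are constructed sample data, and the rule that a finding only closes once the tester has re-verified the fix (not merely when the developer marks it fixed) is an assumption about how such a process should run.

```python
"""Route pen-test findings into team backlogs and gate a release on them.

Added example, not from the original article. The owner map, SLAs and
findings below are constructed sample data; adapt them to your own
services and risk appetite.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical service -> owning team map (constructed).
OWNERS = {"checkout-api": "payments", "auth-gateway": "identity", "www": "web"}

# Hypothetical remediation SLA in days per severity, most severe first (constructed).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_ORDER = list(SLA_DAYS)


@dataclass
class Finding:
    id: str
    service: str
    severity: str
    title: str
    reported: date
    fixed: bool = False      # developer claims a fix is deployed
    retested: bool = False   # pen tester has re-verified the fix (assumption: only this closes it)

    @property
    def is_open(self) -> bool:
        # A finding stays open until the tester confirms it; "fixed" alone is not enough.
        return not self.retested

    @property
    def due(self) -> date:
        return self.reported + timedelta(days=SLA_DAYS[self.severity])


def route_to_backlogs(findings):
    """Group findings by owning team, most severe first within each backlog.

    Services with no registered owner fall to the security team to triage,
    so nothing is silently dropped.
    """
    backlogs = {}
    for f in findings:
        team = OWNERS.get(f.service, "security")
        backlogs.setdefault(team, []).append(f)
    for items in backlogs.values():
        items.sort(key=lambda f: SEVERITY_ORDER.index(f.severity))
    return backlogs


def overdue(findings, today: date):
    """Open findings whose remediation SLA has already passed."""
    return [f for f in findings if f.is_open and today > f.due]


def release_gate(findings, today: date):
    """Return (ok, blockers). Block when any critical/high is open or any finding is past SLA."""
    blockers = [f for f in findings if f.is_open and f.severity in ("critical", "high")]
    blockers += [f for f in overdue(findings, today) if f not in blockers]
    return (not blockers, blockers)


# Constructed sample findings from a hypothetical engagement.
SAMPLE = [
    Finding("PT-1", "checkout-api", "high", "Broken object-level authorization", date(2024, 1, 10)),
    Finding("PT-2", "auth-gateway", "critical", "Session fixation", date(2024, 1, 10),
            fixed=True, retested=True),
    Finding("PT-3", "www", "low", "Missing HSTS header", date(2023, 6, 1)),
    Finding("PT-4", "reporting", "medium", "Verbose error pages", date(2024, 2, 1), fixed=True),
    Finding("PT-5", "checkout-api", "medium", "Weak rate limiting", date(2024, 2, 10)),
]
TODAY = date(2024, 2, 15)

if __name__ == "__main__":
    for team, items in route_to_backlogs(SAMPLE).items():
        print(team, [f"{f.id}:{f.severity}" for f in items])
    ok, blockers = release_gate(SAMPLE, TODAY)
    print("release allowed:", ok, "blockers:", [f.id for f in blockers])
```

With the sample data the gate refuses the release: PT-1 is an open high-severity finding (and already past its 30-day SLA), and PT-3, although only low severity, has been open far beyond its 180-day SLA. PT-4 is marked fixed but not yet re-verified, so it stays in the security team's backlog until the tester confirms it; it does not block because it is medium severity and within SLA.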