THE 411 ON PENETRATION TESTING
Organizations everywhere are being asked to build a stronger security posture to protect their company data. There are many aspects to doing this and they are different for every organization. One way to determine the gaps in your current security posture is by performing something called a penetration test.
A penetration test, also commonly called a pen test, is the practice of performing cyber attacks against your own IT systems in the same way a hacker would to identify security holes. The results of these tests can allow you to think like a hacker and take proactive measures to prevent actual cyber attacks before they occur.
Several regulations and standards recommend, and some REQUIRE, pen tests. Examples include PCI, SOX, HIPAA, GLBA, FISMA, NIST and DFARS. PCI DSS mandates an annual penetration test and ongoing testing after any system changes. SOX and HIPAA also require an annual penetration test. Similar provisions appear in standards and frameworks such as GLBA, FISMA, and OWASP. The NIST Cybersecurity Framework and ISO 27001 also include pen testing in their guidelines. Any company working with customers and/or third parties in the EU must comply with the GDPR, which recommends regular testing to assess the resilience of applications and critical infrastructure. Noncompliance with these and several others could result in unwanted fines or penalties. Penetration tests, therefore, help you comply with regulatory requirements.
Even if your company isn’t required to follow any government or industry cybersecurity requirements, you should still work towards maintaining a strong cybersecurity posture. Regular penetration testing is necessary to achieve this. It is important to understand the liability you would face if your network were breached so you can formulate a proper security plan for your organization. Insights provided by the penetration test can be used to fine-tune your security policies and remediate detected vulnerabilities.
Penetration testing should be conducted – at the least – on an annual basis. It’s important to understand that pen testing is not a one-time task. Networks and computer systems do not stay the same for very long. As time goes on, new software may be deployed and changes may be made. These factors generate the need for regular testing and retesting. It is important to take into account your organizational size, budget, compliance requirements, and infrastructure to get a precise answer on the frequency of testing for your organization.
Penetration testing should always go hand-in-hand with vulnerability scans. Vulnerability scans help uncover the vulnerabilities and potential breach points in your network. A penetration test then attempts to exploit those vulnerabilities to gain access to valuable internal resources and systems. Both pieces of the puzzle are important, and they are very different activities.
Once you reach the penetration testing portion of your security program, there are different levels of testing that can be performed. You can use automated tools to try to exploit vulnerabilities found by a scan or otherwise identified by a security expert. These tools can run both static and dynamic exploit procedures in an attempt to gain access through a breach point.
Vulnerability scanning and penetration testing are both critical to a comprehensive security strategy. They are powerful tools to monitor and improve an organization’s network environment. These tests are not one-size-fits-all. Ultimately, understanding your line of business is fundamental to successful security testing.