May 20, 2016 • Published by Steve Robb
Network Security • Physical Security • Security Awareness
Your company’s networks are probed, prodded and attacked countless times every day. Unless you are watching your logs, you are likely unaware that any of this activity is taking place. Awareness is a critical element of an effective defense, and it has to be cultivated and nurtured.
How do you gain insight into activity that is, by design, tailored to avoid your detection? This is where penetration (aka "pen") testing comes in. A pen test is an authorized, controlled attack against your company’s computer systems, applications and networks, typically conducted by a third party, that mirrors what a real adversary would attempt.
In some cases, you may decide to go beyond the electronic world and test physical locations or even target your employees in an attempt to fool or trick them into providing access or information.
Penetration tests expose holes in your defenses, yet they are not to be confused with vulnerability scans or vulnerability assessments, which are distinctly different. A vulnerability scan is automated: it compares your hosts and services against a predefined list of known weaknesses (missing patches, default credentials, weak configurations) and reports the matches. It does not exploit what it finds, chain several low-severity findings into one serious compromise, or probe application logic the way a human tester does.
It is sound practice to run regular vulnerability scans and fix what they uncover, especially before a penetration test, so the tester’s time goes toward the weaknesses a scanner cannot find. Relying on vulnerability scans alone, however, is a half-hearted approach.
Understanding your security posture is the primary reason to procure a penetration test, but in many cases there are other drivers. Commonly, organizations perform pen tests to satisfy compliance mandates. The Payment Card Industry Data Security Standard (PCI DSS) explicitly requires them (Requirement 11.3); HIPAA (Health Insurance Portability and Accountability Act) and Sarbanes-Oxley (SOX) do not name penetration testing, but pen test results are widely used as evidence for the risk assessments and control testing those regulations require.
Apart from compliance, pen test results can also serve as a catalyst for action. For example, you may want to test your response teams (internal or third party) to verify that they actually detect the activity and respond as promised; a test the team has not been warned about tells you the most. You may also want to support ongoing security initiatives or raise management’s awareness of existing critical issues.
The overall goal of any pen test is to give you insight into what attackers see when they look at you and how far they would get once they are in. With this knowledge you can shore up your defenses and close the gaps that could otherwise lead to a breach, hopefully before the bad guys get there.
Want to learn how to derive more value from your next penetration test? Check out this recent ControlScan webinar: "Don't Get Pwned Before You Sign: Selecting the Right Penetration Testing Service Company."