Penetration testing: Do you need it?
In 2015, American businesses lost a total of $525 million to cyber attacks. Globally, that number shoots into the billions.
The risks of malicious cyber attacks have become more costly and more real. But there are steps you can take to ensure your network, devices, and data are as secure as possible. One of the best ways is penetration testing, in which you simulate attacks to uncover not only the weak points in your security, but the potential damage hackers could inflict through those vulnerabilities.
Some industries require penetration tests as part of compliance; others do them voluntarily. In either case, there are guidelines such as readiness, type, and value that need to be considered before moving forward.
Adversarial and nonadversarial: What to consider
Two kinds of penetration tests exist: adversarial and nonadversarial. The latter is typically more communicative and open; the testers request approval before they move forward with exploiting or remediating a vulnerability within your system.
A nonadversarial approach allows testing without disrupting production systems or flooding databases with unclean or dirty data. That way, everything operates as normal for users and customers for the duration of testing—which can last up to weeks in some cases.
An adversarial approach is best used to test your team’s response to a true cyber security incident. It not only uncovers weaknesses in security controls, but whether your team will follow the internal security program. Do they stick to the process? Do they detect the attack within the right time frame? Do they notify everyone that needs to be notified? Do they perform the appropriate actions?
In either case, it’s important to have a touch point within the company. Even in an adversarial penetration test, you want someone within the company to have some knowledge of where, when, or how the test will occur, so that you can detect and fix system issues that are unrelated to the testing.
It’s possible to run a penetration test yourself, but in many cases it’s helpful to get a third party to look at the work, since this allows a fresh pair of eyes to review the system.
Are you ready for penetration testing?
Certain organizations—credit card merchants, for example, or health care providers—may require penetration testing as a compliance requirement once a year. In many other cases, however, penetration testing is your choice. If this is the case, it’s important to make sure your security program is formalized beforehand in order to get the full benefits. Ask yourself:
- Are you patching your systems?
- Are you running vulnerability scans to look for misconfigurations?
- Do you have a policy and process framework in place?
- Do you have a change management program in place?
If the answer to any of these questions is no, a penetration test loses its effectiveness, since you already know what it will find. But after these components are established, repeat penetration testing once a year to check up on your systems.
When penetration testing isn’t valuable
Penetration testing isn’t always the best way to expose a particular weakness. For example, some forms of penetration testing include emailing employees a harmful link or exploit to show what would happen if they opened a harmful attachment.
This form of test, along with phishing, telephonic pretexting, and brute force authentication, probably won’t reveal anything new about your security if its fundamental components (systems patches, vulnerability scans, etc.) are properly in place. You’ll just be reminded that employees can be vulnerabilities—something most people know without investing in a penetration test. Instead of wasting valuable time on such a tactic, training your employees in proper password management and email practices could yield more effective results.
Consider your options
Penetration testing is a helpful tool for figuring out just how secure and prepared your network is, but make sure you choose the best method for your business. Depending on your budget, timeline, areas of concern, or other circumstances, you may want to choose one form of penetration test over another, or hold off on penetration testing until your security practices have fallen into place.
If you have any questions about whether penetration testing is right for you, contact your account executive today.