Let’s say you’ve already invested a fortune in network security. How do you determine that investment’s effectiveness in preventing a data leak or withstanding a deliberate cyber attack? Your best option would be to conduct a penetration test, or pen test.
What is penetration testing?
Penetration testing is a cyber security exercise meant to identify vulnerabilities in your network as well as support risk assessment and prioritisation endeavours. It’s typically carried out by “aggressors”, often called the Red Team. They’re the ones who conduct penetration tests against the controls put up by your cyber defense team, sometimes known as the Blue Team.
Penetration testers mimic real-world cyber attacks, so they’re also armed with both the skills and the tools for hacking into a corporate network. They employ a variety of tools like Metasploit, Wireshark, Nmap, and many others, but also write their own scripts or issue commands through the command line.
Reasons for conducting pen tests
Pen testing has a number of operational and business benefits. It can help your organisation:
- Determine the efficacy of both your network security and the people who manage it;
- Identify vulnerabilities that may be missed by automated vulnerability scans;
- Gain valuable insights for future security investments and initiatives;
- Arrive at a more accurate estimation of the potential impact of perceived threats;
- Collect information needed in prioritising vulnerabilities, threats, and risks; and
- Pinpoint attack vectors that are most likely to succeed.
Without a penetration test, it would be difficult to know whether, for instance, your firewall network security or Cisco network security has already been configured optimally. Pen test results can provide guidance for fine-tuning your proxies, firewalls, DLP (data loss prevention) systems, IDS (intrusion detection systems), and other security assets.
Some regulations like PCI-DSS actually require covered entities to conduct pen tests regularly, so, in some cases, you really need to do it to achieve compliance.
Because the results of a penetration test can help you optimise your IT assets and controls, streamline your security policies, and plan for future security acquisitions and programs, it can substantially bring down the risk of a data breach, DoS attack, and other forms of cyber threats.
Penetration testing vs vulnerability scanning vs port scanning
Penetration testing is often confused with vulnerability scanning or sometimes even port scanning. They’re not the same thing.
Port scanning is usually a software-generated scan of your network to find open ports. Open ports are logical points in your system that accept connections and are often used as entry points by attackers. Vulnerability scanning, on the other hand, is a scan meant to discover a wide range of network, OS, and application-level vulnerabilities.
Pen testing is a more comprehensive set of processes that involves both vulnerability scanning and port scanning. A pen tester would typically conduct port and vulnerability scans first and then exploit whatever open ports and vulnerabilities are discovered from those scans.
One major benefit of doing a penetration test is that it’s able to incorporate the human factor. Although employees are not part of the physical network per se, they can substantially impact the effectiveness of network security.
No matter how stringent your security policies are on paper or how state-of-the-art your security assets are, if the people who interface with your network have not been trained or educated enough in matters of information security, your network can still be compromised.
A complete penetration test would include social engineering attacks, which are aimed at the people manning and using your network. Social engineering attacks may involve phone calls, phishing or spear phishing emails, web-based attacks, and even on-site visits wherein the pen tester would attempt to gain physical access to critical network devices.
Conclusion and considerations
Once you’re done setting up network security solutions, hardening your servers and network devices, drawing up a set of security policies, and briefing your employees regarding those policies, your next step would be to test how well your network can now fare against a real-world attack. You’ll find that out through a penetration test.
Because of the nature of these activities, poorly planned and executed penetration tests can be disruptive and sometimes even destructive. So make sure you choose reputable and highly skilled professionals who can be trusted and really know what they’re doing.