December 2018

What is a pen test?

A pen test, short for penetration testing, is a simulated cyber-attack on a company’s network performed to identify any potential vulnerabilities and exploit them. It is performed manually by a highly skilled security professional using various tools, techniques and processes to simulate the extent of what could happen under a real attack.

To explain it differently, think about checking if your house front door is locked. If it isn’t, you enter and rummage around, seeing what you can take and the extent of damage you can cause. In finding the front door unlocked you have identified a vulnerability, and by entering to find personal assets and sensitive information you have exploited it. This is in essence what a pen test does, except that the front door is the access to your company’s network and what is at risk is your data and customer information.

Why have a pen test performed?

Most company networks are designed, built, and maintained by employees that have little to no professional experience in security. Having a pen test performed provides you with a report highlighting points of weakness, the extent of damage that could be caused and a roadmap for security remediation. This resulting report can give you the opportunity to address any issues before they have been exploited by a criminal and peace of mind knowing your “front door” is secure.

Beyond peace of mind, if your business is required to comply with standards, for example HIPAA for healthcare or PCI-DSS for credit card processing, you may have a requirement for a risk analysis to be conducted periodically. A great way to perform this risk analysis is through a combination of a vulnerability scan and pen testing.

Things to consider

  • Pen testing is best conducted by a third-party vendor rather than your internal staff to provide an objective review of the network environment and avoid any conflicts of interest.
  • Pen testing is costly compared to a vulnerability scan for a few reasons. One main factor is that a vulnerability scan is automated, while a pen test is performed manually by an experienced security professional.
  • To keep costs down, don’t spend a lot of money on low-risk assets that may take several days to exploit.
  • Unlike a vulnerability scan, it is recommended that a pen test be performed once or twice a year.

Here are some items you should discuss when talking about performing a pen test. No need to read further unless you are seriously considering taking

  • What computer assets are in scope for the test?
  • Does it include all computers, just a certain application or service, certain OS platforms, or mobile devices and cloud services?
  • Does the scope include just a certain type of computer asset, such as web servers, SQL servers, all computers at a host OS level, and are network devices included?
  • Can the pen testing include automated vulnerability scanning?
  • Is social engineering allowed, and if so, what methods?
  • What dates will pen testing be allowed on?
  • Are there any days or hours when penetration testing should not be tried (to avoid any unintentional outages or service interruptions)?
  • Should testers try their best to avoid causing service interruptions, or is causing any sort of problem a real attacker could cause, including service interruptions, a crucial part of the test?
  • Will the penetration testing be blackbox (meaning the pen tester has little to no internal details of the involved systems or applications) or whitebox (meaning they have internal knowledge of the attacked systems, possibly up to and including relevant source code)?
  • Will computer security defenders be told about the pen test or will part of the test be to see if the defenders notice?
  • Should the professional attackers try to break in without being detected by the defenders, or should they use normal methods that real intruders might use to see if it sets off existing detection and prevention defenses?