What is a Penetration Test?
A penetration test is an attempt to safely exploit your IT systems to help determine whether they are vulnerable to attack. The test identifies whether your defences are sufficient and reports any defences that were defeated during the test. A penetration test is most effective when both an external and an internal scan are carried out.
Why do I need a Penetration Test?
A penetration test will enable Securious to provide guidance around the vulnerability, impact, threat and the likelihood of a breach within your organisation.
Penetration tests are often required for regulatory compliance and are a requirement for PCI DSS and Cyber Essentials Plus.
It will give an organisation a clear picture of how vulnerable it is to a cyber attack.
System administrators may not always be aware of vulnerabilities or weaknesses in your systems, and a penetration test will provide reassurance that your business and valuable data are safe.
A penetration test will also identify whether your critical data could be easily accessed and this will help identify the potential impact on your business of a successful attack.
Which organisations is a Penetration Test suitable for?
A full security audit would include penetration tests as a key component.
It is often a regulatory requirement: for example, the Payment Card Industry Data Security Standard (PCI DSS) requires penetration testing on a regular schedule and after system changes.
Cyber Essentials Plus also requires internal and external vulnerability tests to achieve this higher security standard.
What happens during a Penetration test?
The penetration test will attempt a series of attacks using a ‘safe’ form of malware (dummy files) to identify whether they could succeed against your systems.
The process tests the ability of your system defences, such as anti-virus and anti-malware, to detect and respond to attacks.
Often it is a combination of weaknesses in your systems, rather than a single vulnerability, that allows an attack. The test therefore chains a series of lower-risk exploits or attacks, in a particular sequence, to determine whether together they would have any effect.
The penetration test findings are then detailed in a report which will identify where additional resources need to be applied to protect your systems.
What is an external scan?
An external scan is usually carried out away from your site and looks at how accessible your systems would be to someone outside your organisation attempting to gain unauthorised entry.
This shows how vulnerable your network would be to both automated (generally 80% of threats) and targeted attacks.
Open ports that are not in use are often found by the automated Internet scanning tools used by attackers, and give them opportunities to access your systems undetected. A penetration test helps to identify these ports so that you can secure them.
What is an internal scan?
An internal scan has to be carried out on your premises. It is effectively a test of how vulnerable your data would be if someone actually gained access to your network, and how susceptible your systems would be to malware and virus attacks or to theft of valuable or sensitive data.
It will also identify software or devices that have not been updated with the latest releases that fix system bugs and are, therefore, more vulnerable to attack.
How often should we test?
Penetration testing should be performed on a regular basis. This ensures that you can detect any newly discovered threats or emerging vulnerabilities that may lead to a system compromise by attackers.
Furthermore, penetration tests should also be carried out whenever:
- Significant changes to your infrastructure have taken place;
- Additional locations or branch offices are opened;
- You suspect or have fallen victim to an attack.
Benefits of pen testing
By actively identifying vulnerabilities, you help protect your environment from malicious attacks and are better placed to react to and mitigate the most critical threats.
Recovery from a breach can cost well into the thousands, and for SMEs it could put you out of business. Regular pen testing positions you well to identify and address these risks before a breach occurs.
Penetration testing is a common requirement for a number of compliance programmes. The evidence gathered and reported from the test demonstrates that your company has the necessary security controls in place within your business.