Penetration Testing Demystified
January 10, 2014
If you’ve been considering the various technical security assessments available to your organization, then chances are good you’ve heard of a Penetration Test, but do you know whether you need an internal or an external penetration test? How often should these tests be scheduled? What can you expect the test to find?
What is a Penetration Test?
A Penetration Test is a method of evaluating the security of a computer system or network by simulating an attack by a malicious user. Here’s how it works:
During a penetration test, the technical security firm takes the position of an attacker and attempts to penetrate the environment through previously identified points of weakness. These entry points may have been identified either by the organization or through a vulnerability assessment completed beforehand. The penetration test confirms whether the potential weaknesses are real, and if the attack is successful, the consultant will assess the impact an information security breach could have on the organization and present the findings along with a detailed proposal for mitigation.
Simply put: the ethical hacker will tell you if you do, in fact, have a problem, and if so, how to fix it.
Internal vs. External Penetration Testing
When considering a penetration test, an organization must decide whether to conduct internal testing, external testing, or a combination of both.
An external penetration test is commonly referred to as “ethical hacking”. The external pen test is performed from “outside” the organization, in a manner similar to the approach that would be used by an actual hacker. Having limited information regarding the network infrastructure, the ethical hacker will garner information from public web pages and attempt to break through any security vulnerabilities that might exist in the IT infrastructure.
Many threats come from within the organization’s firewall – from employees or partners with access to privileged information. These threats (while often not malicious in intent) can have the same damaging results as an external attack from a malevolent hacker. In an internal penetration test, the ethical hacker is given network authorization equivalent to that of an employee or guest user, and will conduct the penetration test from the vantage point of users within the organization’s own network.
Which test is best for you?
If your most common threats are believed to be from the outside (as in most organizations), then an external test is going to be the most effective solution to meet your needs. Once a penetration is achieved, the tester can work from inside the network to find more weaknesses. If your greatest potential threat is from those who are inside your company, then the internal test may be the best place to begin.
Results of the Penetration Test
Following the penetration test, the organization will have a much clearer understanding of the weak areas within the IT infrastructure, as well as how to shore up defenses to protect the organization from a costly, potentially devastating security breach. This thorough test provides answers to the questions raised by the vulnerability assessment, and is an invaluable component of a comprehensive technical security assessment.
Benefits of Effective Penetration Testing
The benefits of this act of corporate due diligence include: protection of the organization’s reputation; protection of data and assets; third-party verification; cost justification; customer/client assurance; and validation of existing security measures. A comprehensive technical security assessment, which includes web application assessment and vulnerability assessment in addition to penetration testing, will also help ensure legislative and regulatory mandates are met while risk exposure is reduced.
When to Perform Penetration Testing
Penetration Testing should be performed bi-annually as a part of a comprehensive technical security assessment. As changes in the network environment occur, the potential for new weaknesses develops. The testing schedule should be planned with your technology security firm around vulnerability assessments (quarterly) and web application assessments (at least bi-annually, or as new applications are added).
Final thoughts to consider
Penetration Tests have the potential to cause interruptions for the daily work routine of your employees. Because of this, you must balance security with convenience. An important factor to consider is whether or not the assessment will hinder your employees, your network, or your infrastructure. Testing has the potential to disrupt normal network operations if the tester is successful. Therefore, it is important to know what protocol the security firm has in place in case the network is compromised. Every information security firm should provide your organization with “rules of engagement” to mitigate the possibility of network interruptions and eliminate any surprises. If you require a less obtrusive method, then a vulnerability assessment may be the best solution for you. However, if your company requires that you actually test these threats and you need a higher level of confidence in your security posture, then a penetration test is the best approach for your company.