Penetration testing: An ounce of prevention is worth a pound of cure

18. November 2016

Nothing epitomizes the saying "an ounce of prevention is worth a pound of cure" better than penetration testing in today's connected world, where we live in the midst of danger. All manner of crooks and kooks roam the world wide web looking for the slightest chink in your network armor to invade, steal valuable information or just make your life a nightmare for sport. Dealing with the consequences of a system hack can be very costly. Penetration testing ensures this never happens.

So, let's begin by defining what a penetration test is and what it can do for your system. To put it in perspective, it is worth noting that regular maintenance of any system, from checking the oil in your car to updating your phone or even taking your vitamins, ensures the system is running at optimal levels. The same applies to penetration testing. The benefits of a penetration test are that you avoid cyber attacks and defend your network.

Without going into too much techno-babble, a penetration test is a security assessment. The security tester pretends to be a bad guy and attempts to get into your system. The techniques used mirror those used in the real world by real cyber crooks. During the test, the tester gathers security information and once the test is complete, any vulnerabilities identified are reported to the system owner. This report is then used to improve security and ensure a real attacker never exploits the vulnerabilities.

It is also important to note that it is always best to have an external professional conduct the test as opposed to an internal employee. Internal employees have a tendency to become predictable and less effective, since their knowledge of the internal environment prevents them from seeing things from a different perspective, as a real attacker undoubtedly would.

A penetration test can be performed at different levels. At its most basic, the test can be carried out against public-facing network infrastructure. This would include websites, VPN, webmail and so forth. These would be tested to see how an external attacker might get access to the system.

To have a more comprehensive picture of an organization's security, an internal penetration test would be needed. This test is a bit more complex as the attack simulation would need to test how a malicious insider would get access to critical portions of the system. It would also simulate an attack from someone who has breached the perimeter. The test details the effectiveness of:

It is rather unfortunate that many businesses have ignored the insider threat and only focus on external penetration testing. Modern attacks have grown in complexity, and while an internal penetration test is not to say that insiders should not be trusted, it is an excellent way to strengthen internal security controls. Improving internal controls can mitigate the risk posed by malicious insiders and by external attackers that manage to breach perimeter defenses.

In both these examples of penetration testing, an additional factor is usually considered when planning the scope of the test. In both scenarios, the client must decide the amount of advance knowledge they want to give the tester. This is done to see what an attacker with similar knowledge about the system might be able to do.

There are many aspects of penetration testing that can't be covered in a single article, including social engineering, adversary simulations, red teaming and much more. The most important takeaway is that penetration testing is the most effective method to find exploitable vulnerabilities in your system before someone with nefarious intentions does.