What Is Penetration Testing?
Penetration testing is the process of identifying security gaps in your IT infrastructure by mimicking an attacker. Think about it as quality assurance for your IT security.
Like most people, you probably think that quality assurance for software is both sensible and necessary before you roll out software into production. It’s sensible not because you don’t trust the software developers to do a good job, but because it’s good business practice to ensure that the code works as expected. Penetration testing plays the same role for security: it verifies that your production systems are secure.
Some penetration testers prefer the term “security assessment” over “penetration testing,” although they relate to the exact same process. Penetration testers are sometimes called the Red Team, a term that comes from the early days of penetration testing in the military, whereas the Blue Team is the defensive team.
If you wonder how penetration testing relates to port scanning and vulnerability management, you’re not alone. Although they are related, they are quite different:
- Port scanning identifies active services on hosts.
- Vulnerability management identifies potential vulnerabilities on systems based on the installed software version of the operating system or applications.
- Penetration testing involves trying to take control over the systems and obtain data.
The differences between the three are easier to understand if you think of your network as a house:
- Port scanning is like counting the doors and windows on the house.
- Vulnerability management is like walking around the house and listing all the doors, windows and locks that are reportedly insecure based on the vendor and model information.
- Penetration testing is like trying to break into the house by picking the weak locks and smashing a window.
Why Penetration Test?
People conduct penetration tests for a number of different reasons:
- Prevent data breaches: Since a penetration test is a benign way to simulate an attack on the network, you can learn whether and how you are exposed. It’s a fire drill to ensure you’re optimally prepared if there’s ever a real fire.
- Check security controls: You probably have a number of security measures in place in your network already, such as firewalls, encryption, DLP, and IDS/IPS. Penetration tests enable you to test whether your defenses are working, both the systems and your teams.
- Ensure the security of new applications: When you roll out a new application, whether hosted by you or a SaaS provider, it makes sense to conduct a security assessment before the roll-out, especially if the application handles sensitive data. Some example applications include customer relationship management (CRM), marketing automation programs (MAP), HR’s applicant tracking system, health insurance providers’ benefits management software, et cetera.
- Get a baseline on your security program: New CISOs often conduct a security assessment when they join a new company to obtain a gap analysis of the security program. This shows them how effective the organization is in dealing with cyber-attacks. These security assessments are sometimes conducted without the knowledge of the IT security team because it could otherwise influence the results.
- Compliance: Some regulations, such as PCI DSS, require penetration tests. Make sure you understand how the penetration test should be conducted to ensure that you will pass the audit.