Penetration tests - What are they and do I need one?

Penetration (pen) testing is the practice of testing a computer system, network or web application, to find vulnerabilities that an attacker could exploit, identifying the likelihood of a successful attack against an organization's IT assets.

Getting a pen tester to attempt to breach your network is the ultimate test of your defences and will give you a clear picture of where and how a hacker could potentially gain access to your system.

A pen test follows a carefully selected set of tools and techniques that will examine an IT system for weaknesses, resulting in a report highlighting all of the security issues and vulnerabilities identified on specific assets.

To identify the vulnerabilities present a pen test often includes offensive testing techniques against a pre-defined scope of assets; including but not limited to web applications, externally facing networks and hosts, internal networks, network devices, cloud infrastructure, mobile applications and APIs.

Given the commoditized nature of pen testing, it is imperative for organizations to employ an accredited and globally recognized partner of choice. CREST-approved providers of pen testing have skilled ethical hackers who are trained to replicate the mind of a malicious attacker and use an exhaustive set of tools to perform and imitate this mindset. CREST approved members also offer a wide range of pen testing services covering all aspects of organizational security, such as infrastructure, web applications, social engineering and, of course, mobile. They use a risk-based approach to assess systems from an attacker's point of view, as well as against industry best practices.

The goals and outcomes of a pen test:

• Determine feasibility of a particular set of attack vectors
• Identify any vulnerabilities which are present, including any that are high-risk which result from a combination of lower-risk vulnerabilities exploited in sequence
• Identify weaknesses that may be difficult to detect with automated vulnerability scanning software
• Assess the potential impacts of a successful attack on an organization
• Justify increased investment in security personnel and technology

Pen testing forms a large element of cybersecurity efforts in organizations due to the value that the results provide. It gives the organization a stable and measurable output relating to the security posture at a specific point in time. Pen tests are an important part of a full security audit, for example, the Payment Card Industry Data Security Standard (PCI DSS) requires pen-testing on a regular basis and after any system changes.

In saying that, traditional pen testing has its limitations. Continual improvement is the key to staying on top of new threats. A pen test report only reveals the state of your vulnerabilities at a particular moment in time in an environment that is constantly changing. A regular testing program to keep up to date with new malicious vulnerabilities and compliance requirements is advised.

Objective-oriented pen testing and red teaming are other types of assessments that can further enhance the security posture of your organization.