Unlocking the potential of penetration testing

Today we examine the lesser known uses for penetration tests and explore the options you may not have considered.

Penetration (Pen) Testing: Getting a real-life human to attempt to breach your network or website is the ultimate test of your defences.

The human mind with experience, determination, incentive and the ability to apply lateral thinking will beat the effectiveness of a port scan or vulnerability assessment every time. A penetration tester will put your defences under real-world pressures and recreate all the scenarios that a hacker will go through when attempting to breach your system. The only differences between pen testers and hackers are permission and time.

Why should I perform a pen test?

The obvious answer is to identify flaws in your network infrastructure or applications which could lead to a compromise or data breach.

A penetration test will give you a full and clear picture of where a hacker could penetrate your defences and access your website, network or system. This will help you identify chinks in your armor and prioritize fixes in vulnerable areas.

But what are the other areas to consider? Finding the gaps in your defence is undeniably important but pen testing is far more versatile than people think. We’ve spoken to our team of in-house experts and teased out some other reasons to make use of pen testing that you may have overlooked.

Compliance

Meeting compliance requirements is vital for all organizations that deal in information.

It’s important as an organization to examine your attitude to pen testing.

Are you the type of organization that is looking to become compliant, tick that box and move on? Or are you serious about your network being safe?

Performing tests because you have to will never be as productive as proactively testing your assets. At BSI, we recommend testing internal and external networks and applications on a regular, pro-active basis to ensure you stay on top of all new vulnerabilities and threats.

Staying on-top and ahead of the game will allow you to spot gaps in your compliance requirements before the regulators do and allow you to pass that audit first time round. Remember, even fully compliant companies can get hacked.

Assess the magnitude of a successful attack

The popular theory in this area is that getting hacked is not an “if” but a “when". Knowing what to do when attacked is a vital part of surviving a real-life hack.

Often, how you respond to a breach is as important as defending against one.

Consider the new proposed EU Data Protection reforms to be introduced in the coming months. A proposed stipulation in these reforms is that an organization must make an announcement of a breach within 72 hours. Consider that for a moment, would you be confident that your organization could diagnose the cause of a breach, fix it and then announce what has been lost within 72 hours?

The first step is to diagnose and be prepared for the impact of a successful attack.

Budgetary leverage

A challenge for management in all areas of business is securing that much-needed funding from the C-Suite.

As you work every day in your area of the business, the need for increased security spending may be apparent and even obvious to you. But convincing others may be a challenge and even impossible in some cases.

A pen test report can be the hard evidence you need to prove shortcomings in your organization’s defences and the concrete way to attain such funding to allow you to secure your organization before a hack takes place.

Recreate an attack chain

Many people aren’t aware that pen tests are a valuable tool, post-breach.

Combined with eDiscovery, pen testing can be used to locate and recreate the path used to breach your network and diagnose a fix, removing any risk of the same attack reoccurring.