We don’t have to tell you your organization’s IT system is deeply complex. To provide even the most basic services to your users, many layers of hardware and software combine.
Lurking within these layers are vulnerabilities – weaknesses that can be exploited to inflict costly damage on your organization. And as the layers of your IT system multiply, so do their vulnerabilities, whether they are flaws in operating systems, application bugs, or improper configurations.
How do you find these weak points before the bad guys do? That’s exactly what penetration testing is for and why it is a critical part of a company’s security policy.
What Is a Penetration Test?
A penetration test is a deliberate, authorized attempt to exploit one of these vulnerabilities in your IT system. In other words, you allow professionals to infiltrate your system and report on its weaknesses before someone with less wholesome motives discovers them.
The test itself is an invasive examination of key infrastructure, including:
- Web applications.
- Wireless networks.
- Network devices.
- Mobile devices.
Every breach of your IT system can end up costing you thousands or even millions to tamp down, including the cost of notifying customers, dealing with lawsuits, damage to your reputation, loss of proprietary data, and fines for violating regulations like HIPAA.
How Is a Penetration Test Performed?
Many security companies follow a basic organized process for performing a penetration test. This process contains a few critical steps:
- Planning and preparation – The security team will meet with your organization to discuss the scope of the project and the ultimate objectives. Your organization will need to determine the timing and duration of the tests being performed. The penetration testing team will make a recommendation on whether to inform your staff or not of the upcoming tests based on the final objective.
- Reconnaissance – The reconnaissance phase is when the security team actually begins carrying out the test. Many reconnaissance phases begin with collecting organizational data from your company’s website, social media accounts, etc. A network survey is also usually done at this point. This gives testers a broad view of the network so they can identify the most important areas to focus on.
- Vulnerability assessment – The vulnerability assessment phase is when the testers get their hands into your systems to determine application versions, OS versions, missing patches, poor configurations, etc. – anything that could possibly be exploited.
- Phishing/social engineering – No penetration test is complete without seeing what access or information testers can gain from your company’s employees themselves. (Read more about this technique, called phishing, in our recent article.)
- Exploit launching – In this phase, attacks are mounted against the vulnerabilities identified in the previous phases. Many vulnerabilities are conditional, so testers may need to chain more than one weakness together to gain access. This phase uses a combination of manual techniques and automated testing tools.
- Analysis and reporting – Once they have exploited the vulnerabilities within the allowed testing scope, the testers generate a report. Typically, the report provides a short overview of the testing process, followed by a detailed analysis of the findings. Some companies ask the testing company to make mitigation recommendations as part of the project, while others choose to handle mitigation planning internally.
Why Does Your Organization Need Penetration Testing?
As Steve Vigeant has pointed out, the average cost of a data breach has climbed to $4 million per incident in 2016. So, your IT security policy cannot be complete without penetration testing.
Because penetration testing evaluates your organization’s ability to protect its networks, applications, endpoints, and users, it allows your management team to make informed and safe decisions for the future.
How Often Should You Conduct Penetration Tests?
To maintain a high level of security awareness, these tests should be performed on a regular basis. Many industries have regulatory mandates, but organizations should also run tests whenever:
- Your company’s office location changes or a new location is established.
- Your network design or architecture is significantly changed.
- You roll out new applications.
- You make a significant change to IT personnel or management.
If your organization is overdue for penetration testing – or you’ve never done it before – get in touch with Data Evolution today to get the ball rolling.