September 22, 2020 by Wayne Muranaka

Why You Still Need Pentesting

Like Like Views 8847 [analytify-stats metrics="ga:pageviews" permission_view=""]

Industries: 9-1-1 & Law Enforcement Federal Fire & EMS

Topics: Cybersecurity

PentestsWith so many cybersecurity tools available to defend your organization, why do you still need pentesting? The answer is simple: because you need a secure network – and your network is a moving target. A penetration test (or pentest for short) can give you a snapshot of your overall security posture, along with a reality check. It can help you keep your guard up and challenge your assumptions. The bottom line? Your organization’s reputation and customer confidence are worth the investment.

In this blog, we’ll outline what a penetration test is and discuss the different types of tests. We’ll also discuss three ways a pentest can help you.

What is a Pentest?

Pentests are used to find viable attack paths into a network to get access to high-value assets (for example, customer data or proprietary information). They’re conducted with an organization’s permission, although most employees will not be aware that there’s a test in progress. A pentester (or “white hat”) tries to exploit weaknesses and use them to create an attack path. It’s about finding the various ways to access and steal the “crown jewels.” A pentest can find holes in your perimeter security and firewalls before they’re exploited, or identify problems with remote access tools.

If you’ve never had a pentest, the first step is getting to a baseline view of your security as soon as possible. If you’ve already had one, your next one should be scheduled for a year later, or sooner if you’ve had significant changes or additions to your network.

Pentests are often confused with vulnerability assessments and audits. The terms are often used interchangeably, but they are not the same. A pentest is not about finding every vulnerability on each system, like a vulnerability assessment. A pentest is also not an audit. Unless your industry requires periodic pentests, it won’t help you check a compliance box.

Three Types of Pentests

There are multiple options when it comes to pentesting, including:

  • Black box
  • White (or clear) box
  • Hybrid, or black to white

A black box pentest mimics what an actual attacker would do. Testers start with as little information about your network as possible. White (or clear) box testers know a lot about your network and key targets before they start, which helps them conduct a test faster. Hybrid or black to white is where testers start with little knowledge but request more as the pentest progresses. This also emulates what a threat actor would try but keeps the test to a limited time frame.

Most companies opt for hybrid or white box pentests since time is usually a factor. Both can get the testers what they need to complete their work in a reasonable amount of time.

It’s also important to understand that external, internal and wireless are the basic viewpoints of a pentest. External pentests look at your network from the Internet or outside of what’s historically within corporate network confines. Internal pentests simulate what an insider or potential attacker can see and do on your network. Wireless pentests give you a view of the wireless local area networks (WLANs) and the use of associated wireless protocols and technologies to identify and address vulnerabilities. Ideally, you’ll want to get all three if you can. Each shows a different view into your network security.

Three Ways a Pentest Can Help You 

With all the new cybersecurity technology available today, you might be wondering why you should spend money, time and energy on a pentest. The short answer is that you still don’t know what you don’t know, so blind spots and assumptions about your overall security must be checked and confirmed.

Here are three ways a pentest can help:

  1. It can shine a light on the various attack paths into your network.
  • The system/setting/configuration that was supposed to be patched, removed, adjusted or reconfigured sometimes isn’t. Get it checked out.
  • “Password#1” meets all your corporate password length and complexity requirements – but is extremely easy to crack. Do you know if your users have passwords like it? Find out.
  • Are your legacy or unsupported systems vulnerable? Get them looked at.
  1. It can help your security staff improve their skills and knowledge.
  • Can your tools and team members detect the things you think they should? Confirm it.
  • Tools are only as good as the signatures. Discover the gaps.
  1. The pentest report can be used as a security support tool in and of itself.
  • Leverage the report to make the case for more budget and more staff or training. It might just be what’s needed to tip the scale and get things changed for the better. Use it.
  • Prioritize your IT budget based on risks that are based on facts, not guesses.
  • The pentester can ‘aim’ the narrative of the report to help you get what you need for better network security. They can emphasize areas that you’re trying to change.

Recommended Next Steps

Depending on your role within an organization, here are some action items you can take:

  • Business or agency leader in charge of IT or IT security (C-Suite): Talk to your colleagues about pentests and their experiences with them. Find a pentesting team with good recommendations and work with your IT security manager to get one scheduled. Sooner is better than later because you can never know too much about your security stance. Don’t let a security breach blindside you. Get out in front of it now.
  • IT or IT Security Manager: Get some recommendations for reputable penetration test providers from colleagues, find the right fit and get one scheduled. Do this before your next budget meeting/purchase order. Find your gaps and needs and then spend the money wisely. Use the report to get more budget and staff.
  • IT or IT Security Professional: Talk to your IT security manager and discuss what you’ve learned about penetration tests. See about getting one scheduled for your network. Good ideas come from every level.

Summary

The bottom line is that when it comes to network security, you need to know where you really stand, and pentests can get you there. If you believe in doing everything within reason to ensure that customer and organizational data (intellectual property, key systems and processes) are secure, getting a penetration test is an easy decision.

Given how many organizations have moved to a work-from-home policy, accelerated digital transformation and distributed workforce, consider working with a service provider like Motorola Solutions that can conduct pentests and vulnerability assessments remotely so that you don’t have to have someone physically in your office.

Does your organization need a pentest? Motorola Solutions can help. To learn more, download our Penetration Testing Services Solution Brief. To chat with one of our Cybersecurity sales professionals, visit our Cybersecurity website today.  

Contact us to find out more about our Cybersecurity Services.

Contact Us
Wayne Muranaka

Wayne Muranaka

Mr. Muranaka is a senior consultant with 15+ years of experience in the cybersecurity domain providing enterprise network and system vulnerability assessments (blue team), a threat perspective (red team) and defensive cyber operations as well as cyber exercises and training. In addition, he has a background in information assurance, enterprise architecture and incident response.

Leave a Comment

Related Articles

cyber incident scenario
4 Cyber Incident Scenarios You Should Exercise and Test
Unified Data Platform
Strengthen Collaboration With A Common Technology Platform
Transparency and trust
Foiling a Cops & Lobsters Perception: Through Technology, Transparency & Trust