With so many cybersecurity tools available to defend your organization, why do you still need pentesting? The answer is simple: because you need a secure network – and your network is a moving target. A penetration test (also known as ethical hacking, pentesting or pentest) can give you a snapshot of your overall security posture, along with a reality check. It can help you keep your guard up and challenge your assumptions. The bottom line? Your organization’s reputation and customer confidence are worth the investment.
In this blog, we’ll outline what a penetration test is and discuss the different types of tests. We’ll also discuss three ways a pentest can help you.
What is a Pentest?
Pentests are designed to proactively identify any weak points in your security defenses so you can fix them before a malicious hacker exploits them. They’re used to find the different ways that threat actors might use to get into a network and access high-value assets like customer data or other proprietary information or to compromise mission-critical systems like computer-aided dispatch (CAD) systems.
They’re conducted with an organization’s permission, although most employees will not be aware that there’s a test in progress. A pentester (or “friendly hacker”) tries to take advantage of these weaknesses and use them to create an attack path. It’s about finding the various ways to access and steal the “crown jewels.” A pentest can find holes in your perimeter security and firewalls before they’re exploited or identify problems with remote access tools that might inadvertently give attackers an entry point into your network.
If you’ve never had a pentest, the first test will give you a relatively quick way to get a baseline view of your security. If you’ve already had one, your next one should be scheduled for a year later, or sooner if you’ve had significant changes or additions to your network since it was performed.
Pentests are often confused with vulnerability assessments and audits. The terms are often used interchangeably, but they are not the same. A pentest is not about creating a list of every vulnerability in each system, like a vulnerability assessment. A pentest is also not an audit. Unless your industry requires periodic pentests, it won’t help you check a compliance box.
Three Types of Pentests
There are multiple options when it comes to pentesting, including:
- Trial-and-error testing
- Clear box testing
- Hybrid testing
A trial-and-error pentest mimics what an actual attacker would do. Testers start with as little information about your network as possible. Clear box testers know a lot about your network and key targets before they start, which helps them conduct a test faster. Hybrid is where testers start with little knowledge but request more information from your organization as the pentest progresses. This also emulates what a threat actor would try but keeps the test to a limited time frame.
Most organizations opt for hybrid or clear box pentests since time is usually a factor. Both can provide the testers with the information they need to complete their work faster.
It’s also important to understand that external, internal and wireless are the basic viewpoints of a pentest. External pentests look at your network from the internet, outside what has historically been the corporate network boundary. Internal pentests simulate what an insider, or an attacker who is already inside your network, can see and do. Wireless pentests examine your wireless local area networks (WLANs) and the wireless protocols and technologies they rely on, to identify and address vulnerabilities. Ideally, you’ll want all three, since each shows a different view of your network security.
Three Ways a Pentest Can Help You
With all the new cybersecurity technology available today, you might be wondering why you should spend money, time and energy on a pentest. The short answer is that even with security tools in place, you still don’t know what you don’t know, so it’s important to look for any weak points and assumptions about your overall security that you might not see otherwise.
Here are three ways a pentest can help:
1: It can shine a light on the various attack paths threat actors could use to get into your network.
The system, setting or configuration that was supposed to be patched, removed, adjusted or reconfigured sometimes isn’t. Get it checked out.
“Password#1” meets your organization’s password length and complexity requirements – but is extremely easy to crack. Do you know if your users have passwords like this? A pentest can help identify weak passwords in your network.
Are your legacy or unsupported systems vulnerable? Pentesters will likely focus on these systems first.
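As an added example (not code from the original post), here is a defender-side check in Python showing why a password like “Password#1” clears a typical length-and-complexity policy yet remains easy to guess: it strips the digits and symbols people append to satisfy the policy, undoes common letter substitutions, and compares the remaining base word against a small constructed list of common passwords. The word list and the sample passwords are constructed for this example; a real audit would load a breached-password corpus in their place.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of common base words; a real audit would load a
# breached-password corpus here instead (assumption for this example).
COMMON_BASE_WORDS = {"password", "welcome", "summer", "admin", "letmein", "qwerty"}

# Letter substitutions that every cracking wordlist already applies, so they
# add no real strength to a password.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def meets_complexity_policy(pw: str, min_len: int = 8) -> bool:
    """The naive policy: minimum length plus three of four character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    present = sum(1 for pattern in classes if re.search(pattern, pw))
    return len(pw) >= min_len and present >= 3


def weak_password_reason(pw: str) -> Optional[str]:
    """Explain why a policy-compliant password is still guessable, or None."""
    # Drop the digits/symbols bolted onto either end to satisfy the policy.
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw)
    normalized = core.lower().translate(LEET_MAP)
    if not normalized:
        return "contains no letters at all"
    if normalized in COMMON_BASE_WORDS:
        return f"common word '{normalized}' padded with digits/symbols"
    if len(set(normalized)) <= 2:
        return "built from one or two repeated characters"
    return None


def audit_passwords(candidates: List[str]) -> List[Tuple[str, str]]:
    """Return (password, reason) for entries that pass policy but are weak."""
    findings = []
    for pw in candidates:
        reason = weak_password_reason(pw)
        if meets_complexity_policy(pw) and reason:
            findings.append((pw, reason))
    return findings


if __name__ == "__main__":
    # Constructed sample of passwords such as a policy audit might review.
    sample = ["Password#1", "P@ssw0rd!", "Summer2024!", "Velvet-Otter-Compass-91"]
    for pw, reason in audit_passwords(sample):
        print(f"{pw}: passes policy but is weak ({reason})")
```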
2: It can help your security staff improve their skills and knowledge.
Can your tools and team members detect the things you think they should? Confirm it. It’s impossible for your team to detect and analyze everything. Is your detection capability, including the sensors, signatures, and personnel, tuned to spot the most severe threats to your network and data assets? A penetration test will aim to exploit a variety of vulnerabilities. If the penetration team is successful, their report will provide details of how they accomplished the exploits, giving your defensive team critical data to tune their detection tools to spot the attack in the future.
3: The pentest report can be used as a security support tool in and of itself.
You can also use penetration testing results to make the case for more budget and more staff or training. It might just be what’s needed to tip the scale and get things changed for the better.
A pentest can help you prioritize your IT budget based on facts, not guesses. The pentesting team can spend time focusing on the segments of your network that are of specific concern for you and provide detailed remediation plans to help justify the resourcing you need to protect your strategic assets.
Recommended Next Steps
Depending on your role within an organization, here are some action items you can take:
Business or agency leader in charge of IT or IT security (C-Suite): Determine what you want to get out of a pentest. What are your biggest areas of concern? Find a pentesting team with good recommendations and work with your IT security manager to interview them and get a test scheduled. Sooner is better than later because you can never know too much about your security stance. Don’t let a security breach surprise you. Get out in front of it now.
IT or IT Security Manager: Get some recommendations for reputable penetration test providers from colleagues or friends in the industry. Find the provider that is the right fit and get one scheduled. If you’re in a public safety agency, for example, ask the provider for examples of previous engagements that demonstrate their expertise in mission-critical systems and public safety. Do this before your next budget meeting or purchase order. Find your gaps and needs, and then spend the money wisely. Use the report to request more budget and staff.
IT or IT Security Professional: Talk to your IT security manager and discuss what you’ve learned about penetration tests. Suggest getting one scheduled for your network. Once you’ve got the results, study them to learn what the pentesters found so you can become more educated about your overall network. Good ideas come from every level.
The bottom line is that when it comes to network security, you need to know where you really stand, and pentests can get you there. If you believe in doing everything within reason to ensure that customer and organizational data (intellectual property, mission-critical systems and processes) are secure, getting a penetration test is an easy decision.
Given how many organizations have moved to a work-from-home policy and have a geographically distributed workforce, consider working with a service provider like Motorola Solutions that can conduct pentests and vulnerability assessments remotely so that you don’t have to have someone physically in your office.