A penetration test is a legal attempt at gaining access to a protected computer system with the intention of identifying potential security loopholes in that system. This “penetration” is often carried out by a third party at the request of the owner of the system or network. In the event of a successful penetration, the flaw is classified as a low, medium or high threat to the organization. A penetration test is concluded by drafting a report on the security position of the system in regard to the tests performed and developing plans of action for flaws uncovered.
There are two basic types of penetration test: black box and white box testing. In black box testing, the third-party tester is NOT provided with any information about the system or network to be tested. It is the most preferred method because it tells you how an outside hacker would see the system and go about breaking into it. In white box testing, testers are given most of the information they need, including source code, IP addresses and network diagrams. Using this information, they are then required to identify any weaknesses in the system.
Benefits of penetration testing
Compliance with industry standards
When you carry out penetration tests, you’ll be complying with industry requirements. ISO 27001 demands that all organizations conduct regular penetration tests and reviews on all their systems. These tests are to be performed by competent testers.
Contributes to continuity
Business continuity often suffers the most in case of a security breach, sometimes setting companies back by several years. And yes, insecure systems are very prone to breaches. You don’t want to suffer server unavailability at the hands of an attacker! It could cost the company tens to hundreds of thousands of dollars.
Reducing client-end attacks
Attackers are increasingly finding it easier to break into organizational systems from the client side, especially via the web and services such as online forms. Companies should therefore start thinking about ways of protecting their systems from the client end inwards. When you know which attacks to expect, you know what signs to look out for and are in a position to update your applications appropriately.
Establishing where the company stands in terms of security
Just as the old adage goes, a chain is only as strong as its weakest link. Until you know how attackers see your system, you can’t tell when they are going to strike. A penetration test will present you with an overview of your security system. You’ll get to know the effectiveness of any security measures you may already have in place.
Guard the reputation of your company
As soon as your security goes out of the door, your reputation will always follow. The people you work with can only trust you when you are worth the trust. Surely when hackers are hitting your system left, right and center, you won’t expect even your most loyal partners to show similar levels of support. By performing regular penetration tests, you’ll be boosting their confidence in your products and services.
There is no doubt that penetration tests are very important where information security is paramount.
You will have to decide whether or not to hire a third-party penetration tester. The cost of a penetration test varies greatly depending on the complexity and size of the system. Most testers charge an hourly fee, which varies with expertise and experience. You should expect to pay anything upwards of $2,000.