Penetration testing, or ethical hacking as it is sometime referred to, has been around since the 1960’s. In 1971 The US Air Force adopted penetration testing to evaluate the security of their time-shared computer systems. Then, in the 1980’s the US Navy began ethical hacking tests to determine how easily terrorists could access their naval bases. Soon after, the government started investigating illegal hacking incidents and the rest is history.
Fast forward to today and ethical hacking has become a main tactic of companies wanting to ensure their networks and infrastructure are resilient. For most, performing a penetration test is validation of what their IT team is doing right, and what they could be doing better. Done properly and with the right team, a penetration test can pinpoint the obvious and not so obvious weakness within your network and computing infrastructure, saving you the embarrassment of a hacker pointing things out.
A proper penetration test will hit from all angles the same way a determined group of bad acters will. It may include the testing of internal and external, web application, source code, wireless, cloud, mobile, and an element of social engineering, such as phishing, or physical security tests.
The report a penetration test produces should be comprehensive and include all elements of the attack, from reconnaissance to remediation. If proper remediation is followed, your network infrastructure will be hardened and out of the sights of a bad actor.
In simple terms, penetration testing is likened to hiring a professional thief to break into your home to learn how he did it, and what he would recommend that would prevent him from getting in.
Seems like valuable intel, but why are companies not having penetration testing performed on their network infrastructure?
Here are some of the reasons companies do not consider penetration testing.
It’s a point in time test.
That is correct, probably the most important point of time test you will ever conduct. A yearly health checkup at your doctor is a point in time checkup. If your doctor detects an oncoming illness, or a serious health problem and prescribes treatment or medicine, you will likely feel fortunate and more conscience of your health knowing that you dodged a bullet. The same thing applies to a penetration test. It is the validation of what is right or wrong with your security.
It’s too expensive.
We find this one very contradictory, because many of the companies that say this are also spending a ton on other security software, hardware, or monitoring. Altogether, a penetration test would be a fraction of what the company paid for all the security goodies they blew their IT budget on.
A side benefit to penetration testing is that you will understand if the security measures you paid for are working the way the manufacturer had you believe. Spoiler alert - they are not.
We have nothing of value for a hacker.
This mistake is all too common. These days it’s not always about what you have, it is about what you don’t have. In the event of a ransomware attack that locks up your entire company’s computing infrastructure, you will be without the ability to operate your company, leaving you to battle with paying the ransom or not. We guarantee you that the ransom you will pay will far outweigh the cost of a penetration test.
Our IT Guy does our own penetration testing.
While this may seem like a logical move, for many reasons, it is not!
IT security is a highly skilled and demanding area of IT. It requires skill and experience and should be performed by a certified individual that holds different certifications. A penetration test is almost always performed as a team. This is because there are many different technologies that need to be tested by individuals that possess the knowledge and expertise to validate that technology. In 24 years of running security companies, I have not met one person that is disciplined in all the areas of penetration testing. They are usually skilled at a handful of tasks, but not in all. Having a team that is diversified is imperative to a complete penetration test.
IT personnel that perform their own penetration tests can also be biased. They may know where their perceived weaknesses are and leave that area out of the test, or purposefully overlook or skip another area. It’s the same as scoring your own report card; There will be unfair prejudice. The IT guy is likely not going to want the boss to know how bad things really are and mask the results of a test.
In some cases, we run into companies that have a very territorial IT manager. By territorial I mean he or she wants nothing to do with a penetration test. They feel that they have things in order and are secure because they “know their weaknesses”, or they know about their issues and don’t need some company to tell them what they already know… think about that one for a moment. They already know there are issues, yet they are doing nothing to fix them. Imagine what else a penetration test might find in this situation?
The point of this article is to encourage those that may have put the idea of penetrating testing aside. When your network is hardened it is unlikely that you will become the target of a bad actor. Hackers expect security hardware and software controls to be in place, what they also suspect is that those controls have not been tested. They know they will likely be able to bypass them due to a configuration oversight, or a bold claim by a security vendor that their product protects or detects against everything, when in fact they do not.
Getting a quote for a penetration test is easier than you think. Our process are comprehensive, thorough, and when delivered, you will know exactly what it will take in terms of time, effort, and cost. There is no obligation and no cost for scoping, only a small amount of time.
We encourage you to book an appointment to kickstart the most important validation of your security you will ever have performed.