
Why You Still Need Pen Testing in 2019

In Penetration Testing by Wayne Muranaka

Why do you still need pen testing in 2019? Quite simply, because you need a secure network – and your network is a moving target. A penetration test can give you a snapshot of your overall security posture, along with a reality check. It can help you keep your guard up and challenge your assumptions. The bottom line? Your organization’s brand reputation and customer confidence are worth the investment. 

If you’ve never had a pen test, the first step is getting to a baseline view of your security as soon as possible. If you’ve already had one, your next one should be scheduled for a year later, or sooner if you’ve had significant changes or additions to your network.   

Three Ways a Pen Test Can Help

With all the new security technology available today, you might be wondering why you should spend money, time, and energy on a pen test. Here are three ways a pen test can help:

First: It can shine a light on the various attack paths into your network. Because you still don’t know what you don’t know, blind spots and assumptions about your overall security must be checked and confirmed. 

  • The system, setting, or configuration that was supposed to be patched, removed, adjusted, or reconfigured sometimes isn’t. Get it checked out.
  • “Password#1” meets all password length and complexity requirements but is extremely easy to crack. Do you know if your users have passwords like it? Find out. 
  • Are your legacy or unsupported systems vulnerable? Get them looked at.
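As an added illustration (not from the original post), the following Python check shows how a password like the one above satisfies a typical length-and-complexity policy yet reduces to a dictionary word once the mangling rules every cracking tool applies (case, leet substitutions, appended digits and symbols) are undone. The base-word list and substitution table are constructed for this example; a real audit would use a full wordlist.

```python
import re

# Constructed sample of base words any common cracking wordlist contains.
COMMON_BASES = {"password", "welcome", "summer", "company", "letmein", "qwerty"}

# Substitutions that cracking rule sets routinely reverse (constructed, not exhaustive).
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a"})


def meets_complexity_policy(pw: str, min_len: int = 8) -> bool:
    """Typical corporate policy: minimum length plus three of four character classes."""
    classes = [
        bool(re.search(r"[a-z]", pw)),
        bool(re.search(r"[A-Z]", pw)),
        bool(re.search(r"\d", pw)),
        bool(re.search(r"[^A-Za-z0-9]", pw)),
    ]
    return len(pw) >= min_len and sum(classes) >= 3


def normalize(pw: str) -> str:
    """Reverse the usual mangling: lowercase, strip appended/prepended digits and
    symbols such as '#1' or '2019!', then undo leet-speak substitutions."""
    base = pw.lower()
    base = re.sub(r"[^a-z]+$", "", base)   # trailing "#1", "123", "2019!"
    base = re.sub(r"^[^a-z]+", "", base)   # leading "!" or similar
    return base.translate(LEET_MAP)


def is_guessable(pw: str) -> bool:
    """True when the password collapses to a common base word, i.e. a rule-based
    dictionary attack would recover it quickly regardless of policy compliance."""
    return normalize(pw) in COMMON_BASES


def audit(pw: str) -> dict:
    """Report both views side by side: what the policy says vs. what a cracker sees."""
    return {
        "password": pw,
        "meets_policy": meets_complexity_policy(pw),
        "guessable": is_guessable(pw),
    }


if __name__ == "__main__":
    for candidate in ["Password#1", "Summer2019!", "P@$$w0rd", "correct-horse-battery-staple"]:
        print(audit(candidate))
```

Running the block shows "Password#1" reported as policy-compliant and guessable at the same time, which is exactly the gap a pen test's password audit exposes.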

Second: It can help your security staff improve their skills and knowledge.

  • Can your tools and team members detect the things you think they should? Confirm it.
  • Tools are only as good as the signatures. Discover the gaps. 

Third: The pen test report can be used as a security support tool in and of itself.

  • Leverage the report to make the case for more budget and more staff or training. It might just be what’s needed to tip the scale and get things changed for the better. Use it.
  • Prioritize your IT budget based on risks that are based on facts, not guesses.
  • The pen tester can ‘aim’ the narrative of the report to help you get what you need for better network security. They can emphasize areas that you’re trying to change.

Pen Test: A Short Primer

Here is a short primer for those of you interested in pen tests for your organization.  

  • A pen test is about finding viable attack paths into your network to gain access to high value assets (for example, customer data or company secrets). A pen tester (or “white hat”) tries to exploit weaknesses to chain steps together into this attack path. It’s about finding the various ways to access and steal the “crown jewels.” 
  • A pen test is not a vulnerability assessment (VA). The terms are often used interchangeably, but they are not the same. A pen test is not about finding every vulnerability on each system, as a VA is.
  • A pen test is not an audit. Unless your industry requires periodic pen tests to fill a square, a pen test does not check the compliance box.  

There are three types of pen tests:

  1. Black box – emulates the attacker where testers have almost no knowledge about your network before starting.
  2. White (or clear) box – testers know a lot about your network and key targets before they start. This helps with time restrictions.
  3. Hybrid or black to white – testers start with little knowledge and request more as the pen test progresses. This also emulates a bad actor but helps with the limited time frame of the test.  

Generally, hybrid or white box pen tests are recommended since time is usually a factor. Both can get the testers what they need to complete their work in a reasonable amount of time.  

It’s also important to understand that external, internal, and wireless are the basic viewpoints of a pen test. External pen tests look at your network from the Internet or outside. Internal pen tests simulate what an insider or potential attacker can see and do on your network. Wireless pen tests give you a different external or internal view of your network. Ideally, you’ll want to get all three if you can. Each shows a different view into your network security.  

Recommended Next Steps

If you’re a…

  • Company leader in charge of IT or IT security (C-Suite): Talk to your colleagues about pen tests and their experiences. Find a pen testing team with good recommendations and work with your IT security manager to get one scheduled. Sooner is better than later because you can never know too much about your security stance. Don’t let a security breach blindside you. Get out in front of it now.
  • IT or IT Security Manager: Get some recommendations for reputable penetration test providers from colleagues, find the right fit, and get one scheduled. Do this before your next budget meeting/purchase order. Find your gaps and needs and then spend the money wisely. Use the report to get more budget and staff.
  • IT or IT Security Professional: Talk to your IT security manager and discuss what you’ve learned about penetration tests. See about getting one scheduled for your network. Good ideas come from every level.

Summary

The bottom line is that when it comes to network security, you need to know where you really stand, and pen tests can get you there. If you believe in doing everything within reason to ensure that customer data and your competitive edge (intellectual property, key systems and processes) are secure, getting a penetration test is an easy decision.

Does your organization need a pen test? Delta Risk can help.