Why do you still need pen testing in 2020? The answer is simple: because you need a secure network – and your network is a moving target. A penetration test can give you a snapshot of your overall security posture, along with a reality check. It can help you keep your guard up and challenge your assumptions. The bottom line? Your organization’s brand reputation and customer confidence are worth the investment.
In this blog, I’ll talk about what a pen test is and tell you about the different types. I’ll also discuss three ways a pen test can help you in 2020.
What is a Pen Test?
A pen test is conducted to find viable attack paths into your network to get access to high value assets (for example, customer data or company secrets). A pen tester (or “white hat”) tries to exploit weaknesses to chain steps together into this attack path. It’s about finding the various ways to access and steal the “crown jewels.” A pen test can find holes in your perimeter security and firewalls before they’re exploited, or identify problems with remote access tools.
If you’ve never had a pen test, the first step is getting to a baseline view of your security as soon as possible. If you’ve already had one, your next one should be scheduled for a year later, or sooner if you’ve had significant changes or additions to your network.
Pen tests are often confused with vulnerability assessments and audits. The terms are often used interchangeably, but they are not the same. A pen test is not about finding every vulnerability on each system, like a vulnerability assessment. A pen test is also not an audit. Unless your industry requires periodic pen tests to fill a square, a pen test does not check the compliance box.
Three Types of Pen Tests
There are three types of pen tests:
- Black box,
- White (or clear) box, and
- Hybrid, or black to white.
A black box pen test emulates what an actual attacker would do. Testers start with as little information about your network as possible. White (or clear) box testers know a lot about your network and key targets before they start, which helps them conduct a test faster. Hybrid or black to white testers start with little knowledge but request more as the pen test progresses. This also emulates what a threat actor would try but keeps the test to a limited time frame.
Most companies opt for hybrid or white box pen tests since time is usually a factor. Both can get the testers what they need to complete their work in a reasonable amount of time.
It’s also important to understand that external, internal, and wireless are the basic viewpoints of a pen test. External pen tests look at your network from the Internet or outside of what’s historically within corporate network confines. Internal pen tests simulate what an insider or potential attacker can see and do on your network. Wireless pen tests give you a different external or internal view of your network. Ideally, you’ll want to get all three if you can. Each shows a different view into your network security.
Three Ways a Pen Test Can Help You in 2020
With all the new security technology available today, you might be wondering why you should spend money, time, and energy on a pen test. The short answer is that you still don’t know what you don’t know, so blind spots and assumptions about your overall security must be checked and confirmed.
Here are three ways a pen test can help:
1. It can shine a light on the various attack paths into your network.
- The system/setting/configuration that was supposed to be patched, removed, adjusted, or reconfigured sometimes isn’t. Get it checked out.
- “Password#1” meets all your corporate password length and complexity requirements – but is extremely easy to crack. Do you know if your users have passwords like it? Find out.
- Are your legacy or unsupported systems vulnerable? Get them looked at.
2. It can help your security staff improve their skills and knowledge.
- Can your tools and team members detect the things you think they should? Confirm it.
- Tools are only as good as the signatures. Discover the gaps.
3. The pen test report can be used as a security support tool in and of itself.
- Leverage the report to make the case for more budget and more staff or training. It might just be what’s needed to tip the scale and get things changed for the better. Use it.
- Prioritize your IT budget based on risks that are based on facts, not guesses.
- The pen tester can ‘aim’ the narrative of the report to help you get what you need for better network security. They can emphasize areas that you’re trying to change.
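The “Password#1” point under item 1, shown as an added example (not code from the original post): a Python screen that applies a complexity rule first and then checks whether the password reduces to a common base word. The 8-character, four-class rule, the COMMON_BASES list, and the sample passwords are assumptions constructed for illustration.

```python
import re

# Constructed sample of common base words (assumption); a real deployment
# would load a maintained blocklist instead of this short set.
COMMON_BASES = {"password", "welcome", "summer", "winter", "qwerty", "letmein"}

# Simple character substitutions undone before the base-word lookup.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e",
                      "1": "i", "!": "i", "$": "s", "5": "s", "7": "t"})


def meets_complexity(pw, min_len=8):
    """Assumed corporate rule: minimum length plus all four character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= min_len and all(re.search(c, pw) for c in classes)


def base_word(pw):
    """Strip leading/trailing digits and symbols, lowercase, undo substitutions."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    return core.lower().translate(LEET)


def screen(pw):
    """Classify a candidate password at the moment the user sets it."""
    if not meets_complexity(pw):
        return "rejected: fails complexity rule"
    if base_word(pw) in COMMON_BASES:
        return "rejected: compliant but built on a common word"
    return "accepted"


# Constructed sample candidates, not real credentials.
SAMPLES = ["Password#1", "P@ssw0rd2020!", "Summer2020!", "password",
           "Tr7-kelp!Voyage.93"]

if __name__ == "__main__":
    for candidate in SAMPLES:
        print(f"{candidate:20} {screen(candidate)}")
```

A check like this belongs at password-set time, when the plaintext is available to compare against the blocklist.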
Recommended Next Steps
Here are next steps, depending on your role:
- Company leader in charge of IT or IT security (C-Suite): Talk to your colleagues about pen tests and their experiences with them. Find a pen testing team with good recommendations and work with your IT security manager to get one scheduled. Sooner is better than later because you can never know too much about your security stance. Don’t let a security breach blindside you. Get out in front of it now.
- IT or IT Security Manager: Get some recommendations for reputable penetration test providers from colleagues, find the right fit, and get one scheduled. Do this before your next budget meeting/purchase order. Find your gaps and needs and then spend the money wisely. Use the report to get more budget and staff.
- IT or IT Security Professional: Talk to your IT security manager and discuss what you’ve learned about penetration tests. See about getting one scheduled for your network. Good ideas come from every level.
Summary
The bottom line is that when it comes to network security, you need to know where you really stand, and pen tests can get you there. If you believe in doing everything within reason to ensure that customer data and your competitive edge (intellectual property, key systems, and processes) are secure, getting a penetration test is an easy decision.
Given how many organizations have moved to a work-from-home policy and distributed workforce, consider a vendor that can conduct pen tests and vulnerability assessments remotely so that you don’t have to have someone physically in your office.