An increasingly important cyber security assessment – Penetration testing
A form of ethical hacking, a pen test attempts to identify and safely exploit vulnerabilities in networks and applications. In a world of highly sophisticated cybercriminals, pen testing is an invaluable tool to help keep businesses secure.
If you are new to penetration testing and considering having it carried out for the first time, the situation can be daunting. It is natural to have concerns – after all, you are effectively asking a third party to compromise your IT systems.
The benefits of pen testing, however, are numerous and will go a long way to alleviate any concerns you may have.
Here are the main benefits of a penetration test, as outlined by UK experts, Redscan:
- Fixing vulnerabilities before they are exploited by cybercriminals
- Providing independent assurance of security controls
- Improving awareness and understanding of cybersecurity risks
- Supporting PCI DSS, ISO 27001 and GDPR compliance
- Demonstrating a continuous commitment to security
- Supplying the insight needed to prioritise future investments
Five things to expect from a pen test
Here are five things that you should expect to receive from a professional cybersecurity company before, during and after a penetration test is performed.
- A clear assessment scope
The cybersecurity specialists commissioned to perform your pen test will help you to choose the best type of assessment for your needs and budget.
There are many different types of pen test; it is important, then, that you receive and agree a clear statement of works outlining what is being tested, the assessment duration, and whether it will be conducted inside or outside business hours.
There should also be paperwork to cover all relevant legalities, as well as the testing methodology. For example, to save time you may prefer a white box test (where credentials are shared with the tester in advance) over a black box test (where the tester attempts to access your system without credentials).
- Testing conducted by people – not just software
The use of software is important during a penetration test – but the testing should not be exclusively machine driven. A true penetration test should always include manual human testing; this is the only way to detect new vulnerabilities. By its very nature, automated scanning software can only recognise the issues it has been built to look for, whereas a human tester will be capable of thinking outside of the box.
At this point, it should also be noted that all penetration testers are different. There can be no guarantee that a penetration tester will discover every exposure, which is why it is advisable to perform regular testing using a number of consultants.
- Regular communication throughout the process
You should expect a professional penetration tester to provide help and support throughout the assessment. This starts with clearly outlining the scope and aims of the engagement and continues through to providing a summary report at the end. You need to be confident in the penetration testing that is being carried out, so if you have any concerns or issues, you should feel able to contact the testing team at any time.
- Quality remediation advice
There is no point in having a penetration test carried out if your chosen provider is not going to offer the support you need to address any vulnerabilities discovered. The mark of a good penetration testing company is not only that it has an extensive knowledge of how to identify and exploit vulnerabilities, but that it can also suggest ways to remediate and mitigate the resulting risks.
Good penetration testers will also often perform re-testing to ensure that any remediation work carried out is effective.
- A full written report
Upon completion of a pen test, you should expect to receive a final written report. The report should be suitable for both technical and non-technical stakeholders and help them to understand any vulnerabilities discovered as well as the associated level of risk.
The report should also contain, where appropriate, short and long-term recommendations for improving your organisation’s overall level of cybersecurity.
Dakota Murphey
Freelance technical writer