Penetration Testing… What is it, and Why so Important?
Penetration testing is an essential part of verifying that your organization’s security controls actually work. It involves an authorized third party playing the role of a threat actor and attempting to gain access to privileged or sensitive information and systems. It is executed from either
- an external view, where the attacker has no access to your internal network, which mostly represents what the Internet can see
- or an internal view, where the attacker has access to your internal network, which simulates a rogue employee, visitor, or a plain attacker who gains internal access to your network.
Both external and internal testing are essential to ensuring that threats from the inside and outside are kept to a minimum.
We believe that most organizations should start with an external test, because your Internet-facing attack surface has far more “eyes” looking at it. That’s not to say one is more important than the other, but if you are just starting your information security “adventure”, an external test is definitely the place to start.
What’s Typically Involved in External Penetration Testing?
A well-rounded external penetration test, like the ones that we perform, should include the following:
- Port/Service Scanning
Scanning ports lets the penetration tester see which services are exposed and reachable from the Internet, and therefore which attack vectors are open. It also lets the threat actor map the layout of your organization’s externally facing infrastructure.
- Metadata/Information Reconnaissance
Checking your organization’s external-facing sites, documents, and repositories gives the threat actor any easily obtainable information (document metadata, usernames, internal hostnames, and the like) that may help in the “attack”.
- Social Engineering
We believe one of the biggest threats to your company is your staff. If an “attacker” is able to get passwords and other data from your employees, then your security controls, patches, and mitigations are severely undermined.
- Open Source Intelligence (OSINT)
OSINT tools can be used for information reconnaissance on public avenues such as an organization’s web site, social media, and similar sources. Many OSINT tools are free and easy to access, and they can be used for good or bad.
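The port/service scanning item above is only useful to the defender once the results are compared against what the organization has consciously decided to expose. The following is an added example, not code from the original post or from the firm that wrote it: it parses scan results in a format modelled on nmap’s grepable (-oG) “Ports:” lines and flags open services that are not in an approved-exposure baseline, hosts that are not in the baseline at all, and approved exposures that were not observed (a stale baseline or a host that was down during the scan). The scan lines, the baseline, the RFC 5737 addresses and the high-risk port list are all constructed for the example.

```python
"""Compare external port-scan results against an approved-exposure baseline.

Added example (not from the original post). Input is modelled on nmap -oG
"Ports:" lines; the sample below is constructed, and every address is a
placeholder from the RFC 5737 documentation range.
"""
import re
from dataclasses import dataclass

# Constructed sample scan: three hosts, one with an unexpected RDP listener
# and one that nobody has put in the baseline.
SAMPLE_SCAN = """\
# Constructed sample, modelled on nmap -oG output
Host: 192.0.2.10 (www.example.test)\tPorts: 80/open/tcp//http//nginx/, 443/open/tcp//https//nginx/, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 192.0.2.11 (mail.example.test)\tPorts: 25/open/tcp//smtp//Postfix/, 587/open/tcp//submission//Postfix/\tIgnored State: filtered (998)
Host: 192.0.2.12 ()\tPorts: 22/open/tcp//ssh//OpenSSH/\tIgnored State: closed (999)
"""

# Hypothetical approved-exposure baseline: host -> {(port, proto), ...}
# that the organisation has deliberately decided to expose to the Internet.
APPROVED_EXPOSURE = {
    "192.0.2.10": {(80, "tcp"), (443, "tcp")},
    "192.0.2.11": {(25, "tcp"), (587, "tcp")},
}

# Services that are rarely acceptable on an Internet-facing host (constructed list).
HIGH_RISK_WHEN_EXPOSED = {23, 445, 1433, 3306, 3389, 5900}

HOST_RE = re.compile(r"Host: (\S+) \(([^)]*)\)")
# nmap -oG port entry: port/state/proto/owner/service/rpc_info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


@dataclass
class Finding:
    host: str
    port: int
    proto: str
    service: str
    reason: str       # "unexpected_port" or "unknown_host"
    high_risk: bool


def parse_grepable(text):
    """Return {host: [(port, proto, service, version), ...]} for open ports only."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comments and non-Host lines
        host = m.group(1)
        fields = line.split("\t")
        ports_field = next((f for f in fields if f.startswith("Ports: ")), None)
        if ports_field is None:
            continue  # a "Status: Up" line carries no port data
        entries = hosts.setdefault(host, [])
        for pm in PORT_RE.finditer(ports_field[len("Ports: "):]):
            port, state, proto, _owner, service, _rpc, version = pm.groups()
            if state == "open":
                entries.append((int(port), proto, service, version))
    return hosts


def compare_to_baseline(scan, baseline):
    """Return (findings, missing): exposures not approved, and approved exposures not seen."""
    findings = []
    for host, entries in scan.items():
        approved = baseline.get(host)
        for port, proto, service, _version in entries:
            if approved is None:
                reason = "unknown_host"
            elif (port, proto) not in approved:
                reason = "unexpected_port"
            else:
                continue  # approved exposure, nothing to report
            findings.append(Finding(host, port, proto, service, reason,
                                    port in HIGH_RISK_WHEN_EXPOSED))
    missing = []
    for host, approved in baseline.items():
        seen = {(p, pr) for p, pr, _, _ in scan.get(host, [])}
        for port, proto in sorted(approved - seen):
            missing.append((host, port, proto))
    return findings, missing


def audit_sample():
    """Run the comparison over the constructed sample and baseline."""
    return compare_to_baseline(parse_grepable(SAMPLE_SCAN), APPROVED_EXPOSURE)


if __name__ == "__main__":
    findings, missing = audit_sample()
    for f in findings:
        flag = " [HIGH RISK]" if f.high_risk else ""
        print(f"{f.reason}: {f.host}:{f.port}/{f.proto} ({f.service}){flag}")
    for host, port, proto in missing:
        print(f"approved but not observed: {host}:{port}/{proto}")
```

Each finding is a question for the asset owner rather than a verdict: an unexpected port is either a change that never reached the baseline or something that should not be there, and the high-risk flag simply orders the follow-up. Keeping the baseline under version control alongside the scan schedule is what turns a one-off test into the recurring process the rest of this post argues for.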
How Often Should I Conduct an External Penetration Test?
Another issue to consider is how often a penetration test should be performed. The real answer depends on several factors, such as organization size and budget.
If you are a small or medium business (1-50 employees, fewer than 6 public-facing IP addresses), then at least annually is recommended, and it is usually required if you’re attempting to meet a compliance standard in any capacity. Depending on your budget, we recommend at least semiannually, if not quarterly, for best results.
If you are a large organization (50+ employees, 6+ public-facing IP addresses), then we highly recommend at least semiannually, if not quarterly, for best results.
These days, recurring penetration testing is a must-have for businesses holding sensitive data (employee data, customer data, financial transactions, business operational data), in other words, most businesses.
If you do not have a current plan in place, reach out for help. We offer a free cybersecurity health check that can walk you through best practice areas for protecting your business. We’ve helped businesses improve their IT landscape and stay safe from attacks, and have decades of experience delivering cost-effective solutions that produce immediate and lasting results.
Contact us to learn how you can easily start protecting your business today.