What is Penetration Testing? A Layman’s Guide

By Jacob Haug

Penetration testing is an authorized attack against an IT system that attempts to find and exploit vulnerabilities and gain access to restricted functionality or information. Colloquially, these are often called “pen tests,” and they’re an essential part of performing an overall IT risk evaluation. While much of risk evaluation is theoretical, penetration testing involves a real, human expert designing and executing attacks against your system.

The results of a penetration test can show weaknesses in your applications, IT security, hardware, or even people. They point out vulnerabilities, outline how the attacker exploited the vulnerability, and tell what access or data breach resulted. Good penetration test providers will also offer recommendations for how to address the weaknesses they find.

Finding Vulnerabilities

The first task in a penetration test is finding security weaknesses. Depending on the scope and type of penetration testing, this begins with discovery of the network architecture. The tester will use various tools to gain an idea of how your system works: hardware, software, networks, access points, and people with admin privileges. With a penetration test, vulnerabilities can come from anywhere. Operating system loopholes, software weaknesses, unsecured Wi-Fi networks, email phishing, and mobile devices are all potential targets.

The tester will push each of these attack vectors as far as possible to discover weaknesses. Often, a single attack vector doesn’t grant immediate access. However, a combination of information gained from multiple attack vectors could end up compromising the entire system.

Of course, not every penetration test is this extensive. It can get expensive to have a skilled team conduct a comprehensive test like this every time you make an update. For that reason, we’ll often set limits on the scope of a test to see how far an attacker could get with email phishing alone, for instance. That said, it’s worth conducting periodic full-scale penetration tests, and you should think of them as a security investment.

Not Just Finding, But Exploiting

When a tester finds a vulnerability, they don’t stop there. Penetration testers also carry out the exploit to see how far they can go and what access they can gain. This is valuable because the results of a penetration test are not theoretical. They’re real exploits with concrete results.

It’s important to remember that a penetration test is a full-scale attack from a real human expert, trying to gain access by any means. That human attacker also has access to powerful tools that automate the process of network and access point discovery. A penetration test simulates a real attack and it provides valuable insight along the way about the potential impacts an attack could have on your organization.

The Value of a Penetration Test

A penetration test helps you discover the ways in which an attacker might try to compromise your IT system. It can point out single points of weakness, but also higher-severity vulnerabilities that result from a combination of lower-severity weaknesses exploited in concert.

Since real humans conduct penetration testing, they may find vulnerabilities that automated network or application vulnerability scanning software misses. A penetration test will also test the ability of any network defenders you have in place to mitigate and contain an attack.

Penetration tests are also a key part of regulatory compliance for many industries. As such, they can seem like a chore on your to-do list rather than a valuable investment. There are cheap options for penetration testing that can get you a report on your desk saying you checked off the box and are compliant. However, the value of a good penetration test is personalized knowledge of your vulnerabilities. An expert can provide this in greater depth, and the testing will also be safer (it won’t break anything). In addition, the best testers will provide recommendations for how to mitigate the risks they’ve exposed.

Full Risk Assessment

A penetration test is a critical part of a full IT risk assessment. It’s important to note that in almost all cases, there is a small level of acceptable risk. Penetration tests help you determine the magnitude of technical risk you currently have.

Risk assessments help determine what’s reasonable to do to mitigate those risks. Sometimes mitigating a small risk would cost a lot of time or resources. In other cases, the risk may be larger than you originally realized and worth a security investment.

In this way, a penetration test is a key component of the broader risk management picture. It informs decisions about risk and security investment, giving custom-tailored advice based on the company’s IT architecture and current security practices.