Penetration tests are here to stay.
Today’s cyberthreat landscape is evolving at an alarming pace, and businesses are increasingly pressured by their stakeholders to protect themselves against threats such as DDoS attacks, the Mirai botnet, phishing and ransomware.
While organizations are constantly flooded with the latest and supposedly greatest tools and technologies, penetration tests remain one of the most popular and critical tools to strengthen your security defenses. There is a large demand for skilled professional penetration testers or so-called ‘ethical hackers’, and more and more security professionals pursue relevant certifications such as Certified Ethical Hacker (C|EH), Licensed Penetration Tester (LPT), Certified Penetration Tester (CPT) or GIAC Penetration Tester (GPEN). In fact, a 2016 research report revealed that the penetration testing market is estimated to triple in size from USD 594.7 million to USD 1,724.3 million between 2016 and 2021.
According to the official definition of the Payment Card Industry Security Standards Council (PCI SSC), the objective of a penetration test is to “identify ways to exploit vulnerabilities to circumvent or defeat the security features of system components”. Penetration tests (or pentests, for short) are simulated attacks in a controlled environment carried out by third-party security specialists who employ the same techniques as attackers located outside your infrastructure. The test will reveal whether your servers or applications resist hostile attacks and whether the identified vulnerabilities can lead to further intrusion and exploitation.
“It’s one thing to run a scan and say ‘you are vulnerable to Heartbleed’ and a completely different thing to exploit the bug and discover the depth of the problem and find out exactly what type of information could be revealed if it was exploited. This is the main difference – the website or service is being penetrated, just like a hacker would do.”
– Tony Martin-Vegue, Senior Manager, Cyber-Crime, CSO Online
Much like a vulnerability assessment, a penetration test reveals whether an organization is potentially vulnerable to cyberattacks and provides recommendations on how to strengthen your security posture.
By scanning operating systems, network devices and application software, a vulnerability assessment identifies known and unknown vulnerabilities in the tested environment and generates a report listing the vulnerabilities found in order of criticality.
However, a penetration test will go one step further than a vulnerability assessment and act upon the vulnerabilities found. It is designed to identify ways to exploit the identified vulnerabilities “in order to prove (or disprove) real-world attack vectors against an organization’s IT assets, data, humans, and/or physical security”.
In other words, a penetration test will help you understand to what extent your organization’s vulnerabilities can potentially be exploited by hackers.
“An investment in knowledge pays the best interest.” – Benjamin Franklin (1706 – 1790)
A well-executed penetration test provides a detailed overview of your organization’s exploitable vulnerabilities and includes actionable recommendations on how you can improve your protection levels in the short, medium and long term. Discovered vulnerabilities are listed in order of a) how easily they can be exploited and b) their impact on the organization if exploited.
By following a so-called “risk-oriented prioritization” approach, information security executives will be able to prioritize these risks based on their criticality, plan their remediation efforts and allocate their security resources accordingly. For example, they may want to prioritize fixing the most critical vulnerabilities with the biggest negative impact on the organization first, and delay working on vulnerabilities that have little impact and are harder to exploit.
If your organization needs to comply with certain industry standards and regulations, a regularly conducted penetration test is your first step towards achieving compliance. Common compliance frameworks include ISO 27001, NIST, FISMA, HIPAA, Sarbanes-Oxley and the Payment Card Industry Data Security Standard (PCI DSS), which requires annual as well as ongoing penetration testing (in case of system changes).
By conducting regular penetration tests of your environment, your organization demonstrates information security due diligence and can avoid hefty fines resulting from non-compliance.
While annual penetration testing is considered best practice, semi-annual or even quarterly testing is preferable, “since an organization could be compliant today and compromised tomorrow, or even worse – compromised yesterday” (TechTarget).
In addition to evaluating previously tested systems and applications on a regular basis to measure improvements, make sure to conduct penetration tests when new software or systems are added, new office locations are built or updates are applied (IT Governance Ltd.).
“[Cybersecurity] is not just the exclusive domain of the CIO and CTO, and is now in the domain of the CEO and the corporate board.” – Tom Ridge, first U.S. Secretary of Homeland Security
Now more than ever, executive management and the board of directors want to be informed about how well protected their organization really is against cyberattacks. According to a 2016 study conducted by the Ponemon Institute, 34% of C-level executives are never updated about security incidents and only 23% are updated on an annual basis – a worrisome development!
While it is obvious that executives won’t have the time to review a penetration test report in its entirety, the executive summary and/or findings overview can provide them with valuable insights about their organization’s security posture in easy-to-understand, non-technical terms.
When searching for a reputable security service provider to perform your penetration tests, make sure to get a preview of their reporting practices to ensure that the final report includes relevant information both for technical personnel as well as executives.
Lastly, penetration testing can provide evidence about the security controls that are in place and hence justify continued or additional investment in security personnel and technology to executive management and investors.
As described above, there are many reasons for conducting regular penetration tests in your environment. Pentests can identify your system’s vulnerabilities, help you prioritize your remediation efforts according to the vulnerabilities’ exploitability and potential impact, facilitate compliance with strict standards and regulations and legitimize security-related spending in front of executive management and the board.
Although regular penetration tests can greatly enhance an organization’s security posture, they are not sufficient on their own and represent merely the first step towards a comprehensive, organization-wide security program.
To protect against data breaches and intrusions, organizations are best advised to bolster their security defenses, e.g. through employee security awareness training, 24/7 network monitoring, cybersecurity posture assessments and thorough incident response plans for when a security incident does occur.