A critical component of a holistic approach to cybersecurity is conducting a penetration test, or pen test, to evaluate vulnerabilities in a computer system, network, or web application that could be exploited by an attacker.
The first question to consider when you conduct a pen test is: what is the goal? Is it to satisfy a compliance mandate, or was there a data breach and you want to ensure all of the gaps are closed? Maybe pen testing is a best-practices regimen conducted regularly in your organization. If your company is installing a new computer system or network, it makes sense to test it to find where any vulnerabilities or weaknesses may exist.
Internal, external, privileged or not…
Types of pen testing vary widely. Depending on your goal, options include internal, external, credentialed or uncredentialed, web application testing, network testing, phishing and social engineering. An external pen test shows you what your network or application looks like to an outsider. An internal test may be used to verify that different data sets are properly segmented from one another.
Whether it is just one or a combination of multiple test types, consider your budget, timelines, in-house skills and expectations. A pen test using an automated tool may be just fine for a non-critical application. For critical infrastructure or sensitive data, a more in-depth analysis may be needed. Employees within the organization may have the skills necessary to conduct testing, or you may need a specialist. Know what you need and budget accordingly.
If you are hiring an external pen tester, ask to see sample reports. Reporting should not only show how the test was done, but provide recommendations for remediation tailored to your organization.
Remember that security isn’t just about technology. A phishing campaign that social-engineers employees, combined with a skilled tester behind the keyboard, will give you the most realistic results: you’ll get a sense of how much risk the human element could contribute to an attack.
Support overall risk management
If you are testing to meet a compliance mandate, this can be a great opportunity to exercise and train your staff. For example, compliance with payment card industry standards requires a penetration test and an annual test of your incident response plan. We teach our clients “when, not if…”, so during the pen test, plan to evaluate the effectiveness of your threat detection tools and conduct a walk-through of your reporting and response processes. This may also be a good time to test your recovery and redundancy capabilities.
Few companies operate with an unlimited security budget, so take advantage of the opportunity to evaluate multiple facets of your risk strategy. Often, all a hacker is looking for is opportunity. A pen test is a way to limit opportunity and gain knowledge, both of which are vital to cyber risk management.
About Heather Engel
As Executive Vice-President at Sera-Brynn, Heather Engel oversees Sera-Brynn’s risk management practice, serving clients across a wide variety of industries including healthcare, government, retail, non-profit, and financial. She has over 16 years of experience in system integration, incident response, disaster recovery, security policy, business continuity planning, crisis communications, and security testing and evaluation. She is a Certified Information System Security Professional, a Payment Card Industry Qualified Security Assessor, and a Fully Qualified Navy Validator. In the past year, she has been a featured or keynote speaker at numerous conferences across the country, a panelist discussing the future of cyber education with Vice President Joe Biden, authored several journal articles, and frequently appears in the media providing commentary on cyber security.