Marriott. T-Mobile. Carnival Corporation. These are just three out of the long list of companies that fell victim to cyber security breaches in 2020 alone. And now, with hackers actively targeting essential services providers, no one is truly safe. What can your organization do to avoid becoming a victim? The answer is simple: penetration testing.
What is penetration testing?
The National Cyber Security Center describes penetration testing as “A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques an adversary might.” A penetration test attempts to exploit any vulnerabilities in your system, and add context to what the risk is to your organization.
There are five different types of penetration tests: white box (the hacker is provided with a small amount of information ahead of time regarding the security target), black box (also known as a blind test, where the hacker isn’t given any information ahead of time), internal (the hacker completes the test from within the organization’s network), external (the “attack” is carried out from a remote location to go up against the company’s external facing technology), and covert (a test where no one in the company knows that it’s happening). The types of tests your organization will need depends on the regulations you’re subject to, and the goals you have for the test.
No matter what type of penetration testing your organization undertakes, below are my top five reasons why you need it sooner rather than later.
1. To test the effectiveness of your security controls
Part of the process of establishing a formal information security program is using an industry recognized framework. The most popular frameworks are NIST 800-53, the NIST CSF, and the CIS Controls. As organizations adopt these controls and frameworks, it’s a good practice to have a penetration test performed to test effectiveness of the implemented controls.
2. To test the effectiveness of your incident response team
A penetration test is a great way for organizations to test their incident response team’s ability to respond quickly and efficiently after a potential cyber emergency. This can be done by performing an unannounced penetration test to simulate an actual cyber incident, or by working with the team in what’s called a Purple Team engagement. Purple Team engagements involve the penetration testers working with the incident response team while walking through an actual attack to determine where improvements can be made.
3. As part of a third-party attestation statement of your security program
In some cases, an organization will need to satisfy the requirements of a client or partner’s vendor management program. In cases like these, the partner or client may request proof that their network and systems are secure. A penetration test can be performed in order to provide that verification in what’s known as a third-party attestation statement.
4. To ensure compliance with regulatory requirements and security frameworks
Companies subject to regulations such as PCI, GLBA HIPAA, and SOX are periodically audited to ensure they’re in compliance. In these situations, a third-party auditing firm will perform a penetration test based on the corresponding regulatory requirements. After the test is complete, a report is provided to the client, which may be requested by the regulatory governing body for review.
5. To discover vulnerabilities in software or web applications that you’ve developed.
Organizations that develop their own software or web applications should be performing penetration tests as part of the development process, and further down the road, too. This is especially true for web applications. Some organizations will have a penetration test performed when the application is first launched, but fail to test after further updates and configuration changes have been made. It’s those subsequent updates and reconfigurations that often lead to a compromise of the application. If you’re using third party code, modules or plug-ins for a web application, you may not be making updates or configurations to your web application, but the providers of those third party solutions may be introducing vulnerabilities in their products that you’re completely unaware of. This is why regular penetration testing is so important for web applications.
Penetration testing is one of the best ways to assess your company’s vulnerability to cyberattacks. By engaging in one of the five types of this crucial testing process, you’re able to protect your company from a potentially debilitating attack. The longer you wait to take this necessary precaution, the longer your system is susceptible. Contact us today to take the next step toward digital security.
About the Author:
Joe Sullivan is a principal consultant at Sparq in Oklahoma City with over 20 years of experience in information security. He helps develop the company’s security consulting services and the teams that provide them. Over his career, Joe has worked in incident response, penetration testing, systems administration, network architecture, forensics, and is a private investigator specializing in computer crime investigations. Joe also teaches information security classes for the SANS Institute.

Five Ways User Feedback Can Transform Your Product Strategy
User feedback is a critical asset that can provide valuable insights into your users' wants and needs. It can also give important observations into your application's overall performance. In this article, Principal Product Strategist Toyia Smith shares five ways to better incorporate user feedback into your product strategy.

Balancing Technical Debt and New Features: A Product Owner’s Guide
The term "technical debt" frequently emerges in discussions about software development, product health and organizational effectiveness. However, its true meaning and the balance organizations must find between managing this debt and new feature innovation can be confusing. In this article, learn how to manage that delicate balance so you can create an exceptional product.

Navigating Digital Product Discovery: A Guide to Avoiding the 5 Common Pitfalls in Custom Product Development
In digital product development, a well-structured discovery phase is critical to a product’s long-term success. However, bringing a digital product from concept to reality can be challenging. In this article, Principal Product Strategist Josh Campbell shares his guide to avoiding five common pitfalls during digital product discovery.

Preparing Your Business for the Realities of AI and Machine Learning: Beyond the Hype
The buzz around artificial intelligence (AI) and machine learning (ML) has almost certainly reached a fever pitch. With benefits including increased efficiency and enhanced customer experiences, many businesses are eager to take advantage of these technologies. In this article by Chief Technology Officer Derek Perry, learn why organizations need a solid foundation to ensure they're ready to harness the benefits of AI and ML, before jumping in headfirst.