Marriott. T-Mobile. Carnival Corporation. These are just three out of the long list of companies that fell victim to cyber security breaches in 2020 alone. And now, with hackers actively targeting essential services providers, no one is truly safe. What can your organization do to avoid becoming a victim? The answer is simple: penetration testing.
What is penetration testing?
The National Cyber Security Center describes penetration testing as “A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques an adversary might.” A penetration test attempts to exploit any vulnerabilities in your system, and add context to what the risk is to your organization.
There are five different types of penetration tests: white box (the hacker is provided with a small amount of information ahead of time regarding the security target), black box (also known as a blind test, where the hacker isn’t given any information ahead of time), internal (the hacker completes the test from within the organization’s network), external (the “attack” is carried out from a remote location to go up against the company’s external facing technology), and covert (a test where no one in the company knows that it’s happening). The types of tests your organization will need depends on the regulations you’re subject to, and the goals you have for the test.
No matter what type of penetration testing your organization undertakes, below are my top five reasons why you need it sooner rather than later.
1. To test the effectiveness of your security controls
Part of the process of establishing a formal information security program is using an industry recognized framework. The most popular frameworks are NIST 800-53, the NIST CSF, and the CIS Controls. As organizations adopt these controls and frameworks, it’s a good practice to have a penetration test performed to test effectiveness of the implemented controls.
2. To test the effectiveness of your incident response team
A penetration test is a great way for organizations to test their incident response team’s ability to respond quickly and efficiently after a potential cyber emergency. This can be done by performing an unannounced penetration test to simulate an actual cyber incident, or by working with the team in what’s called a Purple Team engagement. Purple Team engagements involve the penetration testers working with the incident response team while walking through an actual attack to determine where improvements can be made.
3. As part of a third-party attestation statement of your security program
In some cases, an organization will need to satisfy the requirements of a client or partner’s vendor management program. In cases like these, the partner or client may request proof that their network and systems are secure. A penetration test can be performed in order to provide that verification in what’s known as a third-party attestation statement.
4. To ensure compliance with regulatory requirements and security frameworks
Companies subject to regulations such as PCI, GLBA HIPAA, and SOX are periodically audited to ensure they’re in compliance. In these situations, a third-party auditing firm will perform a penetration test based on the corresponding regulatory requirements. After the test is complete, a report is provided to the client, which may be requested by the regulatory governing body for review.
5. To discover vulnerabilities in software or web applications that you’ve developed.
Organizations that develop their own software or web applications should be performing penetration tests as part of the development process, and further down the road, too. This is especially true for web applications. Some organizations will have a penetration test performed when the application is first launched, but fail to test after further updates and configuration changes have been made. It’s those subsequent updates and reconfigurations that often lead to a compromise of the application. If you’re using third party code, modules or plug-ins for a web application, you may not be making updates or configurations to your web application, but the providers of those third party solutions may be introducing vulnerabilities in their products that you’re completely unaware of. This is why regular penetration testing is so important for web applications.
Penetration testing is one of the best ways to assess your company’s vulnerability to cyberattacks. By engaging in one of the five types of this crucial testing process, you’re able to protect your company from a potentially debilitating attack. The longer you wait to take this necessary precaution, the longer your system is susceptible. Contact us today to take the next step toward digital security.
About the Author:
Joe Sullivan is a principal consultant at Sparq in Oklahoma City with over 20 years of experience in information security. He helps develop the company’s security consulting services and the teams that provide them. Over his career, Joe has worked in incident response, penetration testing, systems administration, network architecture, forensics, and is a private investigator specializing in computer crime investigations. Joe also teaches information security classes for the SANS Institute.
