Penetration Testing 101
Types of Pen Tests:
- Internal Penetration Tests – Identifying how far an attacker can traverse the network once a breach has occurred.
- External Penetration Tests – Attempting to gain access to the internal network by exploiting vulnerabilities found on external assets.
- Mobile Penetration Tests – Focusing on the endpoint devices in realistic scenarios to see what information can be accessed.
Pen testing is a highly valuable, and sometimes mandatory, step in a security program. The goal is to identify weaknesses in your system and produce a risk score at the end of testing, so your team can address security gaps. Most organizations, at a minimum, will take the second approach (External Penetration Testing), as it ensures third-party, unbiased and more credible recommendations. If your organization has the resources, it is strongly recommended to conduct both internal and external penetration tests. It is also recommended to run a test at least once a year.
Pen testing software will probe all devices – searching for high-risk open application access ports, unremediated vulnerabilities, user access risks and outstanding software upgrades. Adding a proper review by a security expert assigns relative risk and priority to each finding, which helps determine the practical approach to resolution.
Examples of value from experts include:
- A dialogue around what applications are currently in use
- Critical technology for business operations
- How to segment the network to reduce risk
The job of security is always to focus on reducing the attack surface; pen testing helps you identify the risks so that you can do this.