Everything You Should Know About Penetration Testing

This sheet is intended as a brief summary for CIOs who need a quick handle on the terminology and methodology used in penetration testing.

What is penetration testing?

In a nutshell, a penetration test is a way of measuring an organisation’s computer network security. It involves gathering information in much the same way as a hacker would, then analysing that information to identify potential security vulnerabilities.

By way of background, in the early 1970s the US Department of Defense first used this type of testing to determine weaknesses in computer systems, in an effort to prevent hackers and other intruders from causing security breaches in its network. These days, with the increasing use of malicious code and threats from illegal hackers, any organisation that conducts e-business or that wants to protect its networks from catastrophic data theft should be looking at internal testing as a way to determine weaknesses and to test compliance with its internal security policy.

Benefits of penetration testing

With a well-documented penetration test result, it is easier to plan increased security measures and minimise future attacks. The benefits from doing this include preventing financial loss through fraud, reassuring clients and shareholders, and satisfying any government regulations which may apply to certain industries. Testing also helps to safeguard information, improve understanding of information security threats, detect systemic vulnerabilities and provide independent assurance on the effectiveness of security controls.

How is a penetration test implemented?

A good penetration test is not simply an automated process that uses generic software. Testing tools need to emulate the actions of a malicious hacker in an effort to reveal possible security weaknesses. This involves manual testing and adherence to strict methodologies that are carefully planned to ensure a tailored approach to the individual business or entity.

Strategies involve external and internal testing of servers, firewalls and domain name servers. Operating systems, networking equipment and software applications are also tested.

Internal testing is important to cater for the possibility of attacks from disgruntled employees or unauthorised visitors to internal databases, and in some instances double-blind testing strategies are required to ensure that internal IT staff are not in a position to compromise a system. This simply means that testing is carried out without staff being aware of the testing team’s activities.

Finally, all results should be carefully tabulated to provide information which is easily understood by the client, along with recommendations that map out appropriate responses to the potential risks that have been exposed.

How regular should testing be?

Any penetration test is only really a snapshot of the current situation, and even if no weaknesses are detected, this is not an indication that the system is completely secure. This limitation means that there should also be protocols in place to cope with security breaches as they occur. The knowledge garnered from a penetration test is only the starting point in the development of adequate security measures.