What is a penetration test?

A what? I hear you say? Yes, you heard it right, today we’re talking about what a penetration test is. Penetration testing, or sometimes referred to as pen testing does not mean that we’re going to be talking about pens and how reliable they are. But we’re going to talk about verifying the safety of your business and associated devices (and employees) within the business.

What’s a penetration test?

A penetration test (or pen test) is a test which is conducted by an ethical security consultant who not only uses the same tools and techniques as the malicious attackers (or hackers), but also looks at the business from a risk perspective.

There are several types of penetration testing, the most popular ones are:

  • External penetration testing
  • Web application penetration testing
  • Internal / network infrastructure penetration testing
  • Mobile application penetration testing
  • Wireless penetration testing

Depending upon the type of test you have, the security consultant may be onsite and will performing the testing using the same tools, the business can identify where they are at risk, whether this is through not changing default credentials, to machines not being patched or by users having weak passwords.

Why do I need one?

When speaking to businesses, especially non-technical ones, such as solicitors, accountants and such, I always hear the statement, but I don’t need one, they will never target me!

Let me ask you, a question, how sure do you feel that all your computers, routers, printers and users are completely safe and secure?  Are you sure that all devices and applications are updated? That your firewall isn’t allowing anyone in?

Penetration testing is not just for technical companies, you should look at a penetration test as part of your risk assessment, having a quarterly or annual test will ensure that any weaknesses are identified and reported to the point of contact allowing you to resolve the issues and reduce the chance of an attack.

Penetration testing can also help reduce the changes of a ransomware attack, as most of the testing will identify if there will be a change of exploitation within the system.

You need to think to yourself, if you suffer a cyberattack in the future, can your business recover from the reputational and potentially financially damaging incident? When was the last time your backups were tested for recovery?

How do I go about getting one?

This blog most isn’t about scare mongering or trying to get you to purchase a test (although, do contact us), but its about raising awareness of ensuring your business is secure and any weaknesses within your business of web application is reduced.

So how do you go about getting a penetration test? The first question you need to ask yourself is, what do you want to get out of it? Do you develop software? If yes, then you may want to get your software tested and the production environment behind it. If you’re a business with no software, you may want to test your network, people and wireless.

Once you’ve decided what you want, find a company, like InfoSec Governance and start discussions, the company will then ask you some questions to help them identify the scope, to see what is going to be tested and allow them to provide you a quotation for the services.

Then, once you have agreed the quote the security consultant will perform the tests of choice and once complete you will receive a findings report detailing everything they have found and, if necessary what needs to be done to resolve the issues.

Most companies will also have a debrief meeting afterwards, so that you can talk through the report and question any findings.

I hope this blog helps you understand the need for testing and if you have any questions please don’t hesitate to get in touch with us either via the website or any of our social media streams.