How Organizations Can Get Maximum Value from Their Penetration Testing Spending

By Esteban Farao, IT Security Consulting Director

The objective of penetration testing is to detect vulnerabilities in IT security before an attacker can exploit them. To perform the tests, certified cybersecurity professionals attempt to circumvent the security features of an information system, using information they (or hackers) can gather about the system design, source code, and other elements of the IT infrastructure.

Penetration testing is a great way to test IT security since it provides real interaction with an organization’s systems, processes, and people. But to get maximum value from pen tests, organizations need to take into consideration the following:

Right Scope

The scope of the penetration testing must be well-defined. Organizations should focus the assessment on high-risk areas or areas where they believe there may be problems. This means that before penetration testing even begins, organizations must perform a risk analysis to understand where pen tests can have the biggest impact. For example, an organization might offer wireless access for guests, but if that network is isolated from the internal network, it poses less risk.

On the other hand, the organization might process transactions online, so there is greater exposure in that area. The definition of the scope will determine what types of exercises to perform, such as application pen tests, network pen tests, wireless pen tests, social engineering, and so on. It will also spell out what information the organization is willing to provide to the penetration testing company, which will affect what can be tested. For example, with credentials, the pen test company can assess the security controls within the application itself. Without them, this is not possible.

Right People and Company

It’s vital to hire an experienced pen tester for an assessment to be successful. The more vulnerabilities he/she can uncover, the better for the organization. The pen tester needs to have the necessary skills and qualifications to carry out the penetration test exercise defined in the risk analysis. For example, if your organization is testing an AS/400 or mainframe, the pen testing company ideally would have experience with that technology. It is also important to hire a pen testing company that can communicate the assessment findings not only to technical people, but also to businesspeople such as CEOs and board members, so that both technical and business risks are taken into consideration.

Organization’s Involvement

Pen tests aren’t something an organization contracts for and then walks away from. Depending on the scenario, different people in your organization will need to be involved. These roles and responsibilities should be spelled out before the assessment begins, so that everyone is on the same page and expectations are set. Your system administrators, application developers, or incident response team members may need to provide monitoring and support. Communication throughout the engagement between the pen test company’s team and your team will ensure a smooth process that does not disrupt the organization.

Conclusion

The success of a pen test assessment relies on organizations:

  • Properly identifying the scope of the engagement before it begins
  • Hiring the right company, with experience in the targeted areas
  • Involving the right people within your organization

About the Author

Esteban Farao is a Director of IT Security Consulting for ERMProtect Cybersecurity Solutions. As an expert certified ethical hacker, he knows the routes malicious actors use to penetrate organizations and puts this knowledge to use to protect clients. His deep knowledge of computer forensics and security has helped him break open major cases related to fraud, embezzlement, IP theft, and other misdeeds. He is also an expert in gap assessments related to data privacy compliance.
