What is Penetration Testing?A penetration test, or pen test, is an attempt to evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities. These vulnerabilities may exist in operating systems, service and application flaws, improper configurations, or risky end-user behavior. Such assessments are also useful in validating the efficacy of defensive mechanisms, as well as, end-user adherence to security policies.
Penetration tests are typically performed using manual or automated technologies to systematically compromise servers, endpoints, web applications, wireless networks, network devices, mobile devices and other potential points of exposure. Once vulnerabilities have been successfully exploited on a particular system, testers may attempt to use the compromised system to launch subsequent exploits at other internal resources, specifically by trying to incrementally achieve higher levels of security clearance and deeper access to electronic assets and information via privilege escalation.
Information about any security vulnerabilities successfully exploited through penetration testing is typically aggregated and presented to IT and network systems managers to help those professionals make strategic conclusions and prioritize related remediation efforts. The fundamental purpose of penetration testing is to measure the feasibility of systems or end-user compromise and evaluate any related consequences such incidents may have on the involved resources or operations.
Why Perform Penetration Testing?ecurity breaches and service interruptions are costly Security breaches and any related interruptions in the performance of services or applications, can result in direct financial losses, threaten organizations' reputations, erode customer loyalties, attract negative press, and trigger significant fines and penalties. A recent study conducted by the Ponemon Institute (2014 Cost of Data Breach Study: Global Analysis) reported the average cost of a data breach for the affected company is now $3.5 million. Costs associated with the Target data breach that occurred in 2013 reached $148 million by the second quarter of 2014.
It is impossible to safeguard all information, all the time
Organizations have traditionally sought to prevent breaches by installing and maintaining layers of defensive security mechanisms, including user access controls, cryptography, IPS, IDS and firewalls. However, the continued adoption of new technologies, including some of these security systems, and the resulting complexity introduced, has made it even harder to find and eliminate all of an organizations' vulnerabilities and protect against many types of potential security incidents. New vulnerabilities are discovered each day, and attacks constantly evolve in terms of their technical and social sophistication, as well as in their overall automation.
Penetration testing identifies and prioritizes security risks
Penetration testing evaluates an organization's ability to protect its networks, applications, endpoints and users from external or internal attempts to circumvent its security controls to gain unauthorized or privileged access to protected assets. Test results validate the risk posed by specific security vulnerabilities or flawed processes, enabling IT management and security professionals to prioritize remediation efforts. By embracing more frequent and comprehensive penetration testing, organizations can more effectively anticipate emerging security risks and prevent unauthorized access to critical systems and valuable information.
How Often Should You Perform Penetration Testing?Penetration testing should be performed on a regular basis to ensure more consistent IT and network security management by revealing how newly discovered threats or emerging vulnerabilities may potentially be assailed by attackers. In addition to regularly scheduled analysis and assessments required by regulatory mandates, tests should also be run whenever:
Intelligently manage vulnerabilities
Penetration testing provides detailed information on actual, exploitable security threats. By performing a penetration test, you can proactively identify which vulnerabilities are most critical, which are less significant, and which are false positives. This allows your organization to more intelligently prioritize remediation, apply needed security patches and allocate security resources more efficiently to ensure that they are available when and where they are needed most.
Avoid the cost of network downtime
Recovering from a security breach can cost an organization millions of dollars related to IT remediation efforts, customer protection and retention programs, legal activities, discouraged business partners, lowered employee productivity and reduced revenue. Penetration testing helps you to avoid these financial pitfalls by proactively identifying and addressing risks before attacks or security breaches occur.
Meet regulatory requirements and avoid fines
Penetration testing helps organizations address the general auditing/compliance aspects of regulations such as GLBA, HIPAA and Sarbanes-Oxley, and specifically addresses testing requirements documented in the PCI-DSS and federal FISMA/NIST mandates. The detailed reports that penetration tests generate can help organizations avoid significant fines for non-compliance and allow them to illustrate ongoing due diligence in to assessors by maintaining required security controls to auditors.
Preserve corporate image and customer loyalty
Even a single incident of compromised customer data can be costly in terms of both negatively affecting sales and tarnishing an organization's public image. With customer retention costs higher than ever, no one wants to lose the loyal users that they've worked hard to earn, and data breaches are likely to turn off new clients. Penetration testing helps you avoid data incidents that put your organization's reputation and trustworthiness at stake.
Written by Chip Harris