Penetration testing is a valuable form of vulnerability analysis that finds and identifies security problems on a site by simulating an attack from the same sorts of cybercriminals who might try to break into a business online.
How it works
A qualified security professional, or pen-tester, will mimic an attack on your site by scanning your entire network and probing all your online systems for vulnerabilities. Your pen-tester starts with the same list of hacker techniques that real cybercriminals use to break into websites – including brute force, SQL injection, malware installation, and more.
Of course, the techniques your pen-tester uses are from a specially created list that’s been documented and updated over time.
Your pen-tester might use automated tools to ensure efficiency and thoroughness, but they’re never allowed to damage or exploit your site. If part of the test requires physical access to equipment or software, your pen-tester will have to follow your company’s physical security protocols.
Who needs it
Penetration testing is most useful for eCommerce businesses, financial institutions, government agencies, and other organizations that need rigid compliance with industry regulations or governmental policies. For example, if you store credit card information or private healthcare records, you’ll be required to meet the mandates of the Payment Card Industry Data Security Standard (PCI DSS).
A qualified security professional will help you understand your compliance requirements and determine whether your company is ready to meet those mandates – but a penetration test itself won’t achieve compliance.
If you want to earn the highest possible scores on an independent IT audit, though, this type of testing is essential. You can use that score as supporting documentation for an IT security audit.
High-level penetration testing is also valuable for companies that don’t fall into the highest-risk categories, but still need to maintain market credibility and brand confidence. Even if your site doesn’t handle financial information or store medical records, you’ll want to demonstrate to customers that you’re taking every possible measure to protect their personal information.
Why it’s important
A penetration test is the only way to really know how vulnerable your site is to attack. Many companies don’t realize it until after they’ve been hacked, but even small businesses are at risk of an attack that could result in a serious data breach or digital theft.
Sometimes companies can be compromised by seemingly innocuous errors, like weak passwords or improperly configured firewalls. A pen-tester can also reveal other vulnerabilities that you might not have known about – like exposure to denial-of-service (DoS) attacks, or mishandled malware files.
A qualified security professional will check for all the common vulnerabilities your company might face, but they can also include custom checks if necessary. And if you’re required to complete an annual penetration test, it will ensure that your site stays compliant with changing regulations or policies.
When you need it
All companies need penetration testing at least once a year, but the right time for your business depends on your industry and level of risk.
High-level penetration testing is required by PCI DSS standards, and companies that process credit card transactions should follow those standards closely. Online retailers will also want to perform tests at least twice a year to make sure their servers aren’t vulnerable to attacks that could lead to fraud or data theft.
Penetration testing vs. vulnerability scanning
Vulnerability scanning is a less intrusive process that tests your site’s security vulnerabilities by running automated scans of publicly available information about your systems and applications. For example, vulnerability scanners might check whether your servers are configured with dangerous versions of common software – such as Windows XP – that have well-known exploits.
These types of scans are generally less expensive than penetration tests, but they don’t provide the same quality of service since they only test how secure public data is on your website. Vulnerability scanners can’t measure how susceptible your site is to being hacked, and they often miss critical problems – even those that have been documented extensively.
Penetration testing should be carried out only by a security consultant who has extensive experience with cybercrime and a demonstrated ability to solve complex security problems. The best pen-testers not only have the skills necessary to exploit your system, but also have an intuitive understanding of what hackers are thinking and why they might target your company specifically.
Penetration testing is a highly technical process, so it’s important to find a pen-tester who understands your target audience. Computer science fundamentals are necessary – especially those that pertain to operating systems, networks, and information security – but this expertise is useless if the tester can’t relate their knowledge to your business.
Advantages of penetration testing
- Performed by a trained and trusted security professional who’s familiar with the latest techniques and technologies that hackers use.
- Highly accurate and effective at finding exploitable vulnerabilities without causing damage to your system or disrupting service.
- Perfect for sites needing to meet compliance mandates such as PCI DSS.
Disadvantages of penetration testing
- Expensive. The majority of companies are unable to afford penetration testing unless they can recover the costs through reduced security incidents.
- Not useful for sites that have already implemented the latest safeguards against cybercrime.
- Requires an experienced tester with a background in computer science and IT who’s capable of understanding your company’s business needs.
Tools used by penetration testers
- Network Sniffers: Sniffers can be either hardware or software and they are used to intercept packets of information flowing over a given network. These tools allow testers to collect information about your site visitors, retrieve usernames and passwords, and find out precisely how data is being transferred between you and your customers.
- Social Engineering: Testers will often try to trick employees into providing sensitive information that’s not normally publicly available by posing as other users or asking for help with technical issues. This process – known as social engineering – has the advantage of occurring outside the confines of what you might consider “normal” security testing since it involves human interaction rather than simply examining computer code or network activity.
- Exploits & Zero-Day Vulnerabilities: Once a tester has compromised your site, they can run all kinds of tests that an automated security tool might not dream of attempting. The most dangerous tests involve running specific exploits against applications or technologies your website uses – including web-based email systems, CMS software, and even virtual private networks (VPNs) used to secure communications between you and customers.
- Network Mappers: Network mappers are tools used to map out the paths information takes as it moves around the internet, which you could say is essentially like creating a road map for hackers. These programs locate specific kinds of data (e.g., email addresses) as well as other valuable information such as open ports, trusted hosts, available services, and even authentication mechanisms in use on your network.
Frequently asked questions about penetration testing
How much does it cost?
It depends on the amount of work needed, but it could be anywhere from a few hundred dollars to more than $100,000 if a business hires a dedicated IT security company.
Will they help to fix any problems?
A penetration tester’s job isn’t to fix problems, but they will typically work with you or your IT team to develop a plan for resolving vulnerabilities.
Is it the same as vulnerability scanning?
No, penetration testing goes much further, and security experts also perform social engineering attacks to expose potential weak points that automated vulnerability scanners might miss.
What are the limitations of penetration testing?
Penetration testing can be quite costly and time-consuming, since it often needs to be done by a professional IT group, which might mean bringing in an external company.
What types of problems will a penetration tester look for?
Most companies hire penetration testers to check for security holes within their software, so this is what the testers should aim to find during a test.