What is penetration testing and why do I need it?
These are the two most common questions people ask about penetration testing (pentesting) and, unless you are already heavily involved in IT systems development you may not have heard the phrase before.
Pentesting goes by several names but broadly speaking they all mean the same thing. You may hear terms like “vulnerability assessment” or “technical risk assessment” or “technical security audit.”
Simply put, a pentest is a way of checking the security of an IT system or network, by doing all the things a hacker would do. Depending on what you ask the pentesters to do this can range from them trying to sneak past your receptionists, probing your internet site to accessing your back‐end databases.
As part of the process, the pentesters (sometimes called “Ethical Hackers” or “White Hat Hackers”) will run through combinations of known vulnerabilities which are often exploited by hackers to compromise systems – such as in the attack on the SONY PLAYSTATION NETWORK. Depending on the pentest company, and your requirements, they may also be able to work with you to identify threats which are not yet public knowledge.
When the testing has finished, you will be presented with a report identifying any vulnerabilities in your systems and giving advice on what should be done to close any gaps. A good pentest company will provide you with information on the likelihood of a weakness being exploited and the damage this could cause, but often this will fall to your security staff to assess.
Once completed, the findings of a penetration test, and any remediation activity you may undertake, can be presented to your shareholders, or other key stakeholders, as evidence that appropriate levels of security are in place. Additionally, depending on the nature of your business, a penetration test may be a regulatory requirement – such as if you handle credit card data.
Most importantly, by carrying out a proper pentest, and following through to remediate any relevant findings, you can prevent financial loss to your business, loss of reputation for your brand and retain customer confidence that you are looking after their data.