info@verity-it.com (888)-642-8472
2001 Butterfield Road, Suite 102
Downers Grove, IL 60515

Penetration Testing

What Is It and Does My Company Need It?

October 15, 2020 Liz Pena

Penetration testing, also called pen testing, is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit.

Penetration testing can be automated with software applications or performed manually. Either way, the process involves gathering information about the target before the test, identifying possible entry points, attempting to break in (either virtually or physically) and reporting back the findings.

The main objective of penetration testing is to identify security weaknesses. Penetration testing can also be used to test an organization’s security policy, its adherence to compliance requirements, its employees’ security awareness and the organization’s ability to identify and respond to security incidents.

Typically, the information about the security weaknesses that are identified or exploited during a pen test is gathered and provided to the organization’s IT and network system managers, enabling them to make strategic decisions and prioritize remediation efforts.

Penetration tests are also sometimes called “white hat attacks” because in a pen test, the good guys are attempting to break in.

What’s the Purpose of Penetration Testing?

The primary goal of a pen test is to identify weak spots in an organization’s security posture, as well as measure compliance with its security policy, test the staff’s awareness of security issues and determine how the organization would fare against a real attack.

A penetration test can also highlight weaknesses in a company’s security policies. For example, although a security policy may focus on preventing and detecting an attack on a company’s systems, it may say nothing about how to contain and remove an intruder once one has been found.

The reports generated by a penetration test provide the feedback needed for an organization to prioritize the investments it plans to make in its security.

What Areas Does Penetration Testing Cover?

Application Penetration Testing

Identifies application-layer flaws such as cross-site request forgery, cross-site scripting, injection flaws, weak session management, insecure direct object references and more.
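As an added illustration of one of those injection flaws (this is example code written for this page, not Verity IT’s tooling or a client system), the following shows a login lookup that pastes user input straight into SQL beside the parameterized version a tester would recommend. The table, the two sample accounts, the plaintext password column and the attack string are all constructed assumptions for the demonstration.

```python
"""Added example: SQL injection in a login query, vulnerable vs. parameterized.

Everything here is constructed for illustration: an in-memory SQLite database,
two sample accounts, and a classic tautology payload. Storing plaintext
passwords (as this sample table does) would itself be a finding in a real test.
"""
import sqlite3


def make_db():
    """Build a throwaway in-memory database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret!", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The flaw: attacker-controlled strings become part of the SQL text."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}' "
        "ORDER BY id"
    )
    return conn.execute(query).fetchall()


def login_fixed(conn, username, password):
    """The fix: placeholders keep the values separate from the query text."""
    query = (
        "SELECT username, role FROM users "
        "WHERE username = ? AND password = ? ORDER BY id"
    )
    return conn.execute(query, (username, password)).fetchall()


# Tautology payload: the closing quote ends the password literal, and
# "OR '1'='1'" makes the WHERE clause true for every row.
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    # The vulnerable query returns every account without a valid password.
    print("vulnerable:", login_vulnerable(conn, "alice", PAYLOAD))
    # The parameterized query treats the payload as a literal password and
    # finds nothing.
    print("fixed:     ", login_fixed(conn, "alice", PAYLOAD))
    # Legitimate credentials still work against the fixed version.
    print("fixed/bob: ", login_fixed(conn, "bob", "hunter2"))
```

The vulnerable function is what a tester probes for by submitting a single quote and watching for an error or a change in the response; the parameterized function is the remediation the report would recommend, alongside hashing the stored passwords.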

IoT/Device Penetration Testing

Aims to uncover hardware and software level flaws with Internet of Things devices including weak passwords, insecure protocols and more.

Network Penetration Testing

Focuses on identifying network- and system-level flaws, including misconfigurations, product-specific vulnerabilities, wireless network vulnerabilities, rogue services, and weak passwords and protocols.
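The "weak passwords" item above is usually confirmed offline: credential hashes recovered during the test are checked against a wordlist, and accounts that share a hash are flagged for password reuse. The example below is added for this page (it is not Verity IT’s tooling); the account names, the wordlist and the use of unsalted SHA-256 for the sample hashes are constructed assumptions, and real systems use other hash formats.

```python
"""Added example: offline weak-password and password-reuse check.

The credential dump is constructed for illustration. It uses unsalted SHA-256
as a stand-in for whatever format the target really stores; the lack of a salt
is itself what makes the one-hash-per-candidate lookup below so cheap.
"""
import hashlib


def sha256_hex(password):
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample dump: account -> hash of its password.
DUMP = {
    "svc_backup": sha256_hex("Welcome1"),
    "jsmith": sha256_hex("Summer2020!"),
    "dba_admin": sha256_hex("Welcome1"),
    "ceo": sha256_hex("correct-horse-battery-staple-7Q"),
}

# Constructed wordlist; a real engagement would use far larger lists plus
# mangling rules (capitalisation, trailing digits, company name, season+year).
WORDLIST = ["password", "Welcome1", "Summer2020!", "hunter2", "admin"]


def crack(dump, wordlist):
    """Hash each candidate once, then look every account's hash up in it.

    Returns {account: recovered_password} for accounts whose hash matched.
    """
    lookup = {sha256_hex(word): word for word in wordlist}
    return {acct: lookup[h] for acct, h in dump.items() if h in lookup}


def reused(dump):
    """Accounts sharing a hash share a password, whether or not it was cracked.

    Returns a list of sorted account groups, one group per shared hash.
    """
    by_hash = {}
    for acct, h in dump.items():
        by_hash.setdefault(h, []).append(acct)
    return sorted(sorted(group) for group in by_hash.values() if len(group) > 1)


def findings(dump, wordlist):
    """Summarise what would go into the report: cracked and reused accounts."""
    cracked = crack(dump, wordlist)
    return {
        "cracked": cracked,
        "reuse_groups": reused(dump),
        "uncracked": sorted(a for a in dump if a not in cracked),
    }


if __name__ == "__main__":
    for key, value in findings(DUMP, WORDLIST).items():
        print(f"{key}: {value}")
```

In a report, each cracked account becomes a finding with the password category (default, seasonal, dictionary word) rather than the password itself, and reuse groups are called out separately because a shared password turns one compromised account into several.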

Physical Penetration Testing

Also known as physical intrusion testing — this testing reveals opportunities to compromise physical barriers such as locks, sensors, cameras, man-traps and more.

All of these risk-based approaches involve several steps. These steps include:

Information Gathering: The stage of reconnaissance against the target.

Threat Modeling: Identifying and categorizing assets, threats, and threat communities.

Vulnerability Analysis: Discovering flaws in systems and applications using both commercially available and internally developed tools.

Exploitation: Simulating a real-world attack by attempting to exploit the discovered flaws, confirming which are real and documenting their impact.

Post-Exploitation: Determining the value of compromise, considering data or network sensitivity.

Reporting: Outlining the findings with suggestions for prioritizing fixes. For us, that means walking through the results with you hand-in-hand.


How Often Should You Perform Penetration Testing?

Organizations should perform pen testing regularly — ideally, once a year — to ensure more consistent network security and IT management. In addition to conducting regulatory-mandated analysis and assessments, penetration tests may also be run whenever an organization:

  • Adds new network infrastructure or applications.
  • Makes significant upgrades or modifications to its applications or infrastructure.
  • Establishes offices in new locations.
  • Applies security patches.
  • Modifies end-user policies.

Penetration testing is not one-size-fits-all — when a company should engage in pen testing also depends on several other factors, including:

Size

Companies with a larger online presence expose more attack surface, which makes them more attractive targets for hackers.

Budget

Penetration tests can be costly, so a company with a smaller budget might not be able to conduct them annually.

Location

A company whose infrastructure is in the cloud is generally limited to testing its own tenant resources; the cloud provider’s underlying shared infrastructure is off-limits, and the provider’s own testing policy may require notice or restrict certain techniques.

Regulations and Compliance

Organizations in certain industries are required by law to perform certain security tasks — including pen testing.

Penetration testing is all about assessing your overall security before attackers do.

A penetration test digs deeper and samples your environment in a way that a vulnerability scan simply does not. Contact Verity IT to schedule your pen test today!