CIO

Penetration tests: What are the benefits? Should every business get one?

Those of us in the IT and security industry are constantly bombarded with news articles and blog posts describing the latest big cybersecurity breach; the avalanche of incidents never seems to stop.

It's no wonder that many CSO readers and business owners just don't know what to do and are a little overwhelmed by the idea of trying to protect their systems. I feel that there are a few things every business can do to protect itself.

Most organisations invest in firewalls and antivirus protection, which is a good starting point, but how can we protect a system adequately if we don't know what its weaknesses are? Do you know whether your current protections would even help stop an attack or a ransomware infection spreading through your network?

The only way we can truly be confident that we have done the best we can is to test our protections and make sure they react as needed. This type of test is typically known as a penetration test and is carried out by a penetration tester or security engineer with the skill set required to conduct a thorough assessment, including exploitation where the scope allows, so that the result is a realistic simulation of what a malicious actor would do.

The whole idea of penetration testing is a little strange when you think about it. You're essentially paying a hacker/security engineer to break into your systems any way possible (obviously with some rules, because we aren't criminals). Depending on the scope, the process could use social engineering, known or even unknown vulnerabilities, misconfigurations, or simply exploit bad security practices (poor passwords and reusing the same password for every account, to name a few). It is honestly quite scary how bad some security practices are, and too often it takes an incident for businesses to learn the hard way.

This is a process that every business should consider, given its relatively small cost compared to a real security breach and the dramatic improvements and insight it can bring. Yes, on occasion no entry point can be found, but there is almost always something that could be improved. Let's list some basic benefits of a security test:

  • Find out what information about your organisation is publicly available that could give a cybercriminal an attack vector to exploit.
  • Identify unnecessary ports and services open to external access for no reason, or simply poorly configured systems, that would allow easy exploitation by a malicious actor.
  • Identify poor patch management processes.
  • Identify weak password or account management practices.
  • Identify inadequate antivirus or perimeter protections.
  • Gain a path forward with clear recommendations on how to improve your organisation's security.

A pen test can take from as little as a week up to several months to complete, depending on many factors such as the size of the business, the scope of the tests agreed by the organisation, and what issues or vulnerabilities are found during the initial reconnaissance phase of the test. The process and timeframes will be discussed with the organisation you engage for the task, but it is always a good idea to have a clearly defined set of expectations and agreed processes that both parties are happy with.