Introduction

With the Remote Workforce now an almost certain reality for the foreseeable future, businesses are scrambling as fast as they can to beef up their lines of defense.  However, due to the intermingling of corporate and home networks, many applications, both internal and external, are now at increased risk for a Cyberattack.

One of the best ways to discover any unknown weaknesses or vulnerabilities that may reside in a network is to conduct a Penetration Test. 

What Is A Penetration Test?

A Penetration Test can be defined as “. . . an attempt to evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities. These vulnerabilities may exist in operating systems, services and application flaws, improper configurations or risky end-user behavior.” (Source: Core Security).

Penetration testing is also referred to simply as a Pen Test, or even Ethical Hacking. Simply put, a team of individuals (technically known as the “Red Team”) attempts to break through the organization's lines of defense from the external environment by simulating real-world Cyberattacks in a carefully controlled manner. The primary goal of the Red Team is to take on the mindset of a Cyberattacker and attempt to find any weakness possible by employing the tactics that a Cyberattacker normally would.

After the actual Pen Test has taken place, the Red Team will then review the results obtained and determine the remediation steps that should be implemented in order to seal up any weak areas that have been revealed.

Consider Hiring a Third-Party Red Team

Before you plan and execute Penetration Testing, consider the benefits of hiring a third-party Red Team. According to a recent Ponemon Institute survey, 57% of the respondents claim that they have their own internal Red Team to conduct the necessary Pen Testing scenarios.  But of these, only 13% conduct any sort of test on a daily basis, and almost 30% of them have no set schedule for even doing one.  Given these alarming statistics, it is always prudent to carefully consider hiring an external, third-party Red Team to do this for you.  Here are some of the reasons for doing so:

  • Your existing IT Security team is already overburdened. Therefore, they may not have the time to conduct regular Pen Testing drills. But with a third party doing regular Pen Testing, you can be sure that it will be done on a timely basis, according to the schedule that you establish for them.
  • Pen testing is all that third parties do, day in and day out. Thus, they are highly trained to find even the most granular of weaknesses or vulnerabilities which your internal team probably could not find.
  • You can be assured that the team you hire is highly knowledgeable in the best practices and will apply them when conducting your Pen Tests.
  • They will make sure to avoid any accidental mishaps, such as an entire system crash of your IT/Network Infrastructure. There are greater chances of this happening with your internal team.
  • A qualified third party will offer an unbiased and objective assessment of the weaknesses that have been found and provide the best solutions possible to fix them.
  • You can hire them on a contract basis – saving the cost of salaries and benefits you would have to pay an internal team.

A third-party Red Team cannot go “willy-nilly” with the testing, as they must have explicit and written consent from the client. The client, in turn, has to acknowledge the risks that are possible, and should back up all digital assets that are going to be tested.

In the next article, I will describe several of the most common types of Penetration Tests, their areas of focus and exactly what they cover.

Sources:

Core Security: Penetration Testing

July 2019 Ponemon Institute Survey