Pen tests provide insight into the sensible allocation of security resources in order to protect the areas that are at greatest risk. Additionally, penetration testing has been highlighted as having growing importance in areas of compliance, such as the GDPR, PCI DSS and ISO 27001.
If you want to make the most of the huge benefits of a pen test, it’s important to prepare your business properly. Here’s how.
Have you already run a vulnerability scan?
Before you commission a pen test, it’s advisable that you first look into conducting a vulnerability scan. Vulnerability scans are less expensive and invasive than pen tests, and rely on automated scanning tools to uncover common vulnerabilities in your systems. Common problems can include unpatched software applications, open ports and use of unsafe credentials.
Conducting a vulnerability scan first allows pen testers to focus their efforts on more complex vulnerabilities that automated tools can’t detect.
Which part of your IT infrastructure do you want to test?
Once you’re happy that you’ve identified and addressed the core vulnerabilities and have decided to order a penetration test, you face the question of where to focus your testing. Penetration testing is extremely broad, and there are various types available. It’s essential that you focus on the systems that your business depends on the most and that are most likely to be targeted by cybercriminals.
External penetration testing is the most common form. It involves testing your IT systems that are connected to the internet, such as your website and virtual private networks (VPNs). Another option is an internal penetration test, which focuses on what an attacker could do upon obtaining access to a network, for example, by obtaining an employee’s username and password.
Deciding on an approach to pen testing
There are three different approaches to pen testing – black box, grey box, and white box.
Black box penetration tests
In a black box pen test, no information is provided to the tester, so this approach is used to simulate external attacks by criminals with no knowledge of the environment they are targeting.
Grey box penetration tests
In a grey box test, some limited information is provided. This could include some level of user credentials or access. This type of test reveals what a criminal could do if they had basic information about the target.
White box penetration tests
In a white box test, full access to information is granted. This is most useful in testing how your defenses hold up once your infrastructure has been breached. Given that it involves less reconnaissance, it’s also a more cost-effective option than black box and grey box testing.
Getting the legal stuff right
It’s essential that you carefully prepare a contract in order to cover the aims and scope of the test. To comply with the latest legal requirements, your pen tester must be authorized to conduct testing on your systems – and any member of the testing team will require written consent to show they’re permitted to carry out this kind of activity. This is why it’s so important to work with a qualified and experienced pen test provider.
When should you have a pen test carried out?
There are many different things to think about when it comes to the issue of timing. It may be the case that you want to limit the disruption to your day-to-day business activities. This would involve carrying out the test at a specific time of day. Alternatively, you might have decided that part of what you want to test is your staff’s ability to respond to a breach.
In any case, it’s important to discuss the time and duration of the test with your testers.
Who needs to know about the pen test?
While the aim of penetration testing is to cause no damage or disruption to business operations, it is possible that some impact may be felt. When your computer systems are attacked it can cause downtime, especially as staff attempt to fix the issues.
For this reason, some people in your organization need to be aware that the test is taking place. But you need to make the decision on who you’ll inform. Letting all staff know that a pen test is going to happen can be the safest option – however, it may change their behavior when the test takes place.
Making your pen test run smoothly
By taking all of these factors into account you should be prepared for your pen test. The final steps include creating a documented plan for what the test will carry out, establishing a process to oversee the testing, and making sure that all appropriate actions are taken and recorded.