1. What is penetration testing?
A penetration test evaluates the security of information technology systems in an organization’s network. The main goal of a penetration test is to discover and attempt to exploit any vulnerabilities that may exist on an organization’s internal or external network and systems. These tests can be performed onsite or from a remote location without disrupting daily business functions. Once testing is completed, a report is provided that details the test’s findings. The report typically contains recommendations for remediation of the identified vulnerabilities to help mitigate the risk of a cyber-attack.
2. Is it necessary to perform both external and internal penetration tests?
It is imperative for an organization to conduct both an external and internal penetration test on an annual basis. External penetration tests target a company’s visible servers and devices, while internal penetration tests mimic an attack behind the firewall. Most attempts to gain access to an organization will originate from an external source, making external penetration testing the traditional, more common approach. However, internal penetration testing is just as important. If an attacker is able to penetrate an internal network, they could easily gain access to sensitive and confidential information. An internal penetration test often replicates either a scenario in which an employee has been manipulated by an attacker into providing confidential information, or the actions a rogue employee might take when attempting to compromise an internal network and access valuable information.
3. How does penetration testing differ from a vulnerability scan?
Penetration testing and vulnerability scanning are two very different preventive measures for protecting against cyber-attacks. Vulnerability scanning is considered a passive method because scans only report information about network configuration issues. While a vulnerability scan does identify vulnerabilities such as software that requires patching, it is up to information security staff to determine how those vulnerabilities will impact the network, identify any false positives, and implement a remediation plan.
Penetration testing is considered an active method and is a controlled, real-world way to determine exactly what data a malicious individual could gain access to if an organization’s network is compromised. It should also be noted that a penetration test often uncovers vulnerabilities that can’t be detected by vulnerability scans. For example, a penetration test can inspect traffic as it travels through the network to verify that information in transit remains protected, something a vulnerability scan cannot do.
The best way for an organization to validate existing threats to its network is to perform vulnerability scanning monthly, at a minimum, and to perform penetration testing annually.
4. Why is penetration testing important to an organization’s risk management strategy?
Penetration testing should be an integral part of every organization’s risk management strategy because it can help determine whether existing security policies are effective, uncover unknown vulnerabilities, and give organizations an opportunity to remediate the identified vulnerabilities before a data breach occurs. Data breaches are not only very costly but also damage the reputation of an organization, so a controlled test that detects vulnerabilities an attacker could actually exploit is invaluable.
5. Do penetration tests cause any disruption to an organization’s network?
A penetration test is performed in a controlled environment; therefore, any impact on the organization’s network is minimal. Prior to conducting a penetration test, the individual performing the test should meet with members of the organization to determine the objective and scope of the test, including the networks and systems that will be tested and the staff involved. To ensure minimal impact on normal business functions and operations, the timing and duration of the tests, as well as the rules of engagement, should also be agreed at this time.
6. How often should an organization have a penetration test performed by a third party?
It is considered best practice to have both an external and internal penetration test performed on an annual basis. New vulnerabilities are discovered regularly, so it is vital for organizations to stay ahead of evolving threats. In addition, organizations undertake various IT-related projects throughout the year, so any major configuration change to the network should be thoroughly tested to confirm that it does not expose the organization to unnecessary risk.
7. What are the most common vulnerabilities found during a penetration test?
The most common vulnerabilities discovered during a penetration test are related to network configuration. Many of the default protocols and services organizations use to communicate over their network actually allow malicious individuals to capture information as it travels through the network, leaving the organization vulnerable to a data breach. Another very common vulnerability originates from device and service configurations. For example, leaving the default configuration on a copy machine might not seem harmful, but it gives an attacker the ability to access documents scanned on the device, as well as other network information that is stored on the device itself.