What is Penetration Testing – And Why Your Business Needs It
No matter the industry, every company or organization is a potential target for cyberattacks. That’s just the reality we live in. While the news is too often full of high-profile examples of ransomware attacks and data breaches, it’s not just major corporations that suffer. From dentist’s offices to accountants, any computer system of any size is potentially vulnerable to the malicious intentions of cybercriminals.
That’s the bad news.
The good news is that a little bit of annual or semi-annual preventative maintenance can go a long way toward keeping your organization’s data safe. There are a lot of basic, ongoing ways to improve data security and mitigate risk. But for more substantial protection, you should be performing penetration testing at least once a year. Preferably twice.
Let’s start with the basics.
What Is Penetration Testing?
Penetration testing, also known as pen testing, is an ethical attempt by security experts to gain access to your network or system. It’s a controlled exploration of your security perimeter, similar to walking around a house and checking all the windows and doors. Except unlike an inquisitive neighbor who just gives up when the door doesn’t open, a security expert performing penetration testing will go ahead and try to pick the lock. Because that’s what an experienced cybercriminal will do.
The goal of penetration testing is to find a way into your security system in order to bring any vulnerabilities to your attention. You can’t fix it if you don’t know it’s broken.
In order to figure out if there are any metaphorical broken windows or locks, a penetration tester will:
- Scan for any and all public-facing IP addresses that grant access to your system
- Find any and all open ports on those addresses
- Attempt to connect to a remote desktop protocol (RDP) service exposed on the open ports
- Launch a brute-force login attack against that service to try to get in
Hopefully, a well-fortified organization has monitoring in place to send alerts when somebody comes pounding on the electronic doors. If not, however, then it’s entirely possible that an intruder will make it inside.
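The monitoring the paragraph above calls for can be as simple as counting failed logins per source address over a short window. The following is an added example (not code from the original article or from Point Solutions Group): a small detector that reads authentication log lines and raises one alert per source that crosses a failure threshold inside a sliding window. The log format, the sample lines and the addresses (RFC 5737 documentation ranges) are constructed for this example; a real deployment would parse the actual format of its RDP, VPN or SSH logs.

```python
"""Toy brute-force detector for authentication logs.

Flags a source address that fails to authenticate THRESHOLD or more times
within WINDOW_SECONDS.  Log format, sample lines and addresses are
constructed for this example and are not from any real system.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5          # failures inside the window that trigger an alert
WINDOW_SECONDS = 60    # length of the sliding window

# Constructed log format: ISO-8601 timestamp, outcome, username, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<outcome>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return one alert per source address whose failures cross the threshold.

    Lines are expected in chronological order, as they appear in a log file.
    Each source alerts at most once so a long attack doesn't flood the console.
    """
    failures = defaultdict(deque)   # src -> timestamps of failures still in the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["outcome"] != "FAILED":
            continue                # skip malformed lines and successful logins
        q = failures[ev["src"]]
        q.append(ev["ts"])
        # Evict failures that have fallen out of the sliding window.
        while (ev["ts"] - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({
                "src": ev["src"],
                "failures": len(q),
                "first": q[0].isoformat(),
                "last": ev["ts"].isoformat(),
            })
    return alerts


# Constructed sample: one source hammers the "admin" account every five seconds,
# another user mistypes twice and then logs in, and one line is malformed.
SAMPLE_LOG = [
    "2024-05-01T09:00:00Z auth FAILED user=admin src=203.0.113.7",
    "2024-05-01T09:00:03Z auth FAILED user=jdoe src=198.51.100.20",
    "2024-05-01T09:00:05Z auth FAILED user=admin src=203.0.113.7",
    "2024-05-01T09:00:10Z auth FAILED user=admin src=203.0.113.7",
    "this line is not in the expected format",
    "2024-05-01T09:00:12Z auth FAILED user=jdoe src=198.51.100.20",
    "2024-05-01T09:00:15Z auth FAILED user=admin src=203.0.113.7",
    "2024-05-01T09:00:18Z auth OK user=jdoe src=198.51.100.20",
    "2024-05-01T09:00:20Z auth FAILED user=admin src=203.0.113.7",
    "2024-05-01T09:00:25Z auth FAILED user=admin src=203.0.113.7",
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT: {alert['failures']} failed logins from {alert['src']} "
              f"between {alert['first']} and {alert['last']}")
```

Running it on the constructed sample produces a single alert for 203.0.113.7 at its fifth failure; the two mistakes from 198.51.100.20 stay under the threshold. Tuning the threshold and window to your own baseline of legitimate typos is what turns this from a toy into a usable alert.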
How Does Penetration Testing Work?
Penetration testing and cyberattacks are both shooting for the same target – accessing your system and reaching your data. So, another header for this section might be: how do cyberattacks work? The mechanisms are basically the same; the difference is just in the intent.
The goal of a pen test is to find vulnerabilities and try to break through them. That might mean trying enough combinations of usernames and passwords to guess the way in. It also might mean acquiring login credentials to make getting through the door a lot easier.
Scripts
Unlike a live person trying to pick a real lock, cybercriminals can rely on computers to do the work for them. Scripts are programs designed to run through a seemingly endless list of potential passwords – never tiring, never running out of steam.
A script will begin with a username and then quickly and methodically work its way through an entire dictionary of potential passwords, appending numbers to the end of words. That’s why “Password4321” and “Unlock99” are really, really bad passwords.
This is also why it’s important to protect not just passwords but usernames as well. It’s shocking how often we see default usernames left in place. “Admin” is a much too easy starting point for a program trying to maliciously access your system. Having a username to start with means the lock is halfway picked.
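The two points above (a dictionary word with digits appended is weak, and a default username hands over half the lock) can be enforced at account creation. The following is an added example, not code from the original article or from Point Solutions Group: a credential-policy check that strips trailing digits and symbols, undoes common letter substitutions, and rejects the result if it is a dictionary word, and that separately rejects default account names. The word list and the default-username list are deliberately tiny and constructed for this example; a real check would use a full dictionary and a breached-password list.

```python
"""Toy credential-policy check.

Shows why "Password4321" and "Unlock99" are weak: once trailing digits are
stripped, each is a plain dictionary word, which is exactly the pattern an
automated guesser tries first.  The dictionary and default-username lists are
constructed for this example; real checks use far larger lists.
"""
import re

# Constructed, deliberately tiny dictionary.
DICTIONARY = {"password", "unlock", "welcome", "summer", "letmein", "company"}

# Default or generic account names that give a guesser its starting point.
DEFAULT_USERNAMES = {"admin", "administrator", "root", "guest", "user", "test"}

# Common substitutions a guesser also tries ("P@ssw0rd" -> "password").
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "!": "i"})

TRAILING_JUNK = re.compile(r"[0-9!@#$%^&*]+$")
MIN_LENGTH = 12


def base_word(password):
    """Strip trailing digits/symbols, undo substitutions, and lowercase."""
    core = TRAILING_JUNK.sub("", password)
    return core.translate(LEET_MAP).lower()


def password_findings(password):
    """Return a list of reasons the password is weak (empty list if none found)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    core = base_word(password)
    if core == "":
        findings.append("digits and symbols only")
    elif core in DICTIONARY:
        if core == password.lower():
            findings.append("dictionary word")
        else:
            findings.append("dictionary word with digits/symbols appended")
    return findings


def username_findings(username):
    """Flag default or generic account names."""
    if username.lower() in DEFAULT_USERNAMES:
        return ["default or generic username"]
    return []


def check_credentials(username, password):
    """Return (accepted, findings) for a proposed username/password pair."""
    findings = username_findings(username) + password_findings(password)
    return (not findings, findings)


if __name__ == "__main__":
    # Constructed sample pairs, including the two weak passwords named in the article.
    for user, pw in [("Admin", "Password4321"), ("jdoe", "Unlock99"),
                     ("jdoe", "P@ssw0rd!"), ("jdoe", "correct-horse-battery-staple")]:
        ok, why = check_credentials(user, pw)
        print(f"{user}/{pw}: {'accepted' if ok else 'rejected: ' + '; '.join(why)}")
```

The normalisation step is the part worth keeping: a check that only looks at length or character classes accepts "Password4321" because it is twelve characters with mixed case and digits, while this one sees straight through the appended digits to the word underneath.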
Phishing
Backing things up a step, cyberattacks often begin with attempts to access login information. Those suspicious emails are suspicious for a reason. Clicking on a link from someone with malicious intent can unleash a whole host of chaos into your system.
Spam filters will do a lot of heavy lifting to keep junk out of your inbox, but they aren’t infallible. Sophisticated cybercriminals are experts at making things appear legitimate. Employees have to be vigilant about verifying the sender, and security training is a key factor in keeping your data safe.
Phishing exercises (like pen testing) are a great way to keep folks from giving away important information or accidentally letting malware into your system.
Why Penetration Testing Is Vital
Not to provoke paranoia, but again, the truth is that any organization is potentially vulnerable to cyberattacks. It doesn’t matter how big or small your business might be; it’s a possible target.
Access to data is the currency of cybercriminals. Some might be trying to rob banks while others are looking to steal wallets. While a metaphorical wallet-full of data might not be as lucrative as a bank, it’s also easier to steal.
Learning about your vulnerabilities is the only way to rectify them, and you won’t know they’re there if you don’t look for them. Software, hardware and all the other pieces of technology we rely on to do business every day are constantly being updated. No matter how excellent your IT team might be, it’s still important to do a routine check.
You might think of this kind of security maintenance like going to the dentist. Just because you diligently brush and floss your teeth every day doesn’t mean you’ll be immune to cavities. Having great security protocols and procedures in place will go a long way toward keeping intruders out. But you still want to get that metaphorical X-ray to double check.
Basic Recommendations For Pen Testing
Depending on the size of your organization, a pen test might take as little as a few days or up to a week and a half. It’s not a small undertaking, but it’s also not as onerous as it might seem.
- Perform a pen test at least once a year, preferably twice
- Use a variety of tools to attempt to gain access
- Test all points of entry – website, email, firewall, hardware
- Run phishing exercises around the same time
- Afterward, review the monitoring systems and implement alerts
Ideally, on a semi-annual pen test cycle for a large organization, you’d have an internal team run a penetration test once a year and hire a third party to run another one. This will ensure a thorough investigation of vulnerabilities – we can’t see our own blind spots, after all.
For organizations of any size, however, getting a top team to take a crack at your system is a vital step in securing your data. Point Solutions Group’s security experts can perform a rigorous penetration test and assist with any security improvements should vulnerabilities be found. We’ll help ensure you’ve got all the policies, procedures and monitoring systems in place to keep your data on lockdown.