Is Penetration Testing Worth the Investment?

1. What is penetration testing and why is it important?

A penetration test identifies how an attacker could get into your network and systems, and what they could do once inside: steal your data, disrupt your operations, or both. Many companies are required to provide the results of a penetration test to regulators, auditors or cyber insurers every year, but even without an external requirement, a penetration test is one of the more useful tools for measuring and improving your cybersecurity.

Many vendors will charge a few thousand dollars to run automated external scans of a company's public IP addresses (i.e. network addresses that are visible to and reachable by devices outside the company's own network) and report which of those addresses appear vulnerable to attack. That information is necessary, but it is a vulnerability scan, not a penetration test: it matches open ports and software versions against a list of known weaknesses, it does not try to exploit them, and it says nothing about what an attacker could reach by chaining several smaller weaknesses together.

For the $5,000 to $20,000 cost of a real penetration test, you get a skilled human being who emulates attackers by trying multiple methods of getting into your network, from the outside and from the inside. For example, in addition to scanning IP addresses, the tester might send phishing emails to your employees or attempt to deliver malware through malicious URLs and email attachments. Any usernames and passwords obtained by trickery or brute force are then used to see which systems the tester can access and how the attack can be escalated from there. Because these techniques affect real employees and production systems, agree in writing beforehand which of them are in scope, which systems are off limits, and who can halt the test if something breaks.

2. What should a penetration test target?  

The test should focus on the attacks that are most likely to be attempted against your business and on the systems whose compromise would hurt you most.

For example, as IT infrastructure continues moving into the cloud, your company is less likely to have critical assets behind an office perimeter firewall. You may not even have any on-premises servers to protect. In that situation, the test should focus on the policies and processes that manage and protect your access to the cloud services you rely on: authentication, access and identity. That means things like whether multi-factor authentication is enforced for every account, whether former employees and unused service accounts still have access, and whether ordinary users hold administrative roles they do not need.

3. What should I do with the results?

Most good penetration testers are eventually able to access at least part of the network when performing an internal penetration test, that is, one that starts from a foothold inside your network, such as a compromised workstation or a stolen set of credentials.

That's not a failure; it shows you where you have room to improve. So take your results to your in-house IT team or IT support provider. They should review every finding, prioritize remediation by how easily each weakness can be exploited and how important the affected systems are, and develop a plan for prompt implementation of the necessary fixes, whether those are software updates, configuration changes or the removal of unnecessary access. Once the fixes are in place, have the tester confirm that the original findings can no longer be reproduced.

4. Who should perform a penetration test?

The best way to identify vulnerabilities is to hire a trusted third party who has no inside knowledge of your network and no preconceptions about what to look for. The people who provide and manage your IT infrastructure are too familiar with it to test it objectively. Ideally, they should not even know when or what is being tested, so that the test also measures whether they notice and respond to an intrusion.

That's why Xantrion does not perform penetration testing. However, we do maintain a list of penetration testing vendors whom we trust to examine your network thoroughly and deliver a meaningful report we can act on. Contact your vCIO for our recommendations.