If your company has never done any kind of penetration testing, you’re in trouble and probably don’t even know it. Here are the top questions you should be asking and the answers you should get from a qualified testing professional.
What Is A Penetration Test?
A Sec-Tec penetration testing report shows companies vulnerabilities that they may not know about. These vulnerabilities might be on your network, your server, web apps, mobile platform, wireless system, modems, and printers. Pretty much any technology can be exploited by intelligent hackers, and it’s these systems that must be tested.
The goal of a test is to find vulnerabilities before a criminal does. That way, you can fix those security threats and stay one step ahead of would-be attackers.
When Do I Need Testing?
There are security threats out there that you don’t know about. Every day, credit card information, sensitive company data, and client data are being stolen. Even large corporations are not safe.
Unlike a physical break-in, a data theft might go undetected for months or years. You will only know if or when the attacker decides to exploit that information and make it obvious to you. In that sense, the attacker has significant power and control over your company, can hold sensitive data for ransom, or force your company into a compromising position with no easy way out.
When Should I Do A Test?
You should do penetration testing prior to contracting for breach insurance, if you notice any viruses or malware on workstations, and any time you implement a significant change on your website or network.
You should also test after you notice unauthorized traffic on your network, when you do a security audit for HIPAA or PCI-DSS, after you upgrade or install new software, before submitting any application for breach insurance, and if you have never done a pen test before and you store valuable information on your server or anywhere else criminals might be able to access it.
What Certifications Do You Have To Perform Pen Testing?
Look for GSEC, GWAPT, GPEN, or CEH certification in testers. It also helps if the testers have backgrounds in web development, security, and other related fields. Security specialists should also have passed thorough criminal background checks and been vetted prior to joining the company.
We Already Do Vulnerability Testing. Why Do We Need Penetration Testing?
Vulnerability scans use preconfigured pattern recognition. Because of this, there are many aspects of a system that won’t be scanned, and some won’t be checked at all. Penetration testing covers a large number and variety of serious security faults that scanners can’t find or test.
Can Penetration Testing Break My Infrastructure or System?
A valid question. A good service provider will not break your system during the testing process. They should be focused on loss mitigation and minimizing downtime and thus risks to the company.
At the same time, a backup process should be initiated prior to testing, just to be safe. Also, exploiting some vulnerabilities may seriously affect your network or system applications, though this is rarely the fault of the service provider and is reflective of the serious vulnerabilities in your system.
Robert Parker works as a cyber-security consultant and likes to share his insights on cloud computing and related topics with an online audience. He is a frequent writer for a number of relevant industry websites.