Imagine your head of IT operations turns to you, coffee in hand, and proclaims, ‘I think it’s time get a pentest done on our network!’. If your first reaction is to panic, don’t fear.
In this article, we cover some of the basic questions around pentesting and the importance of this IT process for your business and cyber security.
In short, penetration testing is the method of finding out if a network is secure by attacking it. Often shortened to pentesting, the process is a regular occurance in corporate IT and one that your business should be aware of.
Essentially, with pentesting, you’re paying good guys to do something that bad guys will do for free.
The first questions you and your business should be considering when thinking of pentesting are outlined below:
- Is your business ready for a pentest?
- What will happen if penetration testing is carried out within your business?
- When it’s over, what do we get from the pentest?
Before testing begins: Are you ready?
So, you’ve been thrust into the idea of ordering a team of hoodie-clad, over-caffeinated geeks to poke holes in your network. Is that the right move?
For those starting out on the path to becoming security-aware, some initial guidance is to check out cyber security frameworks such as those provided by NIST and US-CERT.
Another good reference point ahead of testing is the ASD’s list of Risk Mitigation Strategies.
Here are some of the questions that should be considered ahead of pentesting:
- Will your business be patching applications and operating systems?
- Will testers be applying ‘least privilege’ policy to user accounts?
- What is the business ‘defence in depth’ strategy?
- What are the company’s digital assets?
- Will the business be employing network segmentation?
The pentest process: What’s happening?
So you need to bite the bullet and order a pentest, maybe because there’s been a breach or to meet your compliance needs. But what is exactly going to happen in the process?
Once contracts are signed and arrangements have been made, pentesters will try to break into your network. But what can you expect from them and how do you know if you’re getting a good deal?
|A good tester will:||A bad tester will:|
|Find an entry point but also look for others using a thorough approach.||Stop at one point of entry and begin to move through the network|
|Document all findings and suggest remedies or resources for remediation||List some of their findings with little to no detail.|
|Provide a detailed, well-structured pentest report including diagrams and screenshots where applicable. The report will fully describe the vulnerabilities in a comprehensive way.||Send a pentest report with minimal details, maybe a copy, paste from vulnerability scan engine if you’re lucky.|
Job’s done. Or is it?
At the end of a penetration test you’ll be given a report from your vendor. This should be considered as product of the pentester’s work.
In most cases, there will be multiple issues found with your network. You and your team might spend many hours going through the report, working through ways you can beef up your network’s defences.
For assistance in securing your organisations online systems using pentesting, please do not hesitate to contact Agilient.
The Agilient Team