Cyber-attacks are cheap to conduct, but expensive for organizations that are hit by them. Botnets can be hired cheaply, hacking software is readily available, and even those without technical or practical knowledge can purchase attacks as a service.
Attacks can cripple a company’s systems and lead to large fines and reputational damage, and the low investment needed to conduct an attack means that no business is too small to be targeted.
That is where penetration testing (‘pen testing’) comes in. It is essentially a controlled form of hacking in which a professional pen tester, working on behalf of an organisation, uses the same techniques as a criminal hacker to search for vulnerabilities in the company’s networks or applications.
Penetration testing is widely acknowledged as an important part of cyber security (it is, for instance, a requisite part of a number of regulatory standards and compliance schemes), but, like any security mechanism, it is not perfect.
Pros
• They can identify a range of vulnerabilities.
Businesses are exposed to a host of potential threats, and each might be able to exploit hundreds of different vulnerabilities.
Such vulnerabilities are open to potentially devastating attacks, such as SQL injection, and things as apparently benign as error pages can provide attackers with enough information to exploit a less obvious and much more harmful vulnerability.
• They can identify high-risk weaknesses that result from a combination of smaller vulnerabilities.
Taken on their own, small vulnerabilities may appear negligible, but hackers often chain these weaknesses together into intrusion sequences, using small, steady steps to pry open security gaps into a much larger weakness.
These gaps are often overlooked by the company or automated security systems, but given that pen testers replicate a hacker’s methods, they will be able to identify such points of entry.
• Reports will provide specific advice.
The final step of a penetration test is reporting the vulnerabilities. Unlike automatically generated reports from tools that offer generic remediation tips, reports from penetration tests can rank and rate vulnerabilities according to the scale of the risk and the company’s budget.
Cons
• If they’re not done right, they can create a lot of damage.
Tests that are not done properly can crash servers, expose sensitive data, corrupt crucial production data, or cause a host of other adverse effects associated with mimicking a criminal hack.
• You are required to trust the penetration tester.
Penetration testing essentially means that you’re inviting someone to hack into your systems, so you’re relying on the tester not to abuse their skills and knowledge.