Have you ever had that feeling when, even after leaving your house, you’re not sure whether or not you remembered to lock the door? Sitting in your car in the driveway, you stare at the doorknob of your home, not sure whether or not it would simply let anyone inside. As you rack your brain to remember, you then wonder if your windows are locked, too.
“Could someone get inside? How good a job have I done in securing my home? How susceptible is it to entry?” This is an immensely familiar feeling. However, in most instances, shaking the doorknob results in a fully locked door.
A less familiar feeling, however, and one with perhaps a more damaging outcome, is having the same sensation about your systems.
- “How robust is our password protocol?”
- “How secure is our data encryption?”
- “How vulnerable is my company’s data to hacking?”
To answer all of these questions, a professional pen test is required.
“A pen test? As in scribbling on a scrap piece of paper?”
No, not a writing utensil. “Pen” is short for “penetration,” meaning how vulnerable your company’s cybersecurity precautions are to malicious threats.
What is pen testing?
Penetration testing (or “pen testing”) is the process of having a team of “whitehat” (ethical) hackers test the full strength of your company’s cybersecurity efforts. During a pen testing scenario, these hackers-for-good will attempt a variety of techniques to penetrate your best defenses. Not only are regular pen tests incredible tools for keeping your IT department on their toes rather than their heels, but each pen test provides immense insight into which vulnerable points of entry need attention.
Your Pen Test Journey
Determine Your Reasoning
It’s a good idea to be vaccinated to keep from getting sick. However, it makes little sense to receive a vaccination for the Black Death, a plague that peaked in the 1300s. You’ll want a flu vaccine for the strain in your area. In the same vein, you’ll want your pen test to have a specific goal. Why are you performing this pen test? What are your concerns? If you’re not sure of what areas to hit first, just like a doctor can recommend the best vaccine, a Managed Network Services professional can advise you on developing a worthwhile pen test goal.
A pen tester will begin research on your company’s data system. These research methods are similar to those used by blackhat (unethical, malicious) hackers when attempting to find vulnerabilities in your organization’s cybersecurity system.
Attack of Vulnerabilities
Once apparent vulnerabilities and system weaknesses are found in the system, the pen tester will attempt to exploit these in the way a blackhat hacker or malware program would. These vulnerabilities are typically some of the most accessible entry points into your system.
Brute Force Hacking
When vulnerabilities aren’t as apparent, some cyberthreats attempt to brute-force hack their way through your company’s protections. Brute force hacking can exploit poor password etiquette on the part of your company. Flimsy passwords that are easily cracked, or systems that allow too many retry attempts, can make brute force attacks the entry point for a blackhat hacker or malware program.
Phishing, Spearphishing & Malware
Another accessible entryway into a company system is through social trickery. Perhaps someone opens an email that they shouldn’t have, clicks on a link, or downloads a malicious attachment. These activities have resulted in major data breaches. These methods and many others are the equivalents of a burglar tricking you into unlocking your door for them. Some of these tricks include phishing, spearphishing, and even that old “found this USB flash drive in the parking lot” trick.
Once pen testers have gained access, some will exercise the same controls over the system that blackhat hackers or malware programs use. These include, but are not limited to, data theft, taking screenshots, turning on webcams, and many others. Though this can seem uncomfortable for a business, the deepest pen tests reveal the most compromising weaknesses in a system. These in-depth analyses provide the best information for guarding against such threats.
Reporting of Activities
Following a complete analysis of the pen test, an exhaustive report is created that informs the business of everything the whitehat pen testers were able to accomplish. Included in these reports are typically recommended next steps for the company or organization to perform to prevent blackhat cyberthreats from achieving similar and even more malicious goals.
Ready for your pen test? No? Even better.
In this hyperconnected age, you really can’t afford not to have a pen test performed on your company’s system. You not only owe it to the future success of your company, but also to every client or customer who has trusted your organization with their sensitive data.