What is a pen test?
A penetration test, also called a pen test or ethical hacking, is a cybersecurity technique organizations use to identify, test and highlight vulnerabilities in their security posture. Penetration tests are usually carried out by ethical hackers: in-house staff or third parties who mimic the strategies and actions of a real attacker in order to evaluate how easily an organization's computer systems, networks or web applications can be compromised. Organizations also use pen testing to demonstrate adherence to compliance requirements.
Ethical hackers are information technology (IT) experts who use attacker techniques to help companies identify possible entry points into their infrastructure. Using different methodologies, tools and approaches, they run simulated attacks to test the strengths and weaknesses of an organization's existing security controls. Penetration, in this case, refers to the degree to which a hypothetical threat actor can get past an organization's cybersecurity measures and protocols.

There are three main pen testing strategies, each giving the tester a different level of information before the engagement starts. White box testing provides the tester with full details about the target system or network, such as architecture, configuration and source code; black box testing provides no prior knowledge of the system; and gray box testing provides partial knowledge. Black box tests most closely resemble an external attacker's view, but a tester working blind can miss issues that someone with documentation would find quickly; white box tests trade that realism for coverage and efficiency.

Pen testing is considered a proactive cybersecurity measure because it drives regular, self-initiated improvements based on the findings of each test. This differs from a reactive approach, in which weaknesses are addressed only after they have been exploited: for example, a company updating its firewall rules after a data breach has already occurred. The goal of proactive measures like pen testing is to minimize the number of after-the-fact fixes and to maximize an organization's security.
What is the difference between pen testing and vulnerability assessment?
Pen tests are not the same as vulnerability assessments, although the two are often performed together. A vulnerability assessment, usually driven by automated scanning, produces a prioritized list of known weaknesses and how to remediate them; it does not normally attempt to exploit them. A pen test goes further: the tester tries to exploit the weaknesses found, chaining them where necessary, to show what an attacker could actually achieve against the organization. Pen testing is therefore usually conducted with a particular goal in mind. These goals typically fall under one of the following three objectives:
Each objective focuses on a specific outcome that IT leaders are trying to avoid. For example, if the goal of a pen test is to see how easily an attacker could breach the company database, the ethical hackers would be instructed to attempt exactly that. The results of a pen test communicate not only the strength of an organization's current cybersecurity controls, but also the concrete attack paths that could be used to penetrate the organization's systems.

Why is pen testing important?
The rate of distributed denial-of-service, phishing and ransomware attacks is increasing dramatically, putting every internet-connected company at risk. Given how reliant businesses are on technology, the consequences of a successful cyber attack have never been greater. A ransomware attack, for instance, could block a company from accessing the data, devices, networks and servers it relies on to conduct business, resulting in millions of dollars of lost revenue.

Pen testing uses the attacker's perspective to identify and mitigate cybersecurity risks before they are exploited. This helps IT leaders implement informed security upgrades that reduce the likelihood of a successful attack.

Technological innovation is one of the greatest, if not the greatest, challenges facing cybersecurity. As technology evolves, so do the methods cybercriminals use, and organizations must update their security measures at the same rate to protect themselves and their assets. The caveat is that it is often difficult to know which attacker techniques are current and how they might be applied. By engaging skilled ethical hackers, organizations can more quickly identify, update and replace the parts of their systems that are most susceptible to modern attack techniques.
How to do penetration testing
Pen testing differs from other cybersecurity evaluation methods in that it can be tailored to any industry or organization. Depending on its infrastructure and operations, an organization may favor a particular set of attack techniques or tools, and the methodology may also vary with the IT personnel involved and the company's own standards. Using the following adaptable six-step process, pen testing produces a set of results that helps organizations proactively update their security protocols:
This was last updated in May 2021.
Which term refers to a security principle employed in many organizations to ensure that no single individual has the ability to conduct transactions alone? Separation of duties.
Which term describes a legal document used to describe a bilateral agreement between parties? A memorandum of understanding (MOU) is a legal document describing a bilateral agreement between parties.
What are the steps that make up the policy lifecycle? Most policy models include the following five stages: (1) identifying the issue to be addressed by the proposed policy, (2) placement on the agenda, (3) formulation of the policy, (4) implementation of the policy, and (5) evaluation of the policy.
What step can be taken to evaluate the effectiveness of the security measures in place at an organization? Perform a vulnerability assessment.