Chris Fortune – [Security Consultant]
Penetration testing helps businesses understand if their investment in security actually affords them the protection they want. To help in your understanding, let’s start with defining some terms to make sure we are using the same vocabulary.
- Threat – agent or actor that can cause harm
- Vulnerability – a flaw someone can exploit to cause harm
- Risk – Where threat and vulnerability overlap
- Exploit – code or technique that a threat uses to take advantage of a vulnerability
- Penetration testing – modeling the techniques used by real-world attackers to find vulnerabilities and, under controlled circumstances, exploiting those flaws in a professional, safe manner according to a carefully designed scope and rules of engagement, in order to determine business risk and potential impact. The goal throughout is to help the organization improve its security.
- Security/Vulnerability assessment – focuses on finding security vulnerabilities, which may or may not be exploited to gain access or steal data. These assessments are broader and often include explicit policy and procedure review.
Now that we have a common vocabulary, you might be thinking “How is a penetration test different from a vulnerability assessment?” The difference is action – the penetration test aims to breach the security of the business, whereas a vulnerability assessment is simply an evaluation of your organization’s security posture.
A penetration test can help answer the following questions:
- Can vulnerabilities that are found be exploited to gain access or steal data?
- Can lower-risk vulnerabilities be chained together in a way that opens up a higher-risk vulnerability?
- What does this mean to the business or operations if successful?
- At what level can your business successfully detect and respond to attacks?
Other reasons a penetration test can provide value to your business:
- Meeting compliance with regulatory standards
- Finding vulnerabilities that automated network or application vulnerability scanners have difficulty detecting
- Providing evidence to support increased investment in security personnel and technology
- Validating, after a security incident, that the new security controls put in place will stop a similar attack in the future
Penetration tests can be scoped to your business needs from general to narrow. On the general side of scope is a black box test. The tester is given little to no information and tries to see if they can get access or business information. On the narrow side of scope is a white box test. This could be something like testing a new application with full knowledge of what it should do. The tester in this case is given valid user accounts with different roles like a regular user and an admin user to test what each can do in the application.
If you would like to discuss penetration testing and the value it can bring to your organization, please contact your Keller Schroeder Account Manager to begin a discussion with our certified penetration testers.