Penetration Testing Overview
A penetration test is an attempt to evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities, within an agreed scope and rules of engagement. These vulnerabilities may exist in operating systems, services and applications, improper configurations or risky end-user behavior. Such assessments are also useful for validating the efficacy of defensive mechanisms and end-user adherence to security policies.
Penetration tests combine manual techniques and automated tools to systematically compromise servers, endpoints, web applications, wireless networks, network devices, mobile devices and other potential points of exposure. Once a vulnerability has been successfully exploited, testers may use the compromised system as a foothold to attack other internal resources (lateral movement), demonstrating how far an attacker could get from the initial entry point.
Information about the vulnerabilities successfully exploited during the test is presented to IT and network system managers to support risk decisions and prioritize remediation. The fundamental purpose of penetration testing is to measure how feasible a compromise of systems or end users is, and to evaluate the consequences such an incident would have on the affected resources or operations. Penetration testing helps organizations:
- Intelligently manage vulnerabilities
- Avoid the cost of network downtime
- Meet regulatory requirements and avoid fines
- Preserve corporate image and customer loyalty
How Often Should You Perform a Pen Test?
Penetration testing should be performed on a regular basis so that IT and network security is managed consistently. A penetration tester can show how newly disclosed vulnerabilities or emerging attack techniques could be used against your environment. In addition to the regularly scheduled assessments required by regulatory mandates, tests should also be run whenever:
- New network infrastructure or applications are added
- Significant upgrades or modifications are applied to infrastructure or applications
- New office locations are established
- Security patches are applied
- End-user policies are modified
Ideally, you will want to run a penetration test at least once a year, and again after any of the events listed above. Vulnerability scans should be run continuously, by your own staff, so that they build up a baseline of what is normal for your environment and can spot new findings quickly. Penetration tests should be run by an outside consultancy so you get the benefit of independence and “outside eyes”. A scan enumerates known weaknesses; a penetration test shows which of them can actually be exploited and chained together. Together, penetration testing and vulnerability scanning are powerful tools for monitoring and improving an information security program.
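The baseline idea above only pays off if each new scan is actually compared against the previous one. The following script is an added example, not part of the original article or any scanner vendor's tooling: it loads two scan exports in a simplified, assumed JSON format (host, port, plugin id, name, severity), reports findings that are new, resolved or have been re-rated to a higher severity, and flags resolved high-risk findings for retest, which is what you want after a patch window (see "Security patches are applied" above). The sample exports are constructed for illustration; real scanners (Nessus, OpenVAS, Qualys) export richer formats, so `load_findings` is the part you would adapt.

```python
"""Compare a vulnerability-scan export against a baseline export.

Added example for this article; the JSON layout is an assumption, not a
real scanner's export format.
"""
import json
from dataclasses import dataclass

# Ordering used to decide whether a re-rated finding got worse.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    plugin_id: str
    name: str
    severity: str

    @property
    def key(self):
        # Identity of a finding is host + port + check. Severity is left out
        # on purpose so a re-rated finding shows up as a change, not as new.
        return (self.host, self.port, self.plugin_id)


def load_findings(raw_json: str) -> dict:
    """Parse an export (list of records) into {key: Finding}."""
    findings = {}
    for r in json.loads(raw_json):
        f = Finding(r["host"], int(r["port"]), str(r["plugin_id"]),
                    r["name"], r["severity"].lower())
        findings[f.key] = f
    return findings


def compare_to_baseline(baseline: dict, current: dict) -> dict:
    """Diff two scans. Lists are sorted so the report is deterministic."""
    new = sorted((current[k] for k in current.keys() - baseline.keys()),
                 key=lambda f: f.key)
    resolved = sorted((baseline[k] for k in baseline.keys() - current.keys()),
                      key=lambda f: f.key)
    regressed, unchanged = [], 0
    for k in baseline.keys() & current.keys():
        before, after = baseline[k], current[k]
        if SEVERITY_RANK[after.severity] > SEVERITY_RANK[before.severity]:
            regressed.append(after)
        else:
            unchanged += 1
    regressed.sort(key=lambda f: f.key)
    return {
        "new": new,
        "resolved": resolved,
        "regressed": regressed,
        "unchanged": unchanged,
        # New or worsened findings at high/critical need a human now.
        "needs_attention": sum(1 for f in new + regressed
                               if SEVERITY_RANK[f.severity] >= SEVERITY_RANK["high"]),
    }


def retest_candidates(report: dict) -> list:
    """Resolved high/critical findings: confirm the fix, don't assume it."""
    return [f for f in report["resolved"]
            if SEVERITY_RANK[f.severity] >= SEVERITY_RANK["high"]]


# Constructed sample exports (not real scan data).
BASELINE_JSON = json.dumps([
    {"host": "web01", "port": 443, "plugin_id": "10863",
     "name": "TLS 1.0 enabled", "severity": "medium"},
    {"host": "web01", "port": 22, "plugin_id": "10881",
     "name": "SSH weak MAC algorithms", "severity": "low"},
    {"host": "db01", "port": 3306, "plugin_id": "12345",
     "name": "MySQL outdated version", "severity": "high"},
])
CURRENT_JSON = json.dumps([
    {"host": "web01", "port": 443, "plugin_id": "10863",
     "name": "TLS 1.0 enabled", "severity": "medium"},
    {"host": "web01", "port": 22, "plugin_id": "10881",
     "name": "SSH weak MAC algorithms", "severity": "medium"},
    {"host": "app02", "port": 8080, "plugin_id": "55555",
     "name": "Outdated Tomcat", "severity": "critical"},
])

if __name__ == "__main__":
    rpt = compare_to_baseline(load_findings(BASELINE_JSON),
                              load_findings(CURRENT_JSON))
    for label in ("new", "resolved", "regressed"):
        for f in rpt[label]:
            print(f"{label:9} {f.host}:{f.port} {f.name} [{f.severity}]")
    print("unchanged:", rpt["unchanged"], "needs attention:", rpt["needs_attention"])
    for f in retest_candidates(rpt):
        print("retest   ", f.host, f.port, f.name)
```

Run on the constructed data it reports one new critical finding (app02), one regression (web01 SSH re-rated low to medium), one resolved high (db01 MySQL) and flags that resolved item for retest. Feeding each scheduled scan through a comparison like this is what turns "continuous scanning" into a baseline you can reason about, and the resolved list is the natural input to a post-patch verification test.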