What is penetration testing? A...
Penetration testing is an interesting business, and an industry that has exploded in recent years. We speak to cyber security specialists Jumpsec to find out more.
What is a Pen Test?
A penetration test is also known in the industry as a “pen test” or, more broadly, as ethical hacking. A business undertakes it as an authorised, simulated cyberattack. It is carried out to assess the safety measures the business has put in place to protect its computer systems. It is also used to investigate whether unauthorised parties could gain access to classified and confidential information. An initial penetration test can take place before a full risk assessment, to establish whether one is needed.
The main aim of a pen test is to detect any vulnerability in security systems. In the United Kingdom, a small to medium business is cyber-attacked just under every thirty seconds, every day. A pen test is carried out to flag such weaknesses within a business before an attacker finds them, so that this never happens in the first place.
Industry professionals regard penetration testing in cybersecurity in the same way that bankers regard a financial audit. The team looking after the company's money tracks its incomings and outgoings, as well as its income, day to day. An examination of this area by a third-party group makes sure that all policies and core practices are working safely and securely for the business.
A penetration test likewise makes sure that all internal safety measures are robust and up to date. Any test should produce a findings report, and this report should help enhance the company’s internal security processes.
Who does the penetration testing?
An outside entity should be tasked with performing a pen test. These people are also known as ‘ethical hackers’. It is highly recommended that an organisation undertaking a pen test uses a penetration testing company accredited under schemes such as CHECK, CREST, Tiger or Cyber Scheme. This is because, while undertaking a pen test, an ethical hacker sometimes gathers sensitive data and information that, in the wrong hands, could be used to plan a real attack on the company.
The ethical hackers breach the defences and then work their way through the system, looking for any core weaknesses within it. The ethical hacker ends the pen test by exiting the system, masking how they left it and leaving everything as it was before the test took place. Once this is complete, they compile their findings and work with the company’s security team to make recommendations on the security improvements that should be implemented in the short and long term.
What are the types of penetration testing?
There are many different penetration tests that can be carried out, and they are offered by penetration testing companies such as Jumpsec.
In most cases, tests are undertaken in the form of open-box tests, where the ethical hacker is given snippets of information regarding the company’s security. A closed-box test is one where no background information is given to the ethical hacker, so they undertake the test blind. Covert tests take things one step further: only a select few people inside the company know that the test is happening.
Routine penetration tests are vital for the smooth operation of any business that wants to make sure its data is guarded safely. Pen tests allow a business to demonstrate that its current security defence infrastructure is working well. If that infrastructure grows for any reason, it becomes important to test again to determine whether the alterations to the system have negatively impacted security, or simply uncovered something that could have been missed.
Penetration tests are particularly vital for businesses and enterprises that need to demonstrate their compliance with specific rules and regulations, such as PCI DSS or ISO 27001. When businesses operate in these sectors, testing is often a standard requirement.
What are the outcomes?
The results of a pen test can be used to help an organisation understand any extra upgrades that can be made to its protection systems. The information from a thorough pen test helps internal cyber security experts assess which areas of the business require additional focus to mitigate external risk. Pen tests can therefore be used to help IT departments justify an increase in the security budget, or to provide hard examples of critical flaws that need to be actioned in the short term.
Penetration tests should be performed fairly often: whenever a significant change is made to the organisation's online infrastructure, whenever additional parts of the business are acquired, or simply quarterly, because risks and vulnerabilities develop constantly.