Protecting computer networks is not a ‘set it and forget it’ business. To have the best chance of remaining unscathed, a network’s defences must be continually monitored and tested. The second part of that equation is where penetration testing (commonly referred to as pen testing) comes in.
Our newly released guidance will help those who need it determine how to go about commissioning a penetration test, and ensure the most is made of this essential but expensive resource. This blog post can help you to decide when you are likely to get the most benefit from penetration testing.
What is a pen test?
What we want to know is: How easy would it be for an attacker to get unauthorised access to our computer network? In essence, how safe are we from malicious attempts to break in and steal, deface or destroy our virtual valuables? Are the various security controls we have in place working together, providing the level of security we expected? And, ultimately, should we be looking to boost our security?
We’re not talking about the average home network here. Even if you have been gradually accumulating PCs for the last couple of decades you’re unlikely to need a penetration test.
The kind of networks that need testing are often large scale, complex, corporate systems. Possibly with thousands of machines, but definitely containing assets which MUST be protected: Credit card details, personal data, secrets. The kind of things bad people want to steal, but also the kind of things for which you could be held to ransom.
The testers and the test
The knowledge, skills and even the tools deployed by pen testers have much in common with the ‘very particular skillset’ of the hacker. This is no accident. The pen test tries to emulate a real world assault on your cyber defences. As a result, there is some risk of disruption, but using a good pen tester will minimise the risk.
Your choice of testers is critical. What makes a penetration test so valuable is that it deploys highly skilled human minds against your defences. The quality of these minds is what you’re paying for, so it’s important to make sure the team doing the testing has recognised technical abilities, and ethical principles.
The simplest difference between a pen test and an actual attack is that a pen tester will record any vulnerabilities uncovered, document them to be dealt with, and assist the customer in finding such issues themselves. This should all be made clear to you in a way which is genuinely useful.
Ideally, you should know your own systems well enough that a penetration test only confirms your understanding. Pen tests are a fairly expensive process, and in most cases an infrequent one. So if you don’t have a “business as usual”, security testing regime in place, a pen test will be of limited value.
Guidance
If you are considering a penetration test, take a look at our detailed guidance before you engage a team of professionals.
Along with a break down of the different types of pen test, we’ve also outlined how a model process would work, how to hire and brief a team, and how to make the most of their findings.
If you follow the advice we’ve laid out, you’ll be sure to get the maximum benefit from this highly specialised form of security evaluation.
Source: National Cyber Security Centre
