As hackers continue to identify and exploit vulnerabilities within organizations’ systems to obtain sensitive information, companies need to conduct penetration testing to find and remediate those flaws.
What is a Penetration Test?
A penetration test looks for ways to exploit vulnerabilities to circumvent or defeat the security features of a company’s system components, according to the PCI Security Standards Council, a global organization responsible for the PCI Data Security Standard and other standards that increase payment data security.
Dave Lewis, a global security advocate for Akamai Technologies, says in a recent Forbes piece that penetration tests “serve as a valuable tool in your information security practice.” He goes on to caution, however, that when deciding which vendor to choose to conduct the tests, “You need to be sure to do your homework,” in order to avoid the possibility of receiving a spotty job from a security professional who lacks experience.
Before You Start Testing
Before a test is conducted, the penetration tester and the organization should define the areas to be tested and the time frame for the testing, agree on terms and conditions, and settle the appropriate use of tools during the test, according to security vendor Trend Micro. From there, the vendor says, a time frame should be set for how long and when the testing will take place.
As the test begins, areas that can be evaluated include websites, mobile applications, wireless systems and phone equipment, to name a few, according to application security firm Redspin. “Proper penetration testing should be conducted from both outside and inside the network, as well as wirelessly, with special consideration given to specific areas most often exploited by hackers, including bugs in software, password weaknesses, and errors in design and configuration,” the company says.
Analyzing Your Findings
Once the test is finished, a report on the findings is paramount. According to the PCI Council, information to place in the report includes an executive summary on the major findings; a detailed definition of the scope of the network and systems tested; details on the methodologies used to complete the testing; and an assessment of how the testing progressed, among other items.
Successful penetration tests will “help you better protect your IT security, including network infrastructure, critical systems and confidential data,” Redspin says.
If security is on your radar as an organization—good. It should be. The security experts at ADAPTURE are available for high-level firewall penetration testing and consulting on security best practices.