The penetration test is an industry-standard security test that determines the security level of an IT infrastructure by attempting, with the appropriate authorization, to exploit vulnerabilities in the system, including but not limited to the operating system, application flaws, configurations and end-user behavior that could pose a risk. By deliberately attempting to hack into their own systems, technicians can assess the efficiency of their defensive mechanisms and better manage those systems by spotting potential vulnerabilities before they are exploited by hackers.
Ordinarily, tests are performed manually by an in-house security technician or an independent security consultant service, with the help of automated technologies and software designed to simultaneously attack the system’s network, its devices, servers, applications and other points of weakness. If any vulnerabilities are found, technicians will attempt to see how far they can penetrate into the system and what else could potentially be exploited. The information gathered from these tests is then compiled and presented to IT and network managers to advise them on how secure their infrastructure is, to prioritise areas which need to be secured further, and to revise practices and procedures.
This may seem like a lot of work for something that bears very little fruit; however, nothing could be further from the truth. A 2014 study conducted by the Ponemon Institute concluded that a data breach costs the affected company $3.5 million in direct losses; this includes the financial effects of negative press, loss of customers, and legal fines and penalties, not to mention the value of the lost data itself.
Although there is no set standard as to how often penetration testing should be performed, it is strongly advised that tests be run on a regular basis to ensure consistent network management and to discover and remedy new threats posed to IT systems before they are exploited by attackers. It is also strongly advised that penetration tests be performed whenever new network infrastructure is added or altered, new office or network locations are established, new security patches have been applied, or end-user policies are modified.
Penetration testing not only allows network managers to deal efficiently with the risks posed by network vulnerabilities; it also benefits the organisation by reducing periods of network down-time for maintenance, helping to avoid fines imposed by the government and other regulating authorities for failing to meet security requirements, and helping to preserve customer loyalty. All in all, it is something that every business should be investing in.