The Primary Purpose of Penetration Testing

How to Protect Your Digital Fortress from Danger

The online world continues to expand. People spend more time (and more money) online than ever before, and there seems to be no signs of that trend slowing in the near future. Propelled by convenience, and given some extra momentum by a pandemic that limited people’s ability to do much real-world interaction, individuals have fully embraced life online.

And where the people have gone, businesses have been swift to follow. In the 4th quarter of 2021 alone, the US saw online commerce expand to $218.5 billion. The internet has provided businesses with an easy way to reach and serve customers, and a new way of approaching business with less overhead and more efficiencies than ever before.

But in this digital realm, these new ventures come with new vulnerabilities, ripe for criminals to exploit.

A Virtual Carcassonne

Nearly every business in this modern age holds a treasure trove of valuable information, not just companies that deal in ecommerce. Nearly all elements of business are now being conducted online, from internal communications and customer mailing lists to credit card numbers, trade secrets, and private employee information. If a business’ leadership is smart, they will set up security measures to ensure that this information is secure; after all, this information, stored within the company’s databases, can tempt criminals to hack your company’s network and steal it for profit or exploitation.

In a lot of ways, businesses today must mirror the walled cities of ages past. These cities were centers of trade, government, society, and military power, with high walls encircling the most valuable areas and well-guarded gates that monitored the flow of people and goods in and out of the city. A business needs its own virtual walls and gates to ensure that the right people can access its databases, and that the wrong people are turned away.

Penetration testing, or pentesting, is the best and most thorough way of ensuring that these walls and gates are doing their job well. After all, the primary purpose of penetration testing is defense.

Penetration Testing: The Practice of Defense

In chapter 6 of Sun Tzu’s The Art of War, there is an almost perfect description of the purpose of pentesting: “You can be sure of succeeding in your attacks if you only attack places which are undefended. You can ensure the safety of your defense if you only hold positions that cannot be attacked.” 

While pentesting cannot remove the vulnerable positions in a business’ online resources, it can ensure that those positions will not give way when the attack comes. 

What is a Penetration Test?

A penetration test involves a group of security experts researching, testing, and documenting vulnerabilities in your company’s network. Depending on the scope of the test, these experts can test your network’s defenses from outside or within a business’ firewalls and external protections. 

It is important to recognize that a pentest is not the same as a vulnerability scan. A vulnerability scan is a thorough review of a network using scanning tools that analyze the network’s many elements and search for known vulnerabilities; the scanners keep a constantly updated database of reported vulnerabilities that could be exploited and search specifically for those weaknesses. Any weaknesses identified are then reported, and it is up for the network’s owner to ensure that these vulnerabilities are patched before they are exploited.

While vulnerability scans are useful and should be used regularly to ensure that easily correctable weaknesses are taken care of, penetration testing goes far deeper, with experts trying to exploit the weaknesses they find, and seeing just how much damage could be done through that weak point. They also test for weaknesses in the human side of an organization, using phishing schemes and other means to find ways of accessing a network, and thus pointing out crucial behavior and policy issues that need to be addressed.

Enter PlexTrac, the perfect tool for reporting and remediating the vulnerabilities you uncover through your penetration testing efforts. Book your live demo today to see why the best pentesting begins and ends with PlexTrac.

Why is Penetration Testing Important?

Like the walled cities of old, business is only as good as its defenses. Your business model may be excellent, you may have millions of happy and returning customers, you may have reliable supply chains and dependable employees, but if your business’ defenses are weak, then it will be only a matter of time before the gates are breached, the walls are scaled, and your business will be pillaged and burned to the ground.

Consider the risks of not having a sufficient defense protecting your online assets.

The chances are good that nearly every detail of a given business’ operations are stored on their databases. From employee’s social security numbers and client contracts, to trade secrets and internal financial information, practically all of the business’ processes and operations are accessible digitally. Now, imagine the damage if this information was stolen, and either published online or sold to their competitors. These competitors could exploit intellectual property, minimally underbid their rival business to steal clients, and reveal information that would lower their rival’s standing in their industry.

And consider the financial risks. Even small businesses keep an astonishing amount of financial information on hand. Although customer transactions with a business may be encrypted, customer payment information is usually still recorded in their databases, and oftentimes those records are not encrypted. And beyond the customers, there is often a gold mine of internal financial information stored on business’ databases, with no limits on access beyond a departmental block or a simple password. If a criminal were to access this information, not only would the business and/or its customers take a serious financial hit, the business’ reputation would suffer and it would likely lose existing and future customers as a result.

There are more risks beyond these, but hopefully these examples illustrate just how important it is for your business to have strong defenses in place against the criminals that may even now be trying to access your information. And the best way to ensure that you have the right defenses for your business, and that those defenses are doing their job, is by conducting regular penetration tests.

Testing Your Defenses

When a penetration test is planned, the scope and duration of the test will depend on a variety of factors, including the size of the client, the number of anticipated vulnerabilities, budget, security goals, and the business’ industry. If you have a small business with limited operations and few employees, the test might be simpler; if your business is in the financial industry and has multiple physical locations and hundreds of employees, the test may be much more involved.

A good pentesting team will be able to analyze a business’ digital structure and operations, and determine where and how the pentests will take place. Below are some of the defendable areas that a pentesting team would tackle. 

1. Network Infrastructure. Probably the most common target of pentesting, the network’s potential vulnerable points – firewalls, routers, servers, switches, and more – are researched and tested using both an external (pentesters have only publicly accessible info to start) and internal (pentesters have access to privileged information) approach.
2. Wireless Networks. Onsite wireless networks need testing to ensure that devices connected to the business’ wifi would not give criminals access to unauthorized data. The pentesters would check for lax encryption, device monitoring, wireless network structure, weak passwords and more.
3. Web and Mobile Applications. Web and mobile applications are the means by which businesses and their customers interact, and by their very nature are porous and vulnerable to attackers trying to access information. App pentesting is often very labor intensive for that very reason, as the pentesters must investigate every app endpoint that is open to user interaction.
4. Employee Awareness(Social Engineering). According to PurpleSec, a whopping 98 percent of cyber attacks rely on social engineering, where the criminals trick users into revealing security information to them, such as passwords or network information. Pentesters will often use phishing, vishing (voice-based scamming), and smishing (text-based scamming) to test a business’ employee training and internal security safeguards.
5. Physical Safeguards. Though not often exploited, a criminal could quickly and easily cause havoc if they gained physical access to a business’ devices or servers. The pentesting team would attempt to gain access to the business’ buildings, servers, and infrastructure, looking for locks, ID checks, and other defenses.

Strengthening Your Defenses

Penetration testing, when performed on a regular basis, can help your business identify the weaknesses in its digital defenses. If the pentesting team has done their job well, they should provide your business with a thorough report of their methods, their findings, and their suggestions for risk remediation. From there, the next steps are up to your business’ leadership, to take action on these suggestions and shore up the vital defenses that will keep your business running smoothly and safely into the future.

In this digital era, no business can afford to have a lax approach to information and digital security. The stakes are too high, and the consequences too serious, for business owners and leadership to ignore possible cybersecurity threats. Fortunately, with a good pentesting team, and a leadership team willing to learn and take action when needed, any business can build up its digital defenses.

The best penetration test is only as good as the report that comes out of it. Learn more about translating your l33t skills to written word with our “Writing a Killer Penetration Test” white paper.