What is Pen Testing?

A Pen test is when a non-malicious actor attempts to compromise your company’s security by simulating cyber attacks on computer systems, networks, applications and people, in order to discover any vulnerabilities that could be exploited. This is a process known as Ethical Hacking.

Unlike a malicious security breech, when an ethical hacker discovers vulnerabilities, they are reported back to the company so that the issue can be fixed before it can be discovered by someone else who would want to harm the company. This fix might include a security update to software, a new or updated firewall, or a policy on how staff should behave, to prevent it happening.

What does a Pen test involve?

There are different types of Pen testing, including Both External and Internal cyber-attacks, social engineering, and physical security. The most common type of test checks to see if you are vulnerable from the Internet, and will include testing of firewalls and security software to ensure they are providing the protection needed.

Social Engineering looks at how susceptible staff are to being manipulated by confidence tricksters into revealing sensitive company information, or inadvertently granting access, either in person, or online via phishing scams.
Physical security looks at how easy it is for someone to infiltrate the premises. Do all Employees wear ID badges, are sensitive files kept locked when not needed, and is access to high security areas of the office restricted by a lock or electronic access system.

What isn’t Pen testing?

Pen testing, even if a vulnerability is found and fixed, is not a guarantee that there are no vulnerabilities. Tests will usually have a specific scope, agreed on at the planning stage, and it’s important not to forget that other potential risks may exist outside the scope of what is being tested. There’s no point installing high security locks on all the doors if you leave a window open.
New threats are a constant in the cyber world, and even the best Pen testers may not be familiar with all the tools a malicious actor might have at their disposal.

If you’ve already considered security, why is Pen testing important?

Pen testers are professionals trained in knowing how to look at all the different potential avenues of attack. We are all only able to prepare for things we know are coming. Pen testers are able to investigate, test and brief you on a wider range of attacks that previously might not have been considered.

When should you Pen test?

There’s no time like the present. If you don’t already review your company or cyber security, then the time to put some testing in place is now. The type of testing needed will vary, depending on what tools and processes are used, but it’s recommended that for most situations, testing should be conducted between one and four times a year, and that both cyber and physical security should be included and reviewed in that time.

There’s no such thing as 100% secure, but reasonable steps can be taken to ensure a company is as close to that goal as is practical. If you'd like to discuss Pen testing, whether you're a client of ours or not, please contact us here.