Attempting to breach your own network, server or application may sound counterintuitive, yet that’s exactly what penetration, or pen, testing is. It’s also one of the best ways to identify and remediate difficult-to-spot security issues.
There are several reasons why you may want to perform a penetration test on your own business, and there are a couple of different ways to get the job done. Before jumping in, be sure to build an enterprise penetration testing plan so you know exactly what you’re testing, the tools that will be used and who will be conducting the tests.
The why of enterprise penetration testing
The concept of a pen test is simple: Identify a target network, server or application and try to exploit it in some way. Testing can also investigate the world of social engineering and physical security exploits.
The goal of any pen test is to identify areas of weakness and fix them before bad actors have a chance to do the same with more damaging results. Without proper penetration testing and remediation as a safeguard, security vulnerabilities can lead to unauthorized access, data theft or denial-of-service attacks.
The who of pen testing
Who ends up performing the penetration test will vary based on your enterprise’s specific pen testing needs.
Tests can be run by in-house IT staff or another common practice is to hire an outside security firm. If you’re planning to perform a self-assessment, understand it may not be nearly as thorough as a third-party tester. That said, it never hurts to run in-house assessments as a supplementary procedure to a regularly scheduled test performed by a skilled external team.
The what — tests and tools
The information provided to the test team about the target may vary from one test to another to simulate different attack angles. Additionally, tests may be run as if the attacker was directly connected to the corporate LAN — simulating malicious behavior from an in-house employee or internally compromised device. Alternatively, the tests could initiate externally from the internet to mimic bad actors attempting to breach edge security components.
A penetration test may also consist of manual or automated methods designed to exploit potential vulnerabilities. Tools may include general-purpose applications, such as a packet sniffer, or they could be products from Nessus, Aircrack-ng and the Linux tool, Hydra, among others, which offer tools specifically engineered for pen testing and scanning. Finally, several data security vendors have created their own packages of penetration tools that can be used to automate and schedule tests administered without human intervention.