What is penetration testing and why is it important for businesses?


The rise of information technology has also led to a rise in cybercrime. In addition to preventing intruders from forcing their way into a building and stealing a safe, companies now also need to prevent unauthorised access to their networks.

In the same way that an organisation hires a security expert to probe for vulnerabilities in the locks, cameras and alarm system of its premises, businesses also hire experts to look for weak points in their data management and information systems. This process is commonly referred to as penetration testing (also known as pentesting or a white hat attack).

Because security systems are only as strong as their weakest vulnerability, penetration testing has never been more important. So how can you use it to assess the strength and security of your information and data systems?

What is penetration testing?

Penetration testing is a practical method of assessing the strength of a company’s security systems by simulating an attack.

Hackers and malware will attempt to abuse gaps in security to exploit weaknesses and gain entry into a system in what’s known as a data breach. Closing these holes is essential to stop the unauthorised accessing of data on the business network. Penetration testing identifies these frailties with rapid precision, empowering the organisation to make the appropriate changes.

All professional bodies in the UK are expected to work in collaboration with the National Cyber Security Centre so that security measures reach a certain standard. This also ensures that these professional bodies stay on top of the latest threats and the countermeasures required to stop them.

In short, penetration testing stops hackers from gaining access to company systems by exposing weaknesses and allowing the appropriate authority to take preventative measures.

How does a penetration test work?

A standard penetration test usually encompasses these stages:

  1. Surveying – the first stage of testing involves scouting out the network and reviewing the publicly available information that could later inform a plan of attack. Both social engineering and research could be employed at this early juncture.
  2. Scanning – specific tools, applications and techniques are applied to the network in order to form a more comprehensive view of its strengths and weaknesses. Tests often employ malware and email viruses to gain access to the systems, which then report back whilst exploring the recesses of the network.
  3. Access breach – this stage of the test is when the security personnel make their move and attempt to gain entry into the systems. Known frailties that may not have been patched and other complex techniques are often utilised in this process. Sometimes passwords are even gained through lapses in procedures or individual carelessness.
  4. Retaining access – after the simulated attack has opened a gateway into the network, the testers will attempt to create more pathways into the system and open up applications and password-protected data vaults held within.
  5. Removal of evidence – whilst in the system and upon leaving, the testers will attempt to hide their presence and then scrub away any data files that could be linked to their technical or personal details.

When the test has been completed, the company should have a clear and well-defined view of its systems’ problems.

What are some examples of penetration testing?

Amongst the most prevalent types of penetration testing are the following exercises:

Network testing

An attempt to break into an organisation’s network. These simulated attacks are run remotely and attempt to gain access through emails and file transfer protocols. This is the most in-demand type of test.

Web application testing

Akin to the network test, this activity focuses on attempting to exploit specific vulnerabilities in public-facing software. Imagine a company has a login site for customers where they can pay and alter details. How effectively is this being protected?

Wireless testing

This involves probing the company’s Wi-Fi and the devices on the network such as laptops, smartphones and tablets looking for easy access and potential breach points.

Social engineering tests

These can range from phoning a company with false credentials to sending fake emails from spoofed addresses requesting information. All these tests involve pretending to be an authority in order to gain the details necessary to access a system.

Why does penetration testing matter?

Regular penetration testing can greatly influence an organisation’s resilience to unauthorised access attempts. Some of the individual facets this process helps fortify include:

Active practical experience for support staff

Many companies choose to treat penetration testing almost like a fire drill, co-ordinating team responses and timing different reactions. Such practices help build a sense of togetherness and mutual reliance between those responsible for data and systems.

Compliance with GDPR

With the increase in fines at the Information Commissioner’s Office’s (ICO) disposal, ensuring the sanctity of company data has never been more important. Failure to properly protect information, especially that of private individuals, is seriously frowned upon by this authority. Penetration testing offers valuable insurance against these financial penalties.

Targeted budgeting

Every department in a business has to justify its spending. Penetration testing allows those responsible for information systems to build a valid business case for remediating vulnerabilities and improving robustness. Detailed planning based on real-world data is likely to create a compelling argument for change.

Qualified second opinion

There’s a reason why companies that are implementing ISO certification use external auditors: it’s incredibly difficult to get a real perspective on your own work. Often stakeholders within an IT or document management department can miss obvious procedural errors. Penetration testing, when performed by a third party, gives invaluable insight into the real state of a company’s security.

Penetration testing and data security

Unfortunately, when a company does not address a system’s vulnerabilities, hackers can find access points that can lead to data breaches, such as the famous 2013 Yahoo breach in which over 3 billion user accounts were compromised.

The consequences of such a breach can be serious, which is why so many businesses engage in penetration testing. Such testing should also be complemented with an information security management system, which can help you protect your customers’ confidential data and make sure your systems are secure.

You can find out more about information security systems and how they can help your business with our free online course.

Written by Elizabeth Sheldon

ISMS Scheme Manager - Experienced Senior Lead Auditor with a demonstrated history of working in the information services industry. Skilled in ISO 27001, ISO 9001, ISO 14001 and ISO 45001.