Getting your organisation’s cyber security to an acceptable level is difficult, especially if you’re not particularly familiar with the subject. One common term that often crops up in discussion is ‘penetration testing’. But what is it?
A penetration test – or pen test – is a controlled, authorised attack on a computer system, designed to find security weaknesses that could be exploited to gain access to the system, its functionality and its data. Pen tests combine a range of methods and tools, and should be conducted by suitably qualified testers working to an agreed scope.
As a broad definition, this is easily understandable, but many people are overwhelmed when they try to research further, and ultimately end up saying, “Forget about it”.
Because of this, I thought it would be beneficial if I provided a concise explanation of what a penetration test is and how you get one, without going into too much technical detail.
Do I need a penetration test?
Yes. Depending on your business operations, you may be contractually or legally obliged to carry out penetration tests: the PCI DSS, for example, requires regular penetration testing of the cardholder data environment, and schemes such as ISO 27001 and Cyber Essentials expect you to assess and manage your technical vulnerabilities (see our information pages on the PCI DSS, ISO 27001 and Cyber Essentials for further details). But even if you have no legal or contractual obligation, that shouldn’t stop you from carrying out a penetration test.
If your organisation has any Internet-facing resources, such as a website, then a penetration test will help you find the weaknesses that an attacker could – and most likely will – use to break into your systems. If you’re thinking “the hackers won’t target me”, you’re wrong: most attacks are opportunistic, scanning every Internet-facing system for known weaknesses regardless of who owns it, and the daily lists of breached organisations bear this out.
Geraint Williams, head of technical services at IT Governance, recently said: “Without knowing the state of your security, how can you develop and improve? Knowledge of your attack surface area can help you develop and implement a security programme.”
How much should I spend?
The price range for penetration testing services is vast. One organisation might charge you £100 and another might charge £10,000. But, like so many other things in life, cheapest is rarely best. It’s therefore important that you research an organisation’s credentials before you buy.
The Council of Registered Ethical Security Testers (CREST), for example, verifies that member organisations meet the rigorous standards it mandates. A list of approved pen testers is published on the CREST website (http://www.crest-approved.org/).
The cost of a penetration test will usually increase with its scope, so it’s important that you know what needs to be tested before you compare prices. For example, a test of 20 IP addresses will be more expensive than a test of ten, and a test that includes authenticated access to an application will cost more than an unauthenticated one.
How do I know who to trust?
It’s no surprise that this question is so frequently asked. If you’re going to give someone permission to break into your organisation’s network or applications, you need to make sure you can trust them. As mentioned above, CREST-approved vendors have been independently assessed against published standards, so when searching for a penetration testing supplier I strongly suggest you use CREST’s list of approved vendors.
What type of penetration test do I need?
The answer to this depends on what Internet-facing resources you have and what assets you want to protect. If you are considering a penetration test, you should first conduct a risk assessment and threat analysis. You’ll then have the information you need to decide which systems and applications need to be tested, and to agree a clear scope with your tester.
Does IT Governance offer CREST-accredited penetration services at low prices?
I’m glad you asked. Yes, we do. IT Governance is a CREST member company. Our testers have qualifications such as:
- CREST Registered Tester
- EC-Council CEH (Certified Ethical Hacker)
- CSTA (Certified Security Testing Associate)
- CSTP (Certified Security Testing Professional)
IT Governance offers several packaged solutions for penetration testing, but we also offer a bespoke solution. To find out more, give us a call on 0845 070 1750 for a friendly chat about your penetration testing needs.