4 Requirements for a Beneficial Penetration Testing

These days, penetration testing is no longer a luxury for a Fortune 500 company. The evaluation of security by deliberately letting ethical hackers penetrate a network is expensive if the company only see the short-term gains. But if the company prevents a cyber attack or at the very least minimize the damages and records breach, then the cost of pen test is well worth it, not just for a big company but for SMEs (Small and Medium Enterprises). Firms need to determine what specific cybersecurity product or service to sign-up for and it can only be done if the company knows its own network and computer weaknesses.

Investment for cyberdefense is more important today, with the EU GDPR in full swing of implementation. Of course, budgeting for it needs to be determined in order not to overspend. This article will give a few tips on how to evaluate a worthwhile pen testing:

• Use a reputable penetration test team.

Who is the right ethical hacking team to perform the penetration testing? This is the first question to ask, as it is clear that no firm is invincible and immune from a cybersecurity attack. This day and age, the good ethical hackers that perform corporate pen testing are self-taught, no university teaches high-quality penetration testing. For decades, self-taught ethical hackers have build-up their knowledge and experiences which no school or certification exams can match. The organization can coordinate with their local association in their industry on what ethical hacking team to hire, based on their experience.

• Create a plan about the coverage of the pen test.

Define the IP range and subnet masks that will be included in the testing.

1. Will the pen test only cover private IP addresses, or it will include testing of public IP and public domain name (that the company owns)?

2. What specific application programs that will be included in the test? Are they custom-made apps for internal use by the organization or commercially purchased software from a 3rd party vendor?

3. Are the employees of the organizations using the software and IP range will be subjected to a pen test as well, using social engineering? If yes, will there be exemptions to the test? (A test social engineering attempt is done without a prior notice to the employees themselves, to simulate a real phishing/social engineering attack).

• Transparency of penetration testing

The penetration testing can be done in two ways:

1. The open-ended pen test where the ethical hackers will be given a lower privileged access to the systems that they will attack. This is very useful to determine the possibility of a privilege escalation vulnerability. Privilege escalation is a weakness in the system where a lower privileged user or app, by using clever tricks can gain power user or administrative access to the system.

2. Close-ended test where the ethical hackers are hired to simulate an external attack. The ethical hackers will operate as outsiders that will try to penetrate the covered areas for the pen test, and check if they be successful in infiltrating the target without prior access to the system themselves. This type of testing is very important to determine the readiness of a network and computer systems to unknown threats like future virus infection, security breach and information theft.

• Regularly Scheduled pen testing

A penetration test like tuning-up a car should be a regularly scheduled event. It cannot be a one-time episode, as cyber threats continue to evolve and improve. Proper scheduling needs to be carefully planned so as not to create unwanted downtime, especially for critical systems that run 24/7. Cybersecurity attacks can be minimized in the organization if it practices the principle of the least privilege. Only those roles in the organization that needs access to a system for their job should be given access. A dormant yet valid login credential to a system is dangerous to have, as it widens the attack surface. The goal of all organizations is to continue using their established network and computers with the least risk as much as possible, and it can only be achieved by lessening the attack surface as much as possible.