Protecting computer networks is not a ‘set it and forget it’ business. To have the best chance of remaining unscathed, a network’s defences must be continually monitored and tested. The second part of that equation is where penetration testing (commonly referred to as pen testing) comes in.
Newly released guidance from the NCSC (National Cyber Security Centre) will help those who need it determine how to go about commissioning a penetration test, and ensure the most is made of this essential but expensive resource. This can then help you to decide when you are likely to get the most benefit from penetration testing.
What is a pen test?
What you want to know is: How easy would it be for an attacker to get unauthorised access to your computer network? In essence, how safe are you from malicious attempts to break in and steal, deface or destroy something valuable to your business? Are the various security controls you have in place working together, providing the level of security you expected? And, ultimately, should you be looking to boost your security?
We’re not talking about the average home or business network here. Even if you have been gradually accumulating PCs for the last couple of decades, you’re unlikely to need a penetration test.
The kind of networks that need testing are often large-scale, complex corporate systems, possibly with thousands of machines, but definitely containing assets which MUST be protected: credit card details, personal data, secrets. These are the kind of things bad people want to steal, but also the kind of things for which you could be held to ransom.
Small businesses aren’t immune, however, and there are increasing reports of attacks on them. Pen tests, while they can be expensive, can provide some peace of mind that your systems are being protected as well as they can be.
The testers and the test
The knowledge, skills and even the tools deployed by pen testers have much in common with the ‘very particular skillset’ of the hacker. This is no accident. The pen test tries to emulate a real-world assault on your cyber defences. As a result, there is some risk of disruption, but using a good pen tester will minimise the risk.
Your choice of testers is critical. What makes a penetration test so valuable is that it deploys highly skilled human minds against your defences. The quality of these minds is what you’re paying for, so it’s important to make sure the team doing the testing has recognised technical abilities and ethical principles.
The simplest difference between a pen test and an actual attack is that a pen tester will record any vulnerabilities uncovered, document them to be dealt with, and assist the customer in finding such issues themselves. This should all be made clear to you in a way which is genuinely useful.
Ideally, you should know your own systems well enough that a penetration test only confirms your understanding. Pen tests are a fairly expensive process, and in most cases an infrequent one. So if you don’t have a “business as usual” security testing regime in place, a pen test will be of limited value.
Guidance
If you are considering a penetration test, take a look at the NCSC’s detailed guidance before you engage a team of professionals.
Along with a breakdown of the different types of pen test, they’ve also outlined how a model process would work, how to hire and brief a team, and how to make the most of their findings.
If you follow the advice laid out, you’ll be sure to get the maximum benefit from this highly specialised form of security evaluation.
Thanks to the NCSC for this information on what penetration testing is; it is a great source of cybersecurity advice from the Government at ncsc.gov.uk. Crown Copyright, content reproduced under licence.