A penetration test — or pen test, for short — is a simulation of a possible cyberattack against an IT system performed by a professional with no malicious intent. The main purpose of such tests is to find exploitable vulnerabilities before anybody else does so that they can be patched and addressed accordingly.

A pen test should end with the presentation of a formal document explaining and detailing all the findings. This document should contain at least two main sections: an executive summary where the tester or testers explain the process and findings in a high-level manner, and a technical summary where the more in-depth details can be explained.

Pros and Cons of Penetration Testing

Nowadays, companies of all sizes have a network presence, and the internet has made it easy for attackers to engage with companies around the world. A cyberattack can damage a company in many ways, not just economically. An organization’s brand, reputation and even intellectual property could be affected.


A penetration test can help an enterprise build a more robust and reliable security posture. With that said, not all companies should engage in a pen test, since they aren’t always particularly beneficial. Because of this, it’s important to evaluate whether or not a pen test will have value for your company.

Potential benefits of a pen test include:

  • Identifying possible security holes before an attacker can;
  • Identifying possible vulnerabilities in a network or computer program; and
  • Providing information that can help security teams mitigate vulnerabilities and create a control mechanism for attacks.

Some of the potential drawbacks are:

  • Outages to critical services if the pen test is poorly designed or executed, which can end up causing more damage to the company in general; and
  • Difficulty conducting pen tests on legacy systems, which are often vital to businesses.

When Should You Pen Test?

Some companies make the mistake of starting a pen test too early on a network or system deployment. When a system or network is being deployed, changes are constantly occurring, and if a pen test is undertaken too early in that process, it might not be able to catch possible future security holes. In general, a pen test should be done right before a system is put into production, once the system is no longer in a state of constant change.

It is ideal to test any system or software before it is put into production. Most companies do not adhere to this recommendation because they are eager to get their return on investment (ROI) quickly. Companies might also fail to follow this best practice because a project has exceeded its deadline or budget. These factors make companies eager to push their new services live without having conducted the proper security assessments. This is a risk that needs to be evaluated and put in perspective when deploying new systems.

How Often Should You Pen Test?

A pen test is not a one-time task. Networks and computer systems are dynamic — they do not stay the same for very long. As time goes on, new software is deployed and changes are made, and they need to be tested or retested.

How often a company should engage in pen testing depends on several factors, including:

  • Company size. It’s no secret that bigger companies with a greater online presence might also have more urgency to test their systems, since they would have more attack vectors and might be juicier targets for threat actors.
  • Budget. Pen tests can be expensive, so an organization with a smaller budget might be less able to conduct them. A lack of funds might restrict pen testing to once every two years, for example, while a bigger budget might allow for more frequent and thorough testing.
  • Regulations, laws and compliance. Depending on the industry, various laws and regulations might require organizations to perform certain security tasks, including pen testing.
  • Infrastructure. Certain companies might have a 100 percent cloud environment and might not be allowed to test the cloud provider’s infrastructure. The provider may already conduct pen tests internally.

Pen testing should not be taken lightly; it has the potential to provide a critical security service to all companies. For some organizations, it might even be mandatory. But a pen test is not one-size-fits-all. Ultimately, understanding the company’s line of business is fundamental to successful security testing.

