Why You Don’t Really Need Penetration Testing… at Least, Not YET
By Jeremy Louise | October 23rd, 2019
Coming from a family that has been proudly serving the greater Boston area with innovative, technology-based solutions since 1989, a big part of my life involves staying up-to-date on everything going on in the IT space. When I’m not fielding calls with potential clients or helping existing ones better accomplish their long-term goals, I’m pouring over articles and other resources about the latest tips, tricks, trends and best practices that I feel I might be able to put to good use.
Because of that, cyber security is obviously a big focus of mine and to that end, there’s a recent topic that I’ve seen written about extensively that I’d like to take the time to further discuss: penetration testing.
At its core, penetration testing is the act of testing either a computer system, a network or even a web application in an effort to find the types of vulnerabilities that a hacker might try to one day exploit. You may have heard it referred to as “pen testing” for short or, in certain cases, “ethical hacking.” In essence, it’s a play on a piece of wisdom Sun Tzu wrote many years ago – “to know your enemy, you must become your enemy.”
In theory, this type of “white hat” hacking attack makes perfect sense. By gathering information about the target during the test – and by identifying possible entry points that someone might use to break in – you put yourself in a better position to seal up those gaps and prevent someone from using them against you in the future. But in practice… it’s not something that the vast majority of all small business owners out there will actually need to spend time worrying about… At least, not yet.
The Types of Penetration Testing
Generally speaking, there are two main types of penetration testing that most people would take advantage of: external and internal.
External testing, as the name implies, is the process of assessing the outward-facing assets for an organization. This is when an assessor would try to gain access into your internal network, for example, by leveraging certain vulnerabilities that can be exploited. They may also try to gain access to sensitive data by way of things like email, your website and even file sharing services that you’re using.
Internal penetration, on the other hand, tries to figure out how far an attacker can move THROUGH your network once that internal breach has occurred. So if external testing is all about figuring out how someone might get into the network in the first place, internal testing is about assessing the damage that can happen once that has already occurred.
In a larger sense, penetration testing of all types are all about identifying vulnerabilities that you definitely aren’t already aware of – if you were, you would have taken steps to patch them ages ago. But for many businesses, it’s also a critical verification of your current security systems. Are all of your security solutions coming together to address potential gaps in coverage? Penetration testing will tell you.
This is also a great way to validate your larger security strategy. Are you being routinely patched and updated? Do you use updated, proactive antivirus solutions? Do you have adequate policies in place to mitigate or all together address the myriad of threats that could occur? If the answers to all of those questions were “yes,” it may be the time to put verify you assumptions with a pen test. If you THINK you know the answers to those questions, your penetration testing results will probably come as quite the shock and likely need a security assessment beforehand.
Overall, penetration testing is a great way to A) make sure that your current strategy actually addresses the types of threats you face, and B) makes sure that your security policies are as effective as you originally thought they were.
Why Do You Need Penetration Testing?
Organizations often need penetration testing for a number of different reasons. Sometimes it’s a compliance requirement – and to that end, there’s really no getting around it. Certain levels of PCI require it, for example, as do the upcoming NIST 800-171(b) requirements which will be released some time next year. Other times it’s a vendor-driven requirement, which is equally valid.
But more often than not, bad IT marketing makes you think you NEED it… when you really don’t. Of course, you always want to make sure that you and your people are safe – that is always a valid concern. But sometimes penetration testing won’t actually give you the level of insight you think it will, meaning that you’ll end up paying a significant amount of money for something that isn’t nearly as helpful as you need.
Why You Don’t Really Need Penetration Testing… Yet
Having said all of that, in my humble opinion penetration testing isn’t really necessary in a wide variety of different situations that are probably applicable to your business.
If you already know you have existing security vulnerabilities, for example, why go through the trouble of penetration testing? You’re going to pay a significant amount of money simply to confirm what you already know. If you KNOW you have vulnerabilities or security-related solutions gap, penetration testing is largely useless. You’re already aware of what you don’t have.
Instead, work with your MSP to see where you can improve your security posture. Are you using things like vulnerability management scanning, proactive antivirus/anti-malware and similar solutions? Most importantly, are you providing end user security awareness training? If you’re not, all of these things are far more worth of your time (not to mention your money) over penetration testing.
Likewise, if you don’t actually know where to start in terms of fortifying your security posture, penetration testing is NOT the way to go. Never use a pen tester to assess where you need to address gaps as a starting point or baseline. It’s extremely expensive and you should conduct a thorough security assessment FIRST.
So When SHOULD You Conduct a Pen Test?
None of this is to say that penetration testing is something you should totally write off, because it isn’t. Once you’ve addressed all KNOWN security gaps, penetration testing begins to show its value. A pen tester will then be in a position to look BEYOND the standard security tools to find exploits or security gaps that you can then address for the maximum amount of protection.
Overall, penetration testing is something that you should typically perform on an annual basis. Once you know what to address and have taken care of all the issues that are “low hanging fruit,” so to speak, you can then get deep in the weeds of penetration testing to make sure that you’re covered from all angles.
But anyone who tells you that penetration testing is the be all, end all solution to your security needs is probably trying to sell you something or doesn’t know what they’re likely talking about; Don’t ever forget that and you’ll go far.
TSI Support International: Your IT Security Expert
If you’re not sure where to begin in terms of strengthening your security posture or you’re still not quite sure whether or not penetration testing is right for you, that’s totally okay – we might be able to help.
It's Your Move!
At this point, I'd recommend contacting either myself or a colleague at TSI Support International for your free "getting to know you" phone call. It'll help us confirm that our approaches to cyber security are compatible with one another, which will then put us in an excellent position to make sure we can help protect you AND your business moving forward.