What is penetration testing? TechTarget defines it as “a tool for testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit.” Also called “pen testing,” the goal is to spot those vulnerabilities before a hacker does.
Health Data Management’s recent slideshow offers the following tips to help folks better understand and implement a penetration testing program:
Protect the Home
Think of your network systems, application software, or whatever else you want to make hacker-proof, as your house. Conducting a pen test is akin to hiring a security expert to see if he can break into your house, and then tell you how he did it. This allows you to identify and repair your own security weaknesses before someone malicious has the chance to exploit them.
Often confused with port scanning, penetration testing actually goes further and attempts to use those weaknesses to gain entrance to your systems. In other words, penetration testing is hacking with permission, or “ethical hacking,” with the obvious goal being for you to hack yourself before someone else hacks you.
Here are the top five reasons to get a penetration test:
- Make your network as secure and hacker-proof as possible;
- Comply with regulations (this could apply to your company or one of your clients operating in a regulated field);
- Establish a baseline;
- Test existing security systems; or
- You’ve already been hacked.
Hopefully, you don’t wait until reason number five forces your hand.
Essentially, anything that holds, transmits, or transfers data can be penetration tested. Some examples include websites, mobile apps, wireless systems, phone equipment, games, servers, routers, firewalls and security systems.
A penetration testing vendor should combine penetration testing with vulnerability assessment to identify and validate threats or weaknesses that could compromise your IT security. IT security experts should use best-in-class scanning tools to perform vulnerability assessments that identify the highest potential risk to your environment, and conduct penetration testing (ethical hacking) to manually simulate real-world network attacks, mimicking the tactics employed by malicious outsiders.
Proper penetration testing should be conducted from both outside and inside the network, as well as wirelessly, with special consideration given to specific areas most often exploited by hackers, including bugs in software, password weaknesses, and errors in design and configuration.
For more information on pen testing, see the full Health Data Management slideshow.
IT SECURITY SUPPORT: Blue Mountain Data Systems provides IT Security Support Services for Federal Civilian Agencies. Looking to find Vulnerability Scanning and Testing, Penetration Testing, Risk Assessment & FISMA Reporting for your Federal Agency? Call Paul Vesely at 703-502-3416.