Many businesses are receiving penetration tests today, and you might wonder why. What kind of benefits will a penetration test provide your business? Is it worth it? As a managed service provider, we often recommend that clients receive penetration tests in addition to managed IT support.
This is because penetration tests offer a different value than the services provided by an MSP. Even if you don’t have an MSP supporting your business but rely on in-house IT support instead, having a penetration test done on your business is very advantageous. To learn more about what a penetration test is and whether or not it is worth having one done on your business, check out the rest of this article.
A penetration test identifies vulnerabilities and weaknesses within the tested area and attempts to exploit security controls, authentication mechanisms, and configuration permissions to attack the environment. The goal is to identify vulnerabilities before a malicious actor can exploit them. An Ethical Hacker performs the penetration test.
The Ethical Hacker’s job is to test every possible way to get into your company's network, using approaches a real hacker might use. During the penetration test, the Ethical Hacker attempts to:
Every day, new vulnerabilities are discovered in hardware, software, code, and cloud environments. These vulnerabilities are published to a repository, and each year the list grows. In 2020, the list exceeded 18,000 newly published vulnerabilities.
A vulnerability assessment is an automated process that identifies whether the tested environment contains any vulnerabilities published to the publicly available list of well-known vulnerabilities.
A penetration test is a manual process identifying how an attacker could move laterally through an environment to escalate permissions, access sensitive information, or compromise the environment.
See the chart below to learn more about the difference between vulnerability scanning and penetration testing.
| | Vulnerability Assessment | Penetration Test |
|---|---|---|
| Goal | Identify well-known vulnerabilities | Exploits vulnerabilities to gain access to the system and emulate a hacker-in-the-wild |
| Outcome | List of vulnerabilities by asset and recommendations to remediate | Narrative description of the attack scenario, prioritized list of vulnerabilities, detailed remediation instructions |
| Scope | Automated | Manual testing with a high skill level |
| Performed by | Primarily tool based | Experienced penetration tester (aka Ethical Hacker) |
| Value | Cost-effective method of identifying well-known weaknesses | Provides an in-depth understanding of security posture |
| Frequency | Quarterly | Annually |
| Cost | Less | More |
| Report | Baseline of vulnerabilities | Identified vulnerabilities and instructions to reduce cyber-risks |
Most businesses hire a third-party penetration tester (aka Ethical Hacker) annually. Penetration tests can also be necessary when significant changes are made to your business’s staff or infrastructure. The test can last anywhere from 1 week to 1 month. The average is 2 weeks.
Some organizations are regulated and required to perform penetration tests annually. The most common industries that are required to perform penetration tests are financial institutions and healthcare companies.
Even if your business is not required to perform penetration tests, you should still consider one. Waiting for a real-world cyber-attack is a risky and expensive strategy.
The cost depends on the scope and size of the organization. The penetration testing team identifies the critical assets and works with your business to scope how long it will likely take to test the environment. Most engagements last one to two weeks and are provided as a fixed-price contract. Actual pricing is provided in a written proposal after the scoping meeting.
When you receive a penetration test, your business will better understand any vulnerabilities in your environment. Here are the top 5 security benefits you receive by performing a penetration test on your business:
Additional reasons to perform a penetration test:
Penetration testing is a proactive approach to improving your security year after year and threat after threat. It is a great way to test your current cybersecurity tools and enhance them based on your penetration assessment.
Penetration testing is performed by Ethical Hackers who are specialized information security professionals. These IT professionals are hired to test the environments managed by an MSP. An Ethical Hacker, aka Penetration Tester, emulates a hacker-in-the-wild to identify security weaknesses in networks, cloud, wireless, and web application environments.
In other words, Ethical Hackers use the same tools and techniques as malicious actors to circumvent the security controls that an MSP team implements.
Business leaders require an independent third party to test the resilience of networks and environments maintained by an MSP. This also ensures that the penetration test is unbiased and does not overlook any security vulnerabilities to make the MSP look better.
At Usherwood, we offer risk assessments and vulnerability assessments to clients but not penetration testing. Although we do not offer penetration testing, we highly recommend that our clients receive them to make their environment even more secure. If you are interested in learning more about how penetration testing differs from vulnerability assessments and risk assessments, check out this article: Penetration Tests vs. Vulnerability Assessments vs. Risk Assessments.