When it comes to the security of information within businesses, one area that always seems to be missed is the identification and testing of security weaknesses within infrastructure and web applications.
When people think of security breaches, they tend to picture the stereotype of a young person sitting in a dark room in a hoodie, hammering at a keyboard to gain access to something. However, this is not normally the case.
Security breaches are normally achieved through weaknesses within the business, whether that is poor programming in web applications, weak or non-existent patching and security hardening routines, or even insider threats.
Undertaking a penetration test will help identify the weaknesses within the infrastructure of your business and, if applicable, your web applications. Once these weaknesses have been identified, the business can work to resolve them and increase its resistance to future threats.
What’s involved in a penetration test?
Now that you have identified that a penetration test would be a good idea for your business, what is involved in undertaking one?
- Identifying the scope of the testing: This is an important aspect that is agreed with the testing company before any work is started. Understanding what can and can’t be tested is key.
- Signing paperwork: Paperwork needs to be signed between the testing company and the customer. This will normally involve Non-Disclosure Agreements, Confidentiality Agreements, Terms and Conditions and the actual scoping document / job sheet. These documents cover both parties.
- Agreeing the date, time and length of the test: The business should decide whether it is going to make employees aware of the test, or take this opportunity to see how well its employees react to any unknown threats.
- The actual penetration test is undertaken by the testing company over several days / weeks.
- The test is completed, and a report is written up and sent to the customer.
- The customer has a follow-up call with the testing company to talk through the report (if required).
After the test
After the penetration test has been completed and the report has been received, it's important for the business to fully read and understand the document and to resolve any outstanding actions as soon as possible. The business should pull together the department heads, such as infrastructure, networks and development, to understand the issues that have been flagged and how they will resolve them. Sometimes making simple process changes will help resolve issues quickly moving forward.
How often should I have a test?
TeraByte recommend that you should have a penetration test at least annually, as a lot of things can change over a year. Depending upon the business or web application, having quarterly tests may be beneficial.
TeraByte is an information security company who specialise in performing penetration tests of both internal infrastructure and web applications. If you would like a quote for a test, or would like to know more about how a penetration test would work for your business, please contact us for further information.