Why have a penetration test?


Overview

One of the main services that TeraByte offers is a penetration test, or pen-test.  A pen-test evaluates the security of a business by using the same tools and techniques that malicious attackers would.  By scanning the network and associated web applications, a security consultant can check the operating system, network, services and other devices that have been found, and then look for vulnerabilities which may lead to compromise.

A pen-test can be useful for a business as it helps validate how effective its security policies are and also identifies any weak areas, such as weak passwords and/or the use of default credentials on systems.

There are several ways that a pen-test can be performed; typically it is automated, manual or hybrid (the use of automation tools with manual verification and exploitation).  At the start of the process, a security consultant will enumerate the environment by scanning and by passively listening to events on the network to see what information can be obtained, as this can help in later stages.

After the scanning has been completed, many vulnerabilities may have been found within the network and/or web application. These will aid the security consultant in attempting to compromise the environment and obtain higher-privilege credentials, which may help in obtaining confidential information. At the end of the test, the business will be provided with a report detailing the risk to the business and any vulnerabilities that have been found.

Benefits of having a pen-test

Performing regular penetration tests offers many benefits to the business, some of these being:

  • Identifying the information security stance of the business
  • Often uncovering systems or applications which are no longer needed
  • Verifying information security policies
  • Helping with insurance cover
  • Minimising compromise from vulnerabilities
  • Avoiding costly network downtime
  • Proving to customers that your business takes security seriously

Having a pen-test ensures that your business is properly covering itself and ensures that you are patching systems and services with the latest patches, which will help reduce the vulnerability footprint for attacks.

You may ask yourself: what’s the point in having a test if I already have all this expensive hardware on my network? Quite simply, to ensure you are fully protected. Are you certain that you have installed the latest updates to all your hardware? Have you changed the default credentials? Have you configured the rules beyond the default set?  These are all valid reasons why you should have a pen-test: to verify that you are doing everything you can to safeguard your information.

It will never happen to me.

You may be reading this post and thinking to yourself: I’ve never had a penetration test before, do I need one now? It will never happen to me.  All you need to do is look at the news and see how many breaches are being reported.  The latest one is the Equifax security breach, which was through a server which hadn’t been patched against the latest vulnerabilities.

Be safe: ensure that you obtain third-party confirmation from a penetration testing company like TeraByte. It could save you a lot of money in the long run.

How much does a test cost?

Unfortunately, with penetration tests there is no clear-cut answer to this. It can depend upon several questions, such as:

  • How many IPs are going to be tested
  • How many web applications
  • How many networks

When you speak to the company who will be performing the test, they will go through a scoping call to ask you these questions and more, to establish what will need testing and work out a quote for your business.

Be prepared, however: expect the test to be expensive. Most of the time, tests will range from 3-5 days or more, and the price tag will be associated with this.

Where to go from here?

So, you’ve read this blog and you’re interested in obtaining your first penetration test. What do you need to do?

Contact TeraByte at: https://terabyteit.co.uk or 01325 628587 and ask about their services. A security consultant will talk you through the process, perform the scoping call and, more importantly, give you the price.

For more information, you can visit our cyber security services pages at: https://terabyteit.co.uk/services/cyber-protection/cyber-security/