Penetration testing is growing in popularity due to the increased interest in data privacy. Small businesses are the perfect target for these attacks because they’re more likely to have a door open on their network that could give an attacker entry into customer data. Read more to learn about penetration testing and how it can give you an added layer of protection if used as a tool for cybersecurity.
Q: What is penetration testing?
A: Penetration testing has become a popular trend in recent years due to the rising amount of cyber attacks and data breaches. In order to understand possible weaknesses in systems or networks, one needs to think from the perspective of an attacker. Companies can hire cybersecurity specialists that can think in the mind of a hacker and try to break into a system. Rather than causing any damage or shutdown of service, they stop right at that moment and notate the vulnerability, along with how it is fixed. Companies don’t quite understand how many weaknesses they have when they are thinking of all the ways they normally use their system. Thinking like an attacker, their approach is outside the box and they’re able to find weaknesses with logins, open systems, and other major exploits when they start running through different attack types. Once the penetration test is finished, a report would be given to easily explain the weaknesses in a system and how they need to be corrected. A penetration test should not be a one-time thing, because cyberattacks are becoming more and more advanced each day. Thousands of new exploits are being discovered each week, and not every single one is patched. Consider annual assessments to check for new faults or previous faults that went undiscovered by the first approach.
Q: What types of penetration testing are there?
A: There are numerous approaches to penetration testing and how it is completed. The terminology stems from the white hat (good guys) and black hats (bad guys) when it comes to these attacks. Black box penetration testing is when you approach as if you were a real hacker. The tester would be given no information except the company name, and they would have to see how much information they can figure out that is available on the web, or through social engineering. Once they’ve done their reconnaissance, they would then go about trying to break into any networks or systems stealthily as to not set off any IDS (intrusion detection systems). This approach is very useful because it will give you a good idea of what a real attacker would be able to do when they know minimal information regarding the company they’re attacking. The next attack method is called white-box penetration testing. Like white hats, they are given permission for everything, including what systems they can test. The white box method gives the penetration tester all the basic information they would need like internal IP addresses and how the network is laid out. They would also be limited in what weapons they could use because of fear of system outages or services being down. On top of this, the white box method does not need to be stealthy because all parties are aware of the testing, these scans can be much more intense without worry that an IDS system will kick them off the network.
Q: What type of penetration testing should I decide on?
A: If you’re a small business black box penetration testing would significantly be more valuable with its results. Seeing what an attacker could do without any information can give you the best insight into what weaknesses exist in your systems. If you are running a business with lots of services like a webpage for customers or you are hosting sensitive data, a white box approach might be more appropriate. Even with NDA’s in place, most management won’t be too willing to let a penetration tester use their full arsenal. Especially if a simulated attack could takedown service for a little bit of time. White box penetration testing would allow you to restrict the testing to certain things like an application, a web page, or even just a single wireless network.
Q: How can my business benefit from penetration testing?
A: Penetration testing can save you from being the next big data breach. By being ahead of the attackers in spotting a weakness, you would be able to fix a possible hole in the hull of your business. This doesn’t mean the penetration tester will find every single weakness, but it would drastically make an attacker’s job harder to find a weakness if most of them are already fixed. If you want to assure your customers’ data is seriously protected, its highly recommended you get penetration testing done. Or, even at the minimum, a cybersecurity assessment. No one thinks they need penetration testing, until its too late. If the data breach is significant enough, lawsuits alone could cause your business to go under. Not to mention your company will be avoided by customers for your lack of care for their data. Don’t become the next Equifax, be preemptive with your cybersecurity and educate your business on the benefits.
This is the 7th part of an 8-part series. To learn more about cybersecurity and safe practices, check out the links below:
Phishing
Safe Internet Browsing
Social Engineering
Safe Passwords and Security
IoT + BYOD
Rogue Access Points
Penetration Testing
What to Do After a Data Breach
Next week, we will be discussing what you can do in the event that your company falls victim to a data breach. Remember to submit your questions to info@hvtdc.org.