Benefits of penetration testing
Wednesday, February 23rd, 2011
One of the questions that we get from time to time is “Why should I conduct a penetration test?” Undoubtedly every business works in a different way and the value of conducting a penetration test varies in each case. Some businesses might manage IT security in a different way than others and therefore a penetration test might be relevant in different ways. However, it is possible to find some common ground which will almost certainly apply to every organization.
The following list shows the main benefits of penetration testing:
For many organizations the foremost benefit of commissioning a penetration test is that it will give you a baseline to work upon in order to mitigate the risk in an structured and optimal way.
A penetration test will show you the vulnerabilities in the target system and the risks associated to it. An educated valuation of the risk will be performed so that the vulnerabilities can be reported as High/Medium/Low risk issues.
The categorization of the risk will allow you to tackle the highest risks first, maximising your resources and minimizing the risk efficiently.
Business continuity is usually the number one security concern for many organizations. A breach in the business continuity can happen due to a number of reasons. Lack of security is one of them.
Insecure systems are more likely to suffer a breach in their availability than secured and hardened ones. Vulnerabilities can very often be exploited to produce a denial of service condition which usually crashes the vulnerable service and breaches the server availability.
Penetration testing against mission critical systems needs to be coordinated, carefully planed and mindful in the execution.
Penetration testing is an effective way of ensuring that successful highly targeted client-side attacks against key members of your staff are minimized.
Security should be treated with a holistic approach. Companies only assessing the security of their servers run the risk of being targeted with client-side attacks exploiting vulnerabilities in software like web browsers, pdf readers, etc. It is important to ensure that the patch management processes are working properly updating the Operating System and third party applications.
A security breach could affect not only the target organization, but also their clients, partners and third parties working with it. Taking the necessary actions towards security will enhance professional relationships building up trust and confidence.
The compliance section in the ISO27001 standard requires managers and system owners to perform regular security reviews and penetration tests, unertaken by competent testers.
PCI DSS also addresses penetration testing to relevant systems performed by qualified penetration testers.
A snapshot of the current security posture and an opportunity to identify potential breach points.
The penetration test will provide you with an independent view of the effectiveness of your existing security processes in place, ensuring that patching and configuration management practices have been followed correctly.
This is an ideal opportunity to review the efficiency of the current security investment. What is working, what is not working and what needs to be improved.
A good PR and brand position built up during years and with considerable investment can be suddenly change due to a security breach. Public perception of an organization is very sensitive to security issues and can have devastating consequences which may take years to repair.
As this post explains, there are very valid reasons to perform a penetration test in your infrastructure. Contact us if you need some more details on how we can help you.