Every year, high profile cybersecurity breaches dominate the headlines. But, it’s not just big brands that are at risk, smaller companies are becoming increasingly vulnerable to cybersecurity threats.
A 2019 Government survey shows that 32% of UK businesses reported a cybersecurity breach or attack. A security breach can have a widespread effect – negatively impacting brand reputation and severely undermining consumer trust. Whatever your industry, cybersecurity and proactively testing your network and assets should be a priority.
We answer some of the most frequently asked penetration testing questions.
What is penetration testing?
A penetration test, or pen test, is a form of ethical cybersecurity assessments designed to simulate real-world attacks to uncover security gaps or vulnerabilities that could be exploited.
Pen testing can be performed manually or the process can be automated through software applications but the goal of a penetration test is to identify and ethically exploit any weaknesses in the security of a business’s computer systems, networks or applications to help mitigate the risk of potential cybersecurity breaches.
What are the benefits?
Regular pen testing is a crucial component of cybersecurity, offering businesses visibility of real-world security vulnerabilities. Testing can help business to:
- Identify vulnerabilities before cybercriminals
- Comply with industry standards and regulations
- Mature infrastructure and demonstrate commitment to security
- Avoid data breaches – breaches can have a lasting impact on consumer trust, and this can be costly to businesses. Attracting new customers costs more than retaining them. Similarly, returning customers spend more than new ones.
What are the different types of penetration testing?
There are many different types of pen testing; each focusing on a particular aspect of a business’s IT infrastructure. Below are just a few examples:
Network penetration testing
Network pen testing aims to identify exploitable networks, systems hosts or devices (such as routers or switches) to find potential vulnerabilities and can be performed from two perspectives; external or internal. An external network (or infrastructure) penetration test is designed to identify any weaknesses in a company’s assets that are visible on the internet, where an internal penetration test simulates an ‘attack’ from inside the company’s network.
Web application penetration testing
Where there is some cross over between network and web application pen testing; web application pen testing – or web application security testing – aims to assess the architecture and design of applications (such as websites) delivered over the internet.
Mobile app penetration testing
Mobile app pen testing – or mobile app security testing – is the security assessment of applications that run on mobile device platforms and operating systems.
What are the test methods?
There are two significant methods of testing; black box testing and white box testing. Black box testing is a functional or non-functional approach where a third-party tester is not given any information about the asset – such as the underlying code or structure – simulating real-world conditions.
Where black box testing focuses on functionality, white box testing focuses on the code and structure. The internal structure, design, and implementation would be available to the tester and would be used to pinpoint known vulnerabilities.
How often to perform a penetration test?
Performing a penetration test is not a one-time task. Networks and applications are dynamic and security threats are ever-evolving however, the frequency of performing penetration tests depends on multiple factors including, the size of the business, budgets, and infrastructure. In brief, companies are recommended to conduct a penetration test at least once a year, as well as after any major updates to the network infrastructure, systems or software.