Do you take Penetration Testing seriously?

Last updated by Lewis Toh [SSW] about 2 months ago.

Penetration testing is an important part of maintaining secure networks and systems - it provides a simulated and controlled way to test the strength of your security. When all your services and infrastructure are exposed to the world, how can you make sure you're safe?

Video: Do you take Penetration Testing seriously? | Rob Thomlinson & Oliver Judson | Rules (8 min)

What is Penetration Testing?

Penetration Testing is a simulated cyberattack performed by security professionals to evaluate the security of the services, systems, and networks of an individual or company. It helps companies identify vulnerabilities in their security systems, assess the potential impact and damage, and define the steps needed to fix these vulnerabilities.

Figure: Penetration Testing is an important part of securing your systems

Why do we need Penetration Testing?

It is important for several reasons:

  • By mimicking real attackers, penetration testers can identify vulnerabilities and, most importantly, provide solutions to fix these vulnerabilities before they can be exploited by bad actors.
  • Using an external tester eliminates implicit biases and assumptions, avoids conflict of interest, and uncovers security flaws that may be overlooked internally.
  • The cost to secure yourself from an attack is far cheaper than the consequences of an attack.
  • Evaluates the quality of existing policies, tools and procedures.
  • Evaluates incident response measures by measuring how well the security team detects, responds to, and mitigates attacks.
  • As attack techniques evolve, penetration tests help companies adapt and defend against emerging threats and vulnerabilities.

How can you improve your security?

Great company security starts with great user security. Here are some of the most valuable ways you can help defend against an attacker:

  1. Multi-Factor Authentication (MFA) – requiring more than one authentication method adds extra layers of security
  2. Use password managers to generate unique passwords for every service (and auto-fill them)
  3. Lock your laptop when you leave your desk. For Windows users, check out DynamicLock
  4. Avoid malware by not clicking on suspicious links and making sure the person is who they say they are
  5. Report potential breaches to SysAdmins, whether it's your personal account or a company account

Different types of penetration tests

There are 5 common penetration tests most businesses will engage a 3rd party for:

  1. Internal penetration testing - A consultant will simulate an attacker who has managed to access your internal network to evaluate security and configuration issues in your network, systems and endpoints
  2. External penetration testing - A consultant simulates an attacker trying to access any device or service that a business uses which would provide them with access to an organisation's resources
  3. Wi-Fi penetration testing - A consultant evaluates the security and configuration of your office's wireless networks
  4. Application penetration testing - A consultant looks for vulnerabilities and flaws in the design of an application. This can be done by identifying issues with APIs, authentication, data exposure or
  5. Physical penetration testing - A consultant tests the physical security of an office to see how easy it is to gain access to restricted areas

We have a few rules that cover the best cybersecurity tools for developers and SysAdmins:

