Why is Pen Testing necessary for your business?


With cyber attacks becoming the norm, it is more important than ever to undertake regular vulnerability scans and penetration tests: to identify vulnerabilities, and to confirm on an ongoing basis that existing cyber security controls are actually working.

Where a vulnerability scan only identifies weaknesses, a penetration test goes further and attempts to exploit them, showing which findings an attacker could actually use and how far they could get.

Organisations need to conduct regular testing of their systems for the following key reasons:

  • To determine the weaknesses in infrastructure (hardware), applications (software) and people.
  • To ensure security systems have been implemented and are effective.
  • To test third-party applications, which are often the avenue of attack.
  • To discover new vulnerabilities in existing software – patches and updates can fix existing vulnerabilities, but they can also introduce new vulnerabilities.

The worst situation is to have an exploitable vulnerability in your infrastructure, applications or people that you are not aware of, because attackers can then operate inside your systems without your knowledge. Unless the attackers publicise a breach themselves, it can go undetected for months.

Vulnerability scanning and penetration testing can also test an organisation's ability to detect intrusions and breaches. Organisations need to scan their externally exposed infrastructure and applications to protect against external threats, and to scan internally to protect against insider threats and compromised individuals or devices.

How often should you conduct pen testing?

Pen testing should be conducted regularly, so that newly disclosed vulnerabilities in systems that were previously considered secure are picked up. The minimum frequency depends on the type of testing and on the target of the test: a full penetration test should be carried out at least annually, while internal vulnerability scanning of workstations may be run as often as monthly. Compliance standards such as the PCI DSS also set their own minimum frequencies for scanning and testing.

Pen testing should also be undertaken after the deployment of new infrastructure and applications, and after any major change to either (e.g. changes to firewall rules, firmware updates, patches and software upgrades).