IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

What is penetration testing?

Sure, you’ve got your firewall – but is your business really safe from cyber attacks?

A penetration test or "pen test" in security jargon is a simulated attack on your systems, commissioned by you in order to find out how good your infosecurity posture really is. Beyond that, there's no strict definition of what's involved so if you think this sort of exercise could benefit your business, it's important to start by defining your goals, and what actions you hope to take once you have the results.

For example, are you worried about keeping hackers out or are you more concerned about vulnerabilities that could be exploited in order to access your data? How deep do you want to go, and how much time and money are you prepared to invest in mitigating any risk uncovered? There are a lot of questions to address.

I wasn't expecting the Spanish Inquisition!

Nobody expects the Spanish Inquisition, but to get the best from a penetration test you need to set strict and specific parameters. If you were hoping to ask the testers to simply "see what they can find", you may well discover that what comes back overlooks issues that are critical to your business. It's important to put structure and goals in place for testing and avoid a haphazard approach. By defining what you want to get out of the test early on, you'll be able to judge its success in the results.

Who are these testers? Is it safe to deal with hackers?

These aren't hackers they're highly trained security professionals. If you must use the word, "ethical hacker" or "white hat hacker" might fit, but "security consultant" is better. These professionals mimic tactics used by cyber criminals to test the strength of a business’s security infrastructure. This helps to identify weaknesses in your security that can be addressed before you fall victim to a real cyber attack.

When dealing with your organisation's security, it's always worth raising the question of trust. With pen testing there are two recommended courses of action: you could use a service with a good pedigree of recommendations from previous customers, or you could select an agency that only uses testers who are accredited by an industry certification body called CREST. This ensures that they have passed rigorous certification exams and signed up to enforceable codes of conduct.

What actually happens in a penetration test?

As we've noted, it depends on exactly what you have commissioned. Typically, though, pen testers perform both external tests, which target the servers and hardware that any hacker would be able to see, and internal tests, which simulate what would happen if those hackers made it past the perimeter and got inside your network or if an employee wanted to cause trouble. Both approaches can be revealing and combined they can provide a good indication of your real-world security position.

Won't this disrupt my business?

Not at all. An external test may be almost invisible (although, if you have a good security infrastructure, it will hopefully flag up any suspicious connection attempts). An internal test needn't be much more invasive: the tester simply requires access to your network so they can mimic the actions of a hacker.

If that makes you nervous, remember that the testers are looking to expose vulnerabilities, not to exploit them. No data will be compromised, no systems will be interrupted and no damage will be done. Still, it's worth making sure any senior stakeholders have been notified that a pen test is taking place so that they're aware of what's happening.

We perform vulnerability scanning; isn't that enough?

Vulnerability scanning is the process of inspecting potential exploitation points on a network and identifying security weaknesses. This has its value, but it will only give you limited information regarding configuration errors and vulnerabilities. Penetration testing is much more active and probing and a lot more revealing about the potential security problems in your network. Not only does it involve more rigorous and wide-ranging tests, but you can also expect to come away with detailed information and advice that's specific to your business and context.

How long does a pen test take?

Again, it depends on what you have asked the testers to do: tests can take as little as a few hours or last as long as a few weeks. Just remember that the pen testers' work isn't over when they log out or discontinue their simulated attacks; further time is needed to produce a vulnerability report, after which your business will need time to digest its findings and respond as needed. Indeed, there's a good chance that you will want to involve the testing agency in remedying any issues discovered, so it's worth thinking about keeping them involved for the long-term.

In the end, however, the decision is yours. Focus on what needs fixing urgently and be realistic about what's a long-term goal, or what might not be worth fixing at all given the risk analysis for your business. The value of pen testing is that it gives you the information you need to make these decisions.

Should you (and how do you) prepare for a test?

Absolutely! Since you're going to the effort of hiring penetration testers, we may as well ensure we derive the maximum benefits from the process. 

Related Resource

Taking a proactive approach to cyber security

A complete guide to penetration testing

A complete guide to penetration testing - whitepaper from CyberCxDownload now

In the interest of simulating an 'attack' that's as realistic as possible, internal IT teams would ideally not be notified of an incoming test before it has been completed and an external report has been compiled. This way, defences will be tested organically, with internal IT teams able to devise their own report accordingly, mirroring the process of an actual attack like a mock fire drill. The two reports can then be compared to highlight the differences between what was actioned in the attack, and what was picked up by the IT team.

Before the test team arrives, it can also pay to undergo a security pulse check, including basic patch management and applying hardware and software updates. Of course, patch management and general updating should be regularly undertaken regardless, but ensuring everything is completely up-to-date as a preliminary for penetration testing will mean that security measures are tested in their entirety.

Prepare also to work collaboratively with the test team. Sharing knowledge beforehand can save them time, and you money. Conversely, you should take the time to understand the methods and tools they will use to analyse your network. The more you understand, the more valuable the test.

Featured Resources

Defending against malware attacks starts here

The ultimate guide to building your malware defence strategy

Free Download

Datto SMB cyber security for MSPs report

A world of opportunity for MSPs

Free Download

The essential guide to preventing ransomware attacks

Vital tips and guidelines to protect your business using ZTNA and SSE

Free Download

Medium businesses: Fuelling the UK’s economic engine

A Connected Thinking report

Free Download

Most Popular

The big PSTN switch off: What’s happening between now and 2025?

The big PSTN switch off: What’s happening between now and 2025?

13 Mar 2023
Why the floppy disk may never die
Server & storage

Why the floppy disk may never die

27 Mar 2023
UK snares "several thousand" potential hackers in DDoS-for-hire honeypot
cyber crime

UK snares "several thousand" potential hackers in DDoS-for-hire honeypot

27 Mar 2023