Penetration testing — the process of trying to break into one’s own system to find vulnerabilities before cybercriminals do — is an integral part of information security. The data gleaned from these evaluations can help companies remediate flaws in their security infrastructure before fraudsters have a chance to expose them.

Dispelling Eight Penetration Testing Myths

Penetration testing is critical for organizations across all verticals, especially those that are subject to data privacy laws and regulations. Before investing in the personnel and resources required to conduct penetration tests, however, it is important to dispel several myths about the practice.

1. Penetration Testing Is the Same as Vulnerability Assessment

Vulnerability assessments include identifying and classifying known vulnerabilities, producing a list of prioritized flaws that require attention and recommending ways to fix them. Penetration tests, on the other hand, simulate an attacker’s actions. Results should include a report of how the tester undermined security to reach a previously agreed-upon goal, such as breaching the payroll system.

2. All Penetration Testing Tools Are Created Equal

Many penetration testing tools exist in the market, and testers should use a variety of solutions. Most veteran testers also build custom tools to go beyond the normal scope of testing. Of course, proper testing requires skill. Saying that anyone can use a pen testing tool effectively is akin to saying that anyone who knows how to use word processing software can win a Pulitzer Prize.

3. Automated Security Testing Is Just as Good as Manual Penetration Testing

Many organizations use a blend of automation and human-driven security testing, but let’s be clear: Automated testing is scanning, not true penetration testing. Both have value, but humans find ways to break systems that, at least as of now, machines do not. Experience, creativity and curiosity are at the core of pen testing, which generally picks up where automation ends.

4. Penetration Tests Only Evaluate Technological Weaknesses

Penetration testing can include social engineering. As such, it is important to establish before testing whether technology will be evaluated exclusively. In some cases, analysts may be authorized to do more, such as scan social media for exploitable information or attempt to phish sensitive data from users via email.

5. Penetration Testers Must Be Ignorant of the Systems They Target

Both people who have knowledge of the intended target system and those who do not can conduct penetration tests. In fact, people who understand the system can provide additional insights, since they know exactly what to look for.

6. Only Outside Parties Can Conduct Penetration Testing

Penetration testing can be conducted by employees, contractors or other external third parties. Ideally, external testers periodically check the work of internal testers. Depending on the potential risk or loss of business continuity, various tiers of security testing are often built into the life cycle of a system or product. Don’t be afraid to look for outside assistance: Finding vulnerabilities before they’re in the hands of cybercriminals is a much better investment than cleaning up the mess.

7. Penetration Testing Is an Optional Luxury for Big Companies

Some laws and industry standards require penetration testing. Health care providers, for example, conduct tests to ensure that they adequately protect medical data. Meanwhile, banks must test their systems to maintain compliance with the Gramm-Leach-Bliley (GLB) Act, and any business that accepts or processes credit cards must conform to the Payment Card Industry Data Security Standard (PCI DSS). Penetration test results are sometimes cited as evidence of proper compliance.

8. Penetration Testing Is Always Proactive

Penetration testing can be proactive or reactive. Ideally, tests are performed to help prevent a breach. However, penetration testing during post-breach forensic analysis can help security teams understand what happened and how — information that can also help an organization prevent similar breaches in the future.

Learn More

When done right, penetration testing can help organizations identify security flaws before cybercriminals can exploit them. To learn how IBM is changing offensive security across multiple industries, listen to this recent podcast featuring the Global Head of X-Force Red, Charles Henderson. You can also try a demo of the X-Force Red team’s penetration testing services.

Read the interactive white paper: Preempt attacks with programmatic and active testing

More from Data Protection

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Resilient Companies Have a Disaster Recovery Plan

Historically, disaster recovery (DR) planning focused on protection against unlikely events such as fires, floods and natural disasters. Some companies mistakenly view DR as an insurance policy for which the likelihood of a claim is low. With the current financial and economic pressures, cutting or underfunding DR planning is a tempting prospect for many organizations. That impulse could be costly. Unfortunately, many companies have adopted newer technology delivery models without DR in mind, such as Cloud Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS)…

Millions Lost in Minutes — Mitigating Public-Facing Attacks

In recent years, many high-profile companies have suffered destructive cybersecurity breaches. These public-facing assaults cost organizations millions of dollars in minutes, from stock prices to media partnerships. Fast Company, Rockstar, Uber, Apple and more have all been victims of these costly and embarrassing attacks. The total average cost of a data breach has increased by 2.6% since 2021 and is now $4.35 million. Organizations that don't deploy zero trust security models also incur an average of $1 million more in…

How the Mac OS X Trojan Flashback Changed Cybersecurity

Not so long ago, the Mac was thought to be impervious to viruses. In fact, Apple once stated on its website that "it doesn't get PC viruses". But that was before the Mac OS X Trojan Flashback malware appeared in 2012. Since then, Mac and iPhone security issues have changed dramatically — and so has the security of the entire world. In this post, we'll revisit how the Flashback incident unfolded and how it changed the security landscape forever. What…