Why, When and How Often Should You Pen Test?

August 21, 2018 | co-authored by Elias Carbaguiaz | 3 min read

A penetration test — or pen test, for short — is a simulation of a possible cyberattack against an IT system performed by a professional with no malicious intent. The main purpose of such tests is to find exploitable vulnerabilities before anybody else does so that they can be patched and addressed accordingly.

A pen test should end with the presentation of a formal document explaining and detailing all the findings. This document should contain at least two main sections: an executive summary where the tester or testers explain the process and findings in a high-level manner, and a technical summary where the more in-depth details can be explained.

Pros and Cons of Penetration Testing

Nowadays, companies of all sizes have a network presence, and the internet has made it easy for attackers to engage with companies around the world. A cyberattack can damage a company in many ways, not just economically. An organization’s brand, reputation and even intellectual property could be affected.


A penetration test can help an enterprise build a more robust and reliable security posture. With that said, not all companies should engage in a pen test, since they aren’t always particularly beneficial. Because of this, it’s important to evaluate whether or not a pen test will have value for your company.

Potential benefits of a pen test include:

  • Identifying possible security holes before an attacker can;
  • Identifying possible vulnerabilities in a network or computer program; and
  • Providing information that can help security teams mitigate vulnerabilities and create a control mechanism for attacks.

Some of the potential drawbacks are:

  • Outages to critical services if the pen test is poorly designed or executed, which can end up causing more damage to the company in general; and
  • Difficulty conducting pen tests on legacy systems, which are often vital to businesses.

When Should You Pen Test?

Some companies make the mistake of starting a pen test too early on a network or system deployment. When a system or network is being deployed, changes are constantly occurring, and if a pen test is undertaken too early in that process, it might not be able to catch possible future security holes. In general, a pen test should be done right before a system is put into production, once the system is no longer in a state of constant change.

It is ideal to test any system or software before it is put into production. Most companies do not adhere to this recommendation because they are eager to get their return on investment (ROI) quickly. Companies might also fail to follow this best practice because a project has exceeded its deadline or budget. These factors make companies eager to push their new services live without having conducted the proper security assessments. This is a risk that needs to be evaluated and put in perspective when deploying new systems.

How Often Should You Pen Test?

A pen test is not a one-time task. Networks and computer systems are dynamic — they do not stay the same for very long. As time goes on, new software is deployed and changes are made, and they need to be tested or retested.

How often a company should engage in pen testing depends on several factors, including:

  • Company size. It’s no secret that bigger companies with a greater online presence might also have more urgency to test their systems, since they would have more attack vectors and might be juicier targets for threat actors.
  • Budget. Pen tests can be expensive, so an organization with a smaller budget might be less able to conduct them. A lack of funds might restrict pen testing to once every two years, for example, while a bigger budget might allow for more frequent and thorough testing.
  • Regulations, laws and compliance. Depending on the industry, various laws and regulations might require organizations to perform certain security tasks, including pen testing.
  • Infrastructure. Certain companies might have a 100 percent cloud environment and might not be allowed to test the cloud provider’s infrastructure. The provider may already conduct pen tests internally.

Pen testing should not be taken lightly; it has the potential to provide a critical security service to all companies. For some organizations, it might even be mandatory. But a pen test is not one-size-fits-all. Ultimately, understanding the company’s line of business is fundamental to successful security testing.


Warren Perez Araya
SIEM Admin, IBM
Warren Perez Araya is a contributor for SecurityIntelligence.