Risk assessment is a critical first step in the information security lifecycle. Network penetration testing offers an invaluable way to establish a baseline assessment of security as it appears from outside the organization's network boundaries. A penetration test involves gathering information about an organization's information systems and security infrastructure, and then using this information to identify, and attempt to exploit, known or potential security vulnerabilities.
Why penetration testing?
Penetration testing is one of the oldest methods for assessing the security of a computer system. In the early 1970s, the Department of Defense used this method to demonstrate the security weaknesses in computer systems and to initiate the development of programs to create more secure systems. Penetration testing is increasingly used by organizations to assure the security of information systems and services, so that security weaknesses can be fixed before they are exposed. The frequency and severity of network intrusions, data theft and attacks caused by malicious code, hackers and disgruntled employees continue to increase, and the risks and costs associated with network security breaches and data theft are astronomical. With every e-business initiative, the demand for secure, remote access to company networks also increases. The truth is that even well-managed implementations, involving the latest hardware and software, may be susceptible to misconfigurations or software flaws. These may eventually give an intruder access to sensitive information. Using penetration testing tools can significantly reduce the risk of this occurring.
While the principal objective of penetration testing is to determine security weaknesses in an organization's network infrastructure, it can have a number of secondary objectives, including testing the organization's ability to identify and respond to security incidents, testing employee security awareness, or testing security policy compliance.
Reasons to perform a network penetration test
• A penetration test helps organizations to understand their current security posture by identifying gaps in security. This enables organizations to develop an action plan to minimize the threat of attack or misuse.
• A well-documented penetration test result helps managers to create a strong business case to justify a needed increase in the security budget, or to make the security message heard at the executive level.
• Security is not a single point solution, but a process that requires due diligence. Security measures need to be examined on a regular basis to discover new threats. A penetration test and an unbiased security analysis enable organizations to focus internal security resources where they are needed most. In addition, independent security audits are rapidly becoming a requirement for obtaining cyber-security insurance.
• Meeting regulatory and legislative requirements is a must for conducting business today. Penetration testing tools help organizations meet these compliance requirements.
• One of the core objectives of an e-business initiative is to enable close working with strategic partners, suppliers, customers and others upon whom the e-business depends. To accomplish this goal, organizations sometimes allow partners, suppliers, B2B exchanges, customers and other trusted connections into their networks. A well-executed penetration test and security audit help organizations find the weakest links in this complex structure and ensure that all connected entities have a standard baseline for security.
• Once security practices and infrastructure are in place, a penetration test provides critical validation feedback between business initiatives and the security framework, allowing those initiatives to be implemented successfully at minimal risk.
Continue to Part 2: Performing a penetration test
This was first published in February 2010