Do You Really Need A Penetration Test?
The short answer is probably not.
But let’s start at the beginning. To truly answer whether you need a penetration test, you need to know why you need one.
- Are you uneasy about the security of your environment?
- Is a third party recommending you consider it?
- Do you need one to comply with certain regulations for your industry?
If you answered yes to number 3, then, unfortunately, you are going to have to bite the bullet. But if you aren’t required by regulations to run penetration tests on your environment, read on to find out what you should look out for and why it might not be needed after all.
What exactly is a penetration test anyway?
Also known as a pen test, it’s a simulated cyber attack on your network to check for exploitable vulnerabilities. Penetration tests are performed by third-party vendors who are unfamiliar with your network. Also known as “ethical hackers”, they are hired to intentionally hack into your system and find all of the blind spots in an attempt to increase security. A test can involve attempted breaches of any number of application systems to uncover vulnerabilities, such as unsanitized inputs that are susceptible to code injection attacks.
You might’ve heard that this is the best way to detect any vulnerabilities in your environment, but while that may be the case, it might not actually help you very much. Let’s dive into some of the downsides of doing a pen test.
It’s Expensive!
The price of a penetration test can range from a few thousand dollars for a non-complex business to more than $100,000 for complex enterprises. Even though the price clearly varies, the cost is often prohibitive for small to medium-sized businesses. And if you’ve found a more affordable option, make sure you know what you’re getting. A true penetration test involves real people spending real time hacking into your environment, not just software running remotely. That’s a vulnerability scan, not a penetration test. The line is blurry with some providers, so make sure you ask for clarification.
So what is a vulnerability scan then?
Vulnerability scans are performed by automated tools with the goal of checking for known software vulnerabilities that could be exploited. There are two main types: unauthenticated and authenticated. An unauthenticated scan is run from the perspective of an intruder who has no credentials for the network, while an authenticated scan is run as a trusted network user; together they show which vulnerabilities are reachable from each position. But once you have all of the information, what do you do with it?
They identify problems but provide no solutions!
Yes, a penetration test will identify the intricate blind spots in your environment and a vulnerability scan will let you know the issues with your business software, but now what? It’s like going to the mechanic and having them tell you EVERYTHING that is wrong with your used car. OK, that’s great, but where do I even start? And do I really have to fix everything? All the penetration test will do is give you an assessment, then leave you empty-handed when it comes to making improvements. So basically, you pay thousands of dollars for the test but will still have to pay even more for an expert to come in and provide solutions for the vulnerabilities.
Furthermore, if your company is aware that it doesn’t have certain security measures in place already – like managed firewalls or updated antivirus services – then all the penetration test will do is tell you what you already know without providing you with solutions.
Now what?
OK, so now that we’ve told you all the downsides of a penetration test, you’re probably thinking there’s no way for me to know if my network is truly secure, or if my internal IT department is actually doing everything they should be doing, or if my technology provider is taking care of everything. We might just have an answer for that…
Information Technology Gap Analysis
How Does It Work?
Our engineers will come to your office and evaluate your environment. That’s right, we come to you – we don’t just run some tests from behind our own computers and call it a day. But now that you mention it, we do run a vulnerability scan as well. We’ll find the weak points and put them together in a report that you can understand, with action items organized by Business Impact: High, Medium, and Low.
- High: Where you need the most help (Network Firewalls, Backup & Disaster Recovery, Outdated Infrastructure)
- Medium: What’s in the middle – what should be fixed but is not extremely crucial (Network exposure due to lack of multi-factor authentication, Network Permissions, Admin Rights)
- Low: What’s “nice to have” but not necessary (Updating hardware/software that is out of warranty, S.I.E.M.)
So before you start that penetration test that only shows you what’s wrong, let’s talk about how you can Make IT Right with our Technology Gap Analysis.
Country Manager @ CTAIMA | B2B SaaS Scale Up
5 years ago: This is so very true when you hire just anybody for this. A penetration test is part of a cybersecurity risk management program, and as this post points out, you should be expecting at the minimum to receive a clear and actionable report, with a clear methodology for risk rating per criticality. The report should also include clear steps for remediation. And finally but not least, your penetration test should include a re-test that validates your team fixed the findings correctly. In the comparison with "bringing your car to the mechanic", a penetration tester is not an IT resource that can fix IT related problems, therefore it is critical that you understand what the findings are and how your IT team can fix them (following the fix-your-car example: the mechanic works for the client, so the client has a way to remediate its findings); this is why you need a retest to validate the work is correctly done. So yes, I agree you don't need the kind of test described in this post. But I disagree that a company doesn't need a penetration test; this is not correct.