What is Penetration Testing and Why Should Your Organisation Use It?
Falanx views penetration testing (also known as ‘pen testing’ or ‘ethical hacking’) as: “a method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.”
Penetration testing is a core tool for analysing the security of IT systems, but it’s not a magic bullet.
Penetration testing should be viewed as a method for gaining assurance in your organisation’s vulnerability assessment and management processes, not as a primary method for identifying vulnerabilities.
A penetration test should be thought of as similar to a financial audit. Your finance team tracks expenditure and income day to day. An audit by an external group ensures that your internal team’s processes are sufficient. Equally, you should know what the penetration testers are going to find, before they find it. Armed with a good understanding of the vulnerabilities present in your system, you can use third-party penetration tests to verify your own expectations.
Our highly experienced penetration testers may find subtle issues which your internal processes have not picked up, but this should be the exception, not the rule. The aim should always be to use the findings of a penetration test report to improve your organisation’s internal vulnerability assessment and management processes.
What Will a Penetration Test Tell You?
Typically, our penetration tests are used to identify the level of technical risk emanating from software and hardware vulnerabilities. Exactly what techniques are used, what targets are allowed, how much knowledge of the system is given to our testers beforehand and how much knowledge of the test is given to system administrators can vary within the same test regime.
A well-scoped penetration test can give confidence that the products and security controls tested have been configured in accordance with good practice and that there are no common or publicly known vulnerabilities in the tested components, at the time of the test.