What is it?
Authorized testing of a computer system or network with the intention of finding vulnerabilities. Also called pen testing.
Why is it important?
A cyberattack can harm not only your organization, but also customers, partners, employees, and vendors. Penetration testing can reveal vulnerabilities, suggest improvements to your systems, and reduce risk for your organization. In addition, penetration testing is encouraged and even required by certain industry standards.
Why does a business professional need to know this?
Cybersecurity experts use automated penetration test tools to scan network resources and find vulnerabilities. They use another toolset to hack into any vulnerable resources they find. Testers employ tools to monitor or map networks, spy on web traffic, scan systems or apps for weaknesses, and crack passwords.
Exploiting vulnerabilities differentiates penetration testing from merely assessing security. A white-hat attack gives administrators hands-on experience at defending their system and identifying the methods an attacker might use. The result of penetration testing is usually a report describing vulnerabilities in the system or in security policies. Rather than just proving whether a system can be hacked, a penetration test report explains how to improve the system and reduce risk for the organization.
Penetration testing is required by the Payment Card Industry Data Security Standard (PCI DSS)(PCI-DSS). It also meets the requirement for a vulnerability assessment under ISO 27001, the ISO standard for information security management systems.
Penetration testing is recognized by many organizations as a best practice, even when it is not externally required. For example, in 2016, the US Department of Defense (DoD) invited hackers to probe Pentagon computers. More than 1,000 hackers signed up. They found more than 100 bugs and were paid tens of thousands of dollars in reward money. The DoD has since duplicated the experiment with Army systems and DoD web resources, with similar results(Pellerin 2016).
You will never hear a news story about penetration testing that prevented a breach. The objective of penetration testing is to combine the wisdom of people with effective tools to proactively scan an environment for weaknesses. When done properly, weaknesses identified by penetration testing are scheduled for remediation as soon as possible based on the potential impact of the weakness.
- (Pellerin 2016) The Pentagon Opened up to Hackers and Fixed Thousands of Bugs: Newman, Lily Hay (2017). Wired. Details about the U.S. Department of Defense bug-bounty project called
Hack the Pentagonin which the agency offers cash rewards to independent hackers who find and disclose software bugs and other vulnerabilities.
- (Steinberg 2017) Eight Myths Not to Believe About Penetration Testing: Steinberg, Joseph (2017). Practical advice on adopting and investing in penetration testing. The author dispels several myths about the practice.
- (Solomon 2016) Only do penetration tests if your security program is up to it, say experts: Solomon, Howard (2016). IT World Canada. Discussion of the importance of an organization’s cybersecurity maturity as a critical success factor in adopting penetration testing.
- (MacMillan 2017) The Penetration Tester Who Your Boss Hires to Hack Your Email: MacMillan, Thomas (2017). New York Magazine. An interview with a white-hat penetration tester.