Risks associated with cybersecurity threats and exposures motivate organizations to implement protective controls intended to keep their digital assets safe from malicious computer hackers. Firewalls are installed at the network perimeter to keep unauthorized users from accessing the private network. Anti-virus software is installed on computers and servers to enhance overall endpoint security. Sensitive data is encrypted, and strong password policies are implemented. These are just a few examples of how organizations build their cybersecurity control framework to protect themselves from bad actors.
Business Protection Options
We display a similar strategy when protecting our physical assets. Our homes have locks on entry doors and windows, security systems to detect intruders, fences that prevent access to private property and camera surveillance to monitor for threats.
Protective controls are important to have in place, but it is equally important to test the effectiveness of the controls themselves. Have you ever left your home, shut the door and then reached back to jiggle the doorknob to make sure the door is latched and locked? This is an example of testing a protective control. The same concept applies to the digital world: we must test our cybersecurity controls to ensure they are working as intended.
One common way to test the effectiveness of cybersecurity controls is to conduct a penetration test. Penetration testing is an exercise in which an ethical computer hacker simulates an actual cybersecurity attack against your organization. They execute the same actions and behaviors as a malicious hacker in order to identify weaknesses in your cybersecurity controls. We tend to assume that our firewall is keeping us safe, just as we assume that our locked front door is keeping our home safe. But unlike jiggling the doorknob of the door, there is no tangible way to verify that the firewall is working. This is why penetration testing is such a valuable exercise to complete.
The Inside Scoop on Penetration Testing
There are a few key benefits to completing a penetration test. You can:
- Test your assumptions about the effectiveness of your protective cybersecurity controls.
- Improve your cybersecurity controls after reviewing the test results.
- In many cases, help satisfy the burden of compliance with state or federal regulation.
Penetration tests are completed in the following phases:
- Planning – During this phase, the ethical hacker establishes agreed-upon rules of engagement (ROE) with the organization. The statement of work (SOW) is then defined, and the simulated attack activities it includes are accepted by both parties.
- Reconnaissance – During this phase, the ethical hacker discovers as much information about the target organization as possible so they can create a sophisticated attack strategy. Among other activities, they search for publicly available information, obtain breached credentials and scan the network for common vulnerabilities and exposures (CVEs).
- Exploitation – During this phase, the ethical hacker attempts to circumvent or compromise security controls by exploiting vulnerabilities or predisposing conditions discovered during the reconnaissance phase.
- Reporting – During this phase, the ethical hacker compiles and documents their efforts into a report that presents their findings and recommendations for improvement.
It is recommended that penetration testing be conducted on a regular basis, at least annually if not more frequently. Deploying protective cybersecurity controls is a great accomplishment, but validating their effectiveness is what truly matters.
Schedule Your Penetration Test with Great Lakes Computer Corporation
If you’re interested in learning how effective your organization’s cybersecurity is, conducting a penetration test is a worthwhile option. We take the security of your business seriously. Penetration testing is a great place to start, but it is just a small part of our Security Stack—a modern and comprehensive solution set designed to protect your organization. Find out how your current systems hold up against a cyberattack. Contact us to learn more about our testing services.