How to choose the right penetration test for your organisation

Oct 28, 2018 · Guest post from Mike James with Redscan


Regularly testing your cybersecurity defenses is now considered essential. As cyber-crime evolves and the techniques used become more sophisticated, it is important for businesses to identify and address vulnerabilities, and understand how well equipped they are to detect and defend against attacks.

One of the best ways to assess your organisation’s cyber security is through penetration testing. But if your operation lacks cyber security expertise, the prospect of this sort of test can be daunting, especially if you do not fully understand it. Here we look not only at penetration testing and the various types of test available, but also at how to select the right type of test for your business.

What is pen testing?

Penetration testing (also known as pen testing) is a form of ethical hacking in which cybersecurity specialists will attempt to pinpoint, safely exploit and help address potential weaknesses that exist across IT infrastructure. Through pen testing, it is possible to learn a lot about the current state of your organisation’s cyber defences and the areas that need to be strengthened in order to mitigate the risk of suffering damaging breaches.

Choosing the right test for your business

Just as there are many forms of ethical hacking, there are many different types of penetration tests. The needs of every business are different, so there is no one-size-fits-all pen test.

Instead, it is important to choose the type of assessment that is most relevant to your IT architecture and will offer the greatest benefit. Most penetration tests are conducted over a couple of days, so it’s important to focus on the areas that are likely to represent the greatest risks.

Some of the most common types of penetration test include:

- Network pen testing – there are actually two different forms of network pen testing. Internal network pen testing is conducted within a network to establish how an employee or contractor could conduct an insider attack. External pen tests are conducted from outside the network perimeter and are designed to evaluate external-facing systems such as web, email and FTP servers.

- Wireless pen testing – this form of testing focuses on a business’s wireless local area network (WLAN) as well as any other wireless infrastructure across the organisation. It can help to identify rogue access points and encryption weaknesses.

- Web application testing – websites and web applications are commonly targeted by hackers and cyber-criminals as a means of compromising your systems and data, including customer payment information. Web application testing looks for issues found in the code and design of applications.

- Mobile application testing – mobile devices are an important part of most modern businesses, but they can also present unexpected cyber security challenges. Mobile app testing can be carried out across popular operating systems and identify security vulnerabilities affecting authorisation, authentication and session handling.

- Build and configuration review – insecurely configured devices such as servers, routers and firewalls could provide attackers with an easy route into your business. By systematically assessing devices, operating systems and applications, a build and configuration review can help identify and address weaknesses before they are exploited by criminals.

Other factors to consider

Choosing the right test for your business can also depend on additional factors, such as the size of your networks and the budget that you have in mind for the testing. It may also be the case that you are having this testing carried out in order to establish or maintain compliance with regulations and standards such as the GDPR and PCI DSS. In the case of the latter, you will need to ensure that any testing is focused around your organisation’s cardholder data environment.

In order to determine the type of test that is right for you, it is advisable to seek the advice of a specialist pen testing provider. They will be able to help you identify and scope the best kind of testing for your needs. They can then work with you on an ongoing basis to help improve your organisation’s overall security posture over time.


Mike James

Mike James is an independent writer and cyber security specialist, based in Brighton. In conjunction with software company Redscan, Mike has authored many articles on penetration testing, MDR, the GDPR and much more for some of the leading authorities on these matters, in both online and print magazine formats.
