Let's face it, your company's IT department probably spends far more time chasing down solutions for security problems than it spends improving your delivery pipeline or keeping production running as smoothly as possible.
It's frustrating — of that there is no doubt. This is made especially true given how competitive the world of business has become. If you're not constantly focused on improving your system of delivery, you're already behind the game. You can't afford to get behind — not for a second.
But what do you do? Or, better yet, what should your IT department do?
Maybe now is the time your IT staff becomes proactive. Instead of constantly chasing the shadows of attacks, your company could employ the right tools to test for vulnerabilities. Once you locate said vulnerabilities, they could be patched and the systems on your network will be safer for the extra work.
In fact, your staff could even make use of the same kinds of attacks hackers use to breach your systems.
How? It's not as hard as you might think. With the help of penetration testing, you can locate those vulnerabilities. Once discovered, your IT department can set about patching the vulnerable servers and desktops. Or, if it's custom software that's the weakness, you could head back to your offshore software development team, and have them do the patching.
Either way, you must first locate those vulnerabilities with the help of penetration testing.
Penetration testing (also called pen testing) makes use of very specific software to mimic the cyber-attacks nefarious hackers perpetrate to break into your network and the attached devices. These pen tests focus on any number of applications or systems, such as Application Programming Interfaces (APIs), frontend or backend servers, databases, desktops, networking hardware, and various security software.
When a pen test is run, it identifies and reports all discovered vulnerabilities on a system and determines if unauthorized access or other malicious activity can be achieved on the machines in question. Pen tests focus primarily on:
These tests should be run from both the WAN and LAN sides of your network. Why? Because a hacker must be able to penetrate your network before doing any real damage. If that's possible, they then must access servers, routers, switches, or desktops via discovered vulnerabilities.
You've probably heard of vulnerability scanning. The difference is really quite simple: a vulnerability scan identifies vulnerabilities and reports them back. Once run, this type of scan will tell you that Application X has Vulnerability Y.
A pen test will not only scan for vulnerabilities but will also attempt to exploit each vulnerability to determine if a hacker can use it to nefarious ends.
So a vulnerability scan will say, "Hey, you have a vulnerability in Application X," whereas a pen test will say, "Hey, you have a vulnerability in Application X and I was able to exploit it to gain admin access on your server!"
See the difference? You should, because that difference is crucial to the security of your company. There are hundreds of thousands of known vulnerabilities in the wild. Some of those vulnerabilities are harmless, while others can enable hackers to do very bad things with and to your systems. And although vulnerability scanning is a good start, it simply won't give you enough information to act in ways that benefit your company in the real world.
You're probably thinking this is the part where you learn that pen testing will cost your company an arm and a leg, or that it's way above the pay grade of your IT staff.
It's not. In fact, thanks to a number of handy tools, pen testing is actually pretty easy. All you have to do is fire up one of the many pen-testing software titles, set a few configuration options, and let it do its thing. In fact, there are entire operating systems devoted specifically to penetration testing, including:
Kali Linux is the most widely used operating system for ethical hacking and pen-testing. This particular distribution includes a large number of pen-testing tools and also has some of the best documentation to be had on the subject of pen testing software.
BackBox is another Linux-based penetration testing operating system that is as easy to use as it is powerful. BackBox also includes its own software repository which contains the latest versions of a number of pen-testing tools.
Parrot Security OS includes more tools for pen testing than any operating system you'll find. This particular take on the pen testing platform also includes a few exclusive tools (created by Frozenbox Network) to help you test your network.
Even if the idea of a full-blown Linux distribution for pen testing seems daunting to you, the three platforms above really are your best bet. Although you could cobble together a collection of applications on your own, you're not going to do a better job than Kali Linux, BackBox, or Parrot Security OS.
The only way you might best those platforms would be to use a third-party software outsourcing company that specializes in system security. Some companies do go that route and have had good success. But any company that wants the tools always at the ready should take a look at one of these three pen-testing distributions.
It's not a matter of if but when your company will be the target of an attack. When that happens, you want to be ready. The best way to do that is to use penetration testing tools on your network and systems to determine what vulnerabilities exist and which are exploitable. Once you have that information in hand, you can act on it to greatly improve the security of your company.