Now you want to go further and find out what other ways an attacker could get into your servers, sabotage your shipping, or steal confidential information on your resellers and end-customers, including their payment details.
A penetration test sounds like the answer. But just what will it tell you – or rather, what won’t it tell you?
Yes, We Broke Into Your System, But…
Suppose the test shows that your IT resources can be attacked and exposed. A penetration test is typically a more involved operation than the general vulnerability countermeasures taken by your IT team.
The pen test might look for an attack path that consists of several steps and possibly several attack techniques, such as phishing, hash attacks, or denial-of-service attacks, and may reveal further holes along the way. But that may just reveal one very specific attack path. What if there are others?
OK, We Broke In and There Were All These Holes
So now you know where more of the holes are. Will you fix all of them? If you don’t fix them, you’ll have known problems that you are not addressing.
A penetration test won’t tell you how to solve things. Some attack paths, although successful, may be so complicated that they are beyond the understanding of your in-house IT team.
A pen test won’t explain fundamental IT security rules or information security awareness, either. Yet these things properly applied might have already limited the number of holes the pen test found.
Well, No, We Didn’t Get Into Your System
Wow, that’s a relief! Or is it? This proves only that your testers did not get into your system with their tools and the know-how they possess. Depending on what they tried and how competent and diligent they were, you might be able to estimate the probability of being successfully attacked. However, that probability will never be zero. Total security, like zero risk, doesn’t exist.
Things Will Be Different Again Tomorrow
IT systems and networks change continuously. Systems are too sophisticated now to be tested in every possible way before release. After release, further security holes and other bugs are discovered.
Vendors release patches, updates, and upgrades to deal with these. If you don’t install them, you leave yourself open to known problems. If you do install them, your systems change, closing some holes and perhaps opening others. A pen test done today may not be valid in a few months’ time, for these reasons.
What Can You Do About It?
Penetration testing can be useful. It can give you valuable information about the security of your IT systems and network. However:
- Make your own IT security preparations beforehand to make sure a pen test doesn’t just show basic vulnerabilities.
- React to attacks that succeed during pen testing, to at least make it harder for attackers to get a foothold inside your systems or to exploit such a foothold.
- Continue to keep your IT security guard up whether the pen tester succeeds or fails.
- Run all of your chosen IT security tests regularly and frequently.
Have regular penetration tests kept your IT systems secure? Let us know your thoughts in the Comments section below.