Amid efforts to expose cybersecurity vulnerabilities in a network before an attacker does, penetration testing, also referred to as a pen test or a white-hat attack, continues to gain momentum as a viable means to detect weaknesses in an organization’s network infrastructure.
If the term penetration testing is foreign to you, it is not as intrusive as it sounds. The objective of a penetration test is to provide information technology (IT) and system managers with critically needed intelligence regarding their organization’s security vulnerabilities. Whether the testing is performed manually or via sophisticated automation tools, it is best conducted by a third party that can use the same tools many hackers rely on. Many of these tools are widely available, arming testers with a better understanding of how they can be used to attack an organization.
The idea behind a penetration test is to help mission-critical agencies learn more about their networks and systems and the related cybersecurity risks. The most effective testing not only assesses the network infrastructure, it also evaluates the applications and software operating on it, as well as the security practices and knowledge of the employees working within the agency.
For example, if the testing exercise gains access to a system because an employee clicks on an email that resembles a phishing attempt, the penetration test has highlighted a weakness in the employee cybersecurity training program. Now that the agency understands where the vulnerabilities lie, it can better prioritize where it should invest its cybersecurity resources and enhance its education efforts with a focus on how to spot a phishing email so that a similar attempt by a hacker is thwarted in the future.
How Often Should Penetration Testing be Conducted?
Mission-critical agencies that are operating IP-based networks and systems are far more susceptible to cyberattacks than they have been in the past. In fact, the Federal Bureau of Investigation (FBI) advises that it is no longer a question of if, but rather when, a mission-critical communications network is going to be attacked. To proactively guard against these threats, penetration testing should be performed regularly—at least once a year, but quarterly or monthly is better—to fully understand the agency’s network and systems and their cybersecurity risks. Until risks are identified, it is impossible to prioritize, assess and address them. This frequency is also recommended because hackers most assuredly are adjusting their targets continually.
Penetration testing also can be conducted when the agency:
- Adds new, or upgrades existing, infrastructure and/or applications
- Modifies end-user policies
- Moves into a new facility
Recommended Penetration Testing Steps
MCP recommends that a third party execute the penetration test and complete the following steps, at a minimum, to expose potential vulnerabilities:
- Phishing attempt: During this exercise, internal users are tested using mock phishing emails and/or webpages that are sent to employees in a controlled manner. Doing so provides the IT team with a baseline metric, i.e., what percentage of the staff succumbed to the attack, so that the metric can be improved upon over time
- Vulnerability discovery: This exercise recognizes holes in the network infrastructure, computers, hardware system, etc., that can be the main source of malicious activities
- Port scanning: This exercise enables testers to find all open network entry points available on a system, which provide hackers with a gateway for unauthorized access to the network
- White-hat hacking attempt (also known as an ethical hacking attempt): This is an effort conducted by professionals who have explicit permission from the agency to attempt to find security holes via hacking
A Word of Caution
Because the cybersecurity climate and environment are changing constantly, and cyber criminals are growing in sophistication every day, performing a penetration test does not eliminate the possibility of a cyberattack. However, it is an effective strategy for mission-critical communication organizations to gain a high-level understanding of the cybersecurity risks to their operations. It is also a critical step in developing a proactive cybersecurity plan and crafting related policies and procedures.
If you are looking for guidance, please reach out. MCP offers a comprehensive cybersecurity assessment, NetInform Secure, designed specifically for public-safety entities and other critical-infrastructure organizations, to help them determine their network/system, data, and application vulnerabilities. We can help you develop a complete cyberattack prevention strategy. Contact us today to learn more.