What Is the End Result of a Penetration Test and Why Is It So Critical?
Posted on October 10, 2022 by Richard Osborne
In terms of cybersecurity, every organization exists in a zero-trust environment. Cyberattackers are smart, clever, motivated, and relentless. That means the threats will continue to evolve at warp speed and a potential attack is just around the corner if the organization fails to be ever-vigilant.
So, how does an organization remain ever vigilant? Penetration testing is a big part of the answer.
Many, if not most, organizations think that all they need is a strong firewall to keep cyberattackers out of their networks and systems. It’s a logical way to think — but it’s completely wrong. Cyberattackers have an annoying habit of breaching firewalls, which only address the external environment.
The Importance of Looking Inside
Consequently, organizations need a way to protect their internal environments — once inside, cyberattackers can navigate laterally, for months at a time, looking for all sorts of vulnerabilities that can be exploited for fun and profit. Even scarier is that they potentially could become a system administrator, which would enable a cyberattacker to take control of every device that is operating on the network.
Often a penetration happens as a byproduct of a seemingly benign interaction. Throughout the day, all of us communicate with various websites for all sorts of reasons, and data is being transmitted back and forth continuously. However, if the website with which your computer is interacting has been compromised by a cyberattacker, you now have unwittingly opened a tunnel into your organization’s networks and systems — and no firewall, no matter how sophisticated, is going to prevent that from happening.
What Is the End Result?
That’s where internal penetration testing comes into play. It involves discovering all of the systems that comprise the organization’s communications network and all of the devices that operate on those systems. Once that knowledge is gained, penetration testing then is used to identify all of the vulnerabilities that exist in the overall network, each system, and each device.
Penetration tests simulate how a cyberattacker might gain access to the network environment and then what will happen to systems and devices afterwards. A thorough penetration test should be conducted at least annually, though quarterly would be better.
A common example of a penetration test is to stage a faux phishing exercise. If we were to do this for our firm, we would send our personnel emails that contain a fake malware attachment. Our email address uses “missioncriticalpartners.com” as the domain name, so the penetration test would use “missioncriticalpartners.net.” Then we would watch what happens, i.e., how many people open the email – which is bad enough – but then open the attachment, thinking that a colleague had sent it. Spoiler alert: this type of penetration test works every time. But armed with this evidence, the organization can do something about it.
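On the defensive side, the domain swap used in this exercise is something a mail filter can check for. The sketch below is an added example, not part of the original post: it classifies sender addresses against the organization's own domain and generalizes the .com/.net swap to near-miss spellings. The function names, category labels, typo threshold, and all sample addresses other than the two domains named above are assumptions made for illustration.

```python
# Added example: triage sender addresses against the organization's own domain.
OWN_DOMAIN = "missioncriticalpartners.com"  # the firm's real domain, from the post

# Constructed sample input; only the .com/.net pair comes from the post.
SAMPLE_SENDERS = [
    "colleague@missioncriticalpartners.com",
    "colleague@missioncriticalpartners.net",
    "it-help@missioncriticalpartmers.com",   # constructed typo: "partmers"
    "news@example.org",
]


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(address, own=OWN_DOMAIN, max_typos=2):
    """Return 'internal', 'lookalike-exact', 'lookalike-typo' or 'external'."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain == own or domain.endswith("." + own):
        return "internal"
    own_name = own.split(".", 1)[0]
    # Compare every label except the TLD, so subdomain tricks are caught too.
    labels = domain.split(".")[:-1]
    if own_name in labels:
        return "lookalike-exact"   # our name under a different domain or TLD
    if any(edit_distance(label, own_name) <= max_typos for label in labels):
        return "lookalike-typo"    # near-miss spelling of our name
    return "external"


def triage(senders):
    """Map each sender address to its classification."""
    return {s: classify_sender(s) for s in senders}


if __name__ == "__main__":
    for sender, verdict in triage(SAMPLE_SENDERS).items():
        print(f"{verdict:16} {sender}")
```

Anything classified as a lookalike is a candidate for quarantine or an external-sender banner, which gives the exercise's findings a concrete control to measure against in the next round.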
Establishing an effective cybersecurity posture is like cooking a delicious stew. A stew has multiple ingredients, and if any of them are missing, the stew isn’t as good — imagine leaving the beef out of a beef stew. Cybersecurity requires continuous network and system monitoring, penetration testing, vulnerability scanning, improved policies and procedures — especially pertaining to passcode/passphrase management and multifactor authentication — configuration management, and more.
The differences between penetration tests and vulnerability scans will be explored in a future blog — they sound very similar, but they are not. In the meantime, we would love to help you develop a comprehensive cybersecurity strategy that aligns with your needs and resources — please reach out.
Richard Osborne is MCP’s director of commercial services. Email him at RichardOsborne@SecureHalo.com.