Can my business be hacked?
What is a Penetration Test?
A Penetration Test, often called "red teaming" or a "red team exercise", is the practice of simulating as closely as possible the effect that cyberthreats could have on your business. It is a simulation of a real-world attack on targeted assets using the same tools and techniques that modern criminals use. This is done by understanding who your threats are, along with their capabilities, motivations and targets, and then "hacking" your systems the way they would.
Many so-called "cybersecurity companies" have done a good job of confusing buyers and generating interest in Penetration Testing. This is because breaking things is easier than fixing them, and they aren't very good at fixing things.
Should I do a Penetration Test?
That depends. A Penetration Test can be a valuable part of your cybersecurity program if you know what to do and when to do it. It can be a powerful motivator for businesses to experience "the reality of cybercrime". It can also help identify cybersecurity risks in the context of a live simulation.
You SHOULD NOT do a Penetration Test:
- To prove that your business can be hacked
- To prove that your business is vulnerable
- Because it sounds cool
You SHOULD do a Penetration Test:
- To test your cybersecurity controls after they have matured
- To identify exploitable vulnerabilities in critical assets, including money, intellectual property, credit card applications, critical infrastructure and other crown jewels
- To satisfy PCI, NERC and other compliance requirements
- After significant changes to your business or infrastructure
What kind of Penetration Test do I need?
There are many threats to your business; understanding who they are will help you conduct a good Penetration Test. Understanding their motivations, resources and targets will make it even better. We help with all of the above. Nearly all threats will fall into one of the following categories:
You can simulate their attacks by one or more of the following Penetration Testing types:
- Scenario-Based Test - Simulation of a specific threat or threat sources, depicted by the scenarios illustrated here.
- Target-Based Test - Focused testing of a specific application, subnet, location, people or other assets, typically considered "purple teaming".
- Advanced Persistent Test - An extension of a Scenario-Based Test over a prolonged period of time.
How is this different than a Vulnerability Assessment?
There are important differences between a Penetration Test and a Vulnerability Assessment. Put simply:
Which one should you do? The answer is probably "both", depending on the problem you're trying to solve, the maturity of your cybersecurity controls and your regulatory requirements.