What is pen testing and why is it important?
A penetration test is an authorized, simulated attack on a network or system, carried out to evaluate its security posture. The main focus of the exercise is to find a vulnerability in the company's systems and then exploit it, so the test shows not just that a weakness exists but what an attacker could actually do with it.
“When we undergo a penetration test, we’re hiring a company to ethically hack our system,” says Caroline McCoy, Director of Compliance at Bit-Wizards. “They’ll do it two different ways: externally and internally.”
During a penetration test, the first thing the security experts (a.k.a. ethical hackers) do is try to gain access to the network from the outside, just as a real attacker would.
“But it’s more than just gaining access,” McCoy explains. “Once these ethical hackers find the hole, they exploit it to see how far they can get into the system. That’s where they’re able to find gaps that can’t necessarily be found during a vulnerability assessment, which is usually completed using an automated tool.”
McCoy says a penetration test is vastly different from a vulnerability assessment.
“In penetration testing, there is a human element which takes it a step further and the ethical hacker demonstrates the extent of damage that can be done once a vulnerability is found,” she says. “The security experts conduct studies on what hackers are doing, so they’re up to speed on how the bad actors are getting into business networks and compromising their systems in the real world.”
Penetration tests are important for businesses because they uncover security vulnerabilities before an actual attacker finds and exploits them.
“With pen testing, the goal is to try to be one step ahead of the hackers at all times,” McCoy explains. “Hiring an unbiased third party allows us to get a more holistic view of our security structure and take care of any potential risks before someone else finds them.”
The pen testing process at Bit-Wizards
Bit-Wizards undergoes two types of testing. The first is an external penetration test, which simulates an attacker trying to break into the network from the outside.
“External penetration testing usually starts with checking to see if there are any open ports or weak passwords,” says McCoy. “I would say one of the top reasons hackers are able to get in is due to a weak password, and once they obtain a weak password, they can cause a lot of damage.”
McCoy says this is why it’s important to make sure you have multiple barriers set up internally.
“Everything is segregated so even if a hacker got in, they could do very little damage,” she explains.
The other type is an internal penetration test, which tests the systems from inside the network. It is meant to emulate either an attacker who has already breached the perimeter or a malicious insider.
“The internal penetration test is meant to make sure we’re following best practices with our permission levels,” says McCoy. “The ethical hackers are checking to make sure employees have access to things they actually need to have access to.”
Bit-Wizards' pen testing results
After the penetration test is complete, Bit-Wizards receives a detailed report from the security experts, which rates the results on a scale from 1 to 5, with 5 meaning the tested area is in line with industry practice.
“The results of the penetration test help us get a clear understanding of our security posture and fix issues that harden our security,” says McCoy. “Over time, our scores have continued to increase as vulnerabilities are found and remediated. In our last assessment, we received a score of 5 out of 5 on our external penetration test.”
Bit-Wizards also receives a spreadsheet listing everything that was tested and whether any vulnerabilities were found, with each finding ranked low, medium, high, or critical.
“The report helps us determine what our priorities are for remediation,” explains McCoy. “We take all the information they give us into consideration, so we know what needs to be handled first. We get tested every six months, so the report also gives us a review of how we ranked since the last penetration test, allowing us to track our progress.”
Why pen testing is an investment in our clients
As a Managed IT Services provider, Bit-Wizards must invest in security.
“No company is safe from threats,” says McCoy. “In fact, because we are an IT company, we get a lot more threats than, say, the movie theater down the street. We always have to make sure we’re on top of our game and ahead of the hackers.”
McCoy says pen testing is not only an investment in Bit-Wizards, but in our clients.
“Bit-Wizards takes security very seriously,” she says. “Instead of going through a vulnerability assessment, which tends to be cheaper and less time consuming, we opt to invest in a penetration test twice a year, which is much more time intensive and expensive. By undergoing consistent penetration testing, we are obtaining unbiased feedback on our security processes. This helps prevent expensive and damaging breaches.”
Looking for a Managed IT Services provider that invests in your security? Contact Bit-Wizards today.