Dec 07, 2012

Penetration testing builds on vulnerability scanning rather than replacing it: a scan lists the weaknesses it can detect, while a penetration test tries to actually exploit them.  As such, a full penetration test may not be necessary for every business, or it may be warranted only for a segment of your operations.  Penetration testing essentially involves taking the actions an attacker would take: trying to gain access to your network, then seeing how far that access can be pushed across the network and the physical location(s).  So let's take a look at how proper penetration testing should be carried out.

  1. The first step is determining the procedures for how you will go about performing the penetration test.  Will you use an outside vendor to either perform the testing or assist?  Just a tip: a third-party expert will most likely find holes where you would never expect them.  What steps will you take from an external as well as an internal perspective?  Who will be involved, what areas of the business and network will you test, and what is off limits?  Agree the scope, the exclusions and the testing window in writing before anyone starts; a tester hitting a system nobody authorized looks exactly like an attacker to the people running it.
  2. Treat penetration testing and vulnerability scanning as complementary, not interchangeable.  Scan, fix what the scanner reports, then have the penetration test confirm that the fixes hold and look for what the scanner could not see, such as weak credentials or several minor findings chained together.  Don't just assume that because you have scanned your network and fixed all active issues everything is OK.
  3. Set up an external test position on a network you do not control, such as a separate Internet connection or a nearby wireless network, so that external testing sees exactly what an outsider sees.  For internal testing, set up a dedicated test user account with ordinary user privileges, so the results reflect what a compromised or malicious insider could reach; disable the account when the test ends.
  4. Consider physical penetration testing as well, especially if you rely on electronic or biometric access controls such as badge readers or fingerprint locks.  An attacker who can walk up to a machine does not need to get past your firewall.
  5. If issues are identified, involve the entire organization in deciding how the vulnerabilities will be addressed and by whom.  For example, what is the chain of command for notifying people of issues?  How would marketing/PR, legal, HR, etc. respond?  How do the issues uncovered compare with those found in prior testing?  Make penetration testing a regular part of your Business Continuity/Disaster Recovery (BCP/DR) planning.
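Steps 1 and 3 define the scope and the two test positions. One practical control that follows from them is a scope guard in front of whatever scanning or exploitation tooling the test uses, so that nothing is aimed at a host, vantage point or time that was not agreed in writing. The following is an added example, not code from the original post: the SCOPE dictionary is a constructed, hypothetical engagement (the CIDRs, exclusions and testing window are made up), and the function names are the editor's own.

```python
"""Scope guard for a penetration test engagement.

Added example, not code from the original post. SCOPE below is a constructed,
hypothetical engagement definition; the helper names are the editor's own.
The guard sits in front of the scanning or exploitation tooling so that no
target outside the written agreement is ever touched.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed engagement definition (hypothetical addresses and window).
# Two vantage points, matching the external position and the internal
# test account described in the steps above.
SCOPE = {
    "external": {
        "in_scope": ["203.0.113.0/24", "2001:db8:10::/48"],
        "excluded": ["203.0.113.5/32"],       # e.g. a box hosted by a third party
    },
    "internal": {
        "in_scope": ["10.20.0.0/16"],
        "excluded": ["10.20.99.0/24"],         # e.g. a fragile legacy segment
    },
    # Agreed testing window, UTC.
    "window": (
        datetime(2012, 12, 10, 22, 0, tzinfo=timezone.utc),
        datetime(2012, 12, 11, 6, 0, tzinfo=timezone.utc),
    ),
}


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def check_target(target, vantage, scope=SCOPE):
    """Return (allowed, reason) for a single IP address or CIDR target.

    Exclusions are checked first, so an excluded host inside an in-scope range
    is still refused. A range target is refused if it even overlaps an
    excluded range, and allowed only if it lies entirely inside one in-scope
    range; partial overlap with the scope is not good enough.
    """
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        return False, f"{target}: not a valid IP address or CIDR"
    rules = scope[vantage]
    for ex in _nets(rules["excluded"]):
        if ex.version == net.version and net.overlaps(ex):
            return False, f"{target}: overlaps excluded range {ex}"
    for ok in _nets(rules["in_scope"]):
        if ok.version == net.version and net.subnet_of(ok):
            return True, f"{target}: inside {vantage} scope {ok}"
    return False, f"{target}: not in {vantage} scope"


def in_window(now, scope=SCOPE):
    """True if the timestamp falls inside the agreed testing window."""
    start, end = scope["window"]
    return start <= now <= end


def filter_targets(targets, vantage, now, scope=SCOPE):
    """Split candidate targets into (allowed, rejected) for one vantage point.

    Outside the window every target is rejected: the tooling should stop
    rather than run on into business hours.
    """
    if vantage not in ("external", "internal"):
        raise ValueError("vantage must be 'external' or 'internal'")
    if not in_window(now, scope):
        return [], [(t, "outside the agreed testing window") for t in targets]
    allowed, rejected = [], []
    for t in targets:
        ok, why = check_target(t, vantage, scope)
        if ok:
            allowed.append(t)
        else:
            rejected.append((t, why))
    return allowed, rejected


if __name__ == "__main__":
    # Constructed candidate list, as a scanner's seed file might contain it.
    candidates = ["203.0.113.10", "203.0.113.5", "203.0.113.0/25",
                  "2001:db8:10::1", "10.20.5.1", "bad-input"]
    when = datetime(2012, 12, 11, 1, 0, tzinfo=timezone.utc)
    ok, bad = filter_targets(candidates, "external", when)
    print("allowed:", ok)
    for target, why in bad:
        print("rejected:", why)
```

The exclusion check runs before the allow check on purpose: a client's "everything in 203.0.113.0/24 except the payment gateway" is only safe if the exception wins, and a range target that merely overlaps an exclusion is refused outright rather than silently trimmed.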

There are quite a few technical elements to penetration testing, and the requirements will vary widely depending on your organization.  This blog post covers the high-level basics to get you started; if you have any further questions or comments, please feel free to leave them below.