Do You Really Know What A PenTest Is?

Ethical Hacking

Annual Network Penetration Testing (PenTesting) is now considered to be an industry best practice for asset and wealth managers, but do you really know what a PenTest is?

You might not. And that’s not a failing, because there are multiple types. If you’re an asset or wealth management professional, this is what you need to know about PenTesting – and what you should procure if you’re planning on having a PenTest completed by the end of the year.

External Penetration Testing

This test only tests your firewalls as if you were a criminal hitting the firewall from overseas. These tests occur every day, from numerous different countries, by criminals attempting to break into you network. This is what many people associate with the term, ‘PenTest’, but this is not a comprehensive test and will not provide an appropriate measure of your systems protective health.

Internal Penetration Testing

In tandem with external penetration testing, you should include Internal testing. There are two types of internal PenTesting; it’s important that you know the difference.

Vulnerability Scanning

This is an automated scan of your internal systems software to determine how well those systems are patched and upgraded. Remember our recent coverage of the Google Chrome vulnerability – that vulnerability is an example of how your network can be exposed if your IT team is not regularly patching and upgrading all of your users’ computers and other internal systems. Poor patching and upgrading is one of the primary causes that leads to companies being compromised by cyberattacks.

While vulnerability scanning is often referred to as a Penetration Test, it is technically not a pentest. Instead, to be considered a Penetration Test, you must also conduct ethical testing in tandem with vulnerability scanning.  Read on…

Ethical Testing

Ethical testing – e.g., simulated hacking – is a task carried out by an experienced cyber professional acting as if they were an actual hacker attempting to compromise your system and to steal your data.  Normally, the PenTester will use the vulnerability scanning results to plan and conduct multiple attacks against vulnerable systems or software.

It’s important to understand the distinction between these two activities because BW Cyber believes it is critical to perform an external test as well as an internal vulnerability assessment in tandem with ethical testing (e.g., “attempted hacking”) when you conduct your annual PenTest. If you don’t confirm this scope with your cyber vendor, you may be paying what you think is a lower fee for a much lower fidelity test (or even worse, you may be paying a higher fee for a poor quality test). Lastly, be aware that many IT vendors who are not cybersecurity vendors often do not have the ethical testing skills on staff to conduct true penetration testing (e.g., simulated hacking).