
Penetration Tests (How it works and do you need one?)


Today, many businesses are receiving penetration tests, and you might wonder why. What kind of benefits will a penetration test provide your business? Is it worth it? As a managed service provider, we often recommend that clients receive penetration tests in addition to managed IT support. 


This is because a penetration test offers a different kind of value than the services an MSP provides. Even if an in-house IT team supports your business rather than an MSP, having a penetration test performed on your environment is very advantageous. To learn what a penetration test is and whether it is worth having one done on your business, read the rest of this article.

What is a penetration test? 

A penetration test identifies vulnerabilities and weaknesses within the tested area and then attempts to exploit them, working around security controls, authentication mechanisms, and permission settings to attack the environment. The goal is to find and demonstrate the vulnerabilities before a malicious actor can exploit them. An ethical hacker performs the penetration test.

The ethical hacker's job is to test every practical way into your company's network, using the approaches a real attacker would use. During the penetration test, the ethical hacker attempts to:

  • Gain access to user accounts and to restricted or sensitive information
  • Move laterally from one system or network segment to another where access is supposed to be restricted
  • Uncover protected data and other opportunities to compromise the confidentiality, integrity, and availability of business records
  • Take control of the domain controller, printers, cameras, IoT devices, workstations, and other assets
  • Determine how much sophistication an attacker would need to deploy ransomware or other malicious files

What is the difference between a vulnerability assessment and a penetration test?

Every day new vulnerabilities are discovered in hardware, software, application code, and cloud environments. They are published to public repositories such as the CVE list, which grows every year; in 2020 more than 18,000 new vulnerabilities were published.

A vulnerability assessment is a largely automated process that checks whether the assets in scope are affected by vulnerabilities on that publicly available list of known weaknesses. It reports what a scanner can recognize, typically by product and version, but it does not confirm whether a finding is actually exploitable in your environment.

A penetration test is a manual process in which a skilled tester chains weaknesses together, including ones no scanner lists, such as weak passwords or misconfigurations, to show how an attacker could move laterally through the environment, escalate privileges, reach sensitive information, or compromise the environment outright.
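To make the vulnerability-assessment side of that distinction concrete, here is a small, added example (not Usherwood's tooling, and not any real scanner) of the core mechanic an automated assessment performs: an inventory of what is installed on each asset is compared against a feed of published advisories with affected version ranges, and the matches are reported per asset with a remediation. The advisory feed, product names, identifiers (ADV-0001 and so on), and the asset inventory are all constructed sample data for the example; none of them refer to real software or real vulnerabilities. Note that nothing here tells you whether a match is reachable or exploitable, which is exactly the gap a penetration test fills.

```python
"""Toy vulnerability-assessment matcher: inventory vs. published advisories.

Added illustration only. Products, advisory IDs, versions and assets are
constructed sample data, not real advisories or a real environment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    ident: str            # placeholder identifier, NOT a real CVE number
    product: str
    first_affected: str   # first affected version (inclusive)
    fixed_in: str         # first version that is no longer affected
    severity: str         # CRITICAL / HIGH / MEDIUM / LOW
    remediation: str


SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def parse_version(v: str) -> tuple:
    """'2.4.10' -> (2, 4, 10). Compare numerically: as strings, '2.4.10' < '2.4.9'."""
    return tuple(int(part) for part in v.split("."))


def is_affected(installed: str, adv: Advisory) -> bool:
    """True when first_affected <= installed < fixed_in."""
    v = parse_version(installed)
    return parse_version(adv.first_affected) <= v < parse_version(adv.fixed_in)


# Constructed advisory feed (fictional products and IDs).
ADVISORIES = [
    Advisory("ADV-0001", "acme-webserver", "2.0.0", "2.4.7", "CRITICAL",
             "Upgrade acme-webserver to 2.4.7 or later"),
    Advisory("ADV-0002", "acme-webserver", "2.4.0", "2.4.9", "MEDIUM",
             "Upgrade acme-webserver to 2.4.9 or later"),
    Advisory("ADV-0003", "libcrypt-x", "1.0.0", "1.1.2", "HIGH",
             "Upgrade libcrypt-x to 1.1.2 or later"),
    Advisory("ADV-0004", "remote-admin", "5.0.0", "5.3.0", "HIGH",
             "Upgrade remote-admin to 5.3.0 or later, or disable the service"),
]

# Constructed inventory: asset name -> {product: installed version}.
INVENTORY = {
    "web01":  {"acme-webserver": "2.4.6", "libcrypt-x": "1.1.2"},
    "web02":  {"acme-webserver": "2.4.8", "libcrypt-x": "1.0.9"},
    "web03":  {"acme-webserver": "2.4.10"},   # newer than 2.4.9 despite the string order
    "dc01":   {"remote-admin": "5.2.1"},
    "ws-017": {"remote-admin": "5.3.0"},      # exactly the fixed version: not affected
}


def assess(inventory: dict, advisories: list) -> dict:
    """Return {asset: [finding, ...]} with findings sorted most severe first.

    Assets with no matches are kept with an empty list so the report is a
    complete baseline, not just a list of problems.
    """
    report = {}
    for asset, installed in inventory.items():
        findings = []
        for adv in advisories:
            version = installed.get(adv.product)
            if version is not None and is_affected(version, adv):
                findings.append({
                    "id": adv.ident,
                    "product": adv.product,
                    "installed": version,
                    "severity": adv.severity,
                    "remediation": adv.remediation,
                })
        findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])
        report[asset] = findings
    return report


def summarize(report: dict) -> dict:
    """Count findings per severity across all assets."""
    counts = {sev: 0 for sev in SEVERITY_RANK}
    for findings in report.values():
        for f in findings:
            counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    result = assess(INVENTORY, ADVISORIES)
    for asset, findings in result.items():
        print(asset if findings else f"{asset}  (no known vulnerabilities)")
        for f in findings:
            print(f"  {f['severity']:<8} {f['id']}  {f['product']} {f['installed']}"
                  f"  -> {f['remediation']}")
    print(summarize(result))
```

Two details matter in practice even in this toy: versions are compared numerically, because a string comparison would wrongly treat 2.4.10 as older than 2.4.9, and an asset running exactly the fixed version is reported as clean. What the output does not say is whether web01 is reachable from the internet, whether the domain controller's remote-admin finding can be chained with a weak password elsewhere, or how far an attacker could get from there; those questions are what the manual penetration test answers.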

Vulnerability assessment vs. penetration test at a glance:

Goal
  Vulnerability assessment: identify well-known vulnerabilities.
  Penetration test: exploit vulnerabilities to gain access to systems and emulate a hacker in the wild.

Outcome
  Vulnerability assessment: list of vulnerabilities by asset, with recommendations to remediate.
  Penetration test: narrative description of the attack scenario, prioritized list of vulnerabilities, and detailed remediation instructions.

Method
  Vulnerability assessment: automated.
  Penetration test: manual testing requiring a high skill level.

Performed by
  Vulnerability assessment: primarily tools.
  Penetration test: an experienced penetration tester (aka ethical hacker).

Value
  Vulnerability assessment: cost-effective method of identifying well-known weaknesses.
  Penetration test: in-depth understanding of your security posture.

Frequency
  Vulnerability assessment: quarterly.
  Penetration test: annually.

Cost
  Vulnerability assessment: less.
  Penetration test: more.

Report
  Vulnerability assessment: baseline of vulnerabilities.
  Penetration test: identified vulnerabilities and instructions to reduce cyber-risk.


How often is a penetration test needed?

Most businesses hire a third-party penetration tester (aka ethical hacker) annually. A penetration test is also warranted after significant changes to your business's staff, infrastructure, or applications. A test can last anywhere from one week to one month; the average is two weeks.

What types of businesses need a penetration test?

Some organizations are regulated and required to perform penetration tests annually. The industries most commonly subject to this requirement are financial institutions and health care companies.

Businesses that are not required to have penetration tests should still consider one. Waiting for a real-world cyber-attack to reveal your weaknesses is a risky and expensive strategy.

How much does a penetration test cost?

It depends on the scope and the size of the organization. The penetration testing team identifies the critical assets and works with your business to scope how long testing the environment will likely take. Most engagements last one to two weeks and are sold as a fixed-price contract. Actual pricing is provided in a written proposal after the scoping meeting.

Why would a business consider a penetration test?

After a penetration test, your business will have a much clearer picture of the vulnerabilities in its environment. Here are the top five security benefits of having a penetration test performed on your business:

  • Protect client records, employee data, and Intellectual Property
  • Avoid reputational damage due to a cyber-attack
  • Uncover unknown vulnerabilities before cybercriminals do
  • Reduce the risk of a business shut down due to a ransomware attack
  • Prioritize cybersecurity strategies and IT investments

Additional reasons to perform a penetration test:

  • Comply with regulations
  • Measure the business's resistance to cyber-attacks
  • Develop a strategy to reduce cyber-risk and close blind spots
  • Nearly all business functions rely on technology; without networks, cloud services, and applications, business comes to a halt and profits suffer
  • Cyber insurance is no longer the answer on its own: premiums have sky-rocketed, and some types of business can no longer buy cyber insurance at all
  • State business laws: New York State's SHIELD Act and Massachusetts's breach notification law require organizations to protect data by implementing cybersecurity safeguards


Penetration testing is a proactive approach to improving your security year after year and threat after threat. It is a great way to test your current cybersecurity tools and to improve them based on the penetration test findings.


Why don’t managed service providers offer penetration testing?

Penetration testing is performed by ethical hackers, who are specialized information security professionals. They are hired to test the environments that an MSP manages. An ethical hacker, aka penetration tester, emulates a hacker in the wild to identify security weaknesses in network, cloud, wireless, and web application environments.

In other words, ethical hackers use the same tools and techniques as malicious actors to try to circumvent the security controls that the MSP team has implemented.

Business leaders need an independent third party to test the resilience of the networks and environments an MSP maintains. Independence keeps the penetration test unbiased: an outside tester has no incentive to overlook a security vulnerability in order to make the MSP look better.


Wondering if penetration testing is right for you?

At Usherwood, we offer risk assessments and vulnerability assessments to clients, but not penetration testing. Although we do not offer penetration testing, we highly recommend that our clients receive it to make their environment even more secure. If you are interested in learning more about how penetration testing differs from vulnerability assessments and risk assessments, check out this article: Penetration Tests vs. Vulnerability Assessments vs. Risk Assessments.