Pen Testing: What Is It and Why Is It Used?

Pen Testing: What Is It and Why Is It Used?

This is a thought leadership article by IT security specialist Lucas Vousten at PrimeGlobal member firm Joanknecht in the Netherlands.

What is the state of information security in your organisation? A pen test is a tool that helps you gain more insight into this. This article explains what a pen test is, how it works, and the importance of pen tests to ensure the security of information at your firm.

So, Lucas, you hear a lot about pen testing nowadays. What is that exactly?

A pen test, short for penetration test, is a test that is conducted to assess how strong the security of an IT environment is. This could involve a website, an application, an ERP system, or even a physical location. We examine how easy it is to penetrate that environment from the outside. We identify the weak points in the application or system concerned. Essentially, it’s a kind of legal or ethical hacking on behalf of the client.

How does a pen test work?

It depends, of course, on the customer’s requirements. Does the client only want us to try to gain access or do they really want specific information? There are three types of pen tests:

• Black box: the pen tester doesn’t get any information at all about the IT environment. As a tester you don’t know anything and you ‘just’ try to get in, whether through a web portal or a phishing email;

• Grey box: The pen tester gets a general overview of the IT environment. The tester gets a valid login account from a website, for example;

• White box: the pen tester gets insight into all of the systems and technologies that are used. The organisation being tested provides everything openly and freely. You are given the highest rights to look into where the weaknesses in the information security system are.

Why is a pen test important for a company/entrepreneur?

Our goal is to find out where the vulnerabilities are. The more you know about the environment, the easier it is to identify vulnerabilities. As an entrepreneur, you want to keep as much information as possible inside the company. This information should not be accessible to outsiders, and a real attacker should be in the ‘black box’ as much as possible. For example, an error message display gives hackers information that they can use to piece together the puzzle in their plan of attack. This is happening more and more frequently, so be prepared.

Indeed, prevention is better than cure. So is a pen test a kind of security test?

A pen test is not quite the same as a security test. As an entrepreneur, you want to prevent attackers from getting in at all. Your outer wall needs to be thick enough. That is what we check with pen tests. A security test focuses more on the inside. Here, we look at the inner workings of an application or system to see whether everything is as it should be. For instance, are there any missing updates? Is the software configured correctly? Are the password settings properly applied? Do people stick to the password policy?

So security is not just about technology?

No, definitely not. It’s also about procedures and human behavior. A company can have a great policy, but if it’s not complied with, it won’t work. The basic infrastructure has to be solid. That reduces the attack surface.

Do you need to do a pen test often in order to reduce the attack surface?

It’s never a one-off thing. Depending on the risks and developments, you should have it done on a more regular basis. Technology is constantly changing, but so is the world around us. Companies often depend on third parties for certain applications and systems. These can also contain bugs. That means that pen tests have to be repeated throughout the years to find out how ‘black’ the box is for potential attackers. Entrepreneurs can use our results to improve their cybersecurity.

Credit: Lucas Vousten | PrimeGlobal