If you have been tossing in sleep worrying over data threats and breaches, the thought of penetration testing has definitely crossed your mind or bumped your way by now. But do you really know the what’s and how’s of penetration testing, or is it just the buzzword that’s caught a fair bit of your attention. Are you aware on how exactly a Penetration Test fits into your Information Security program?
Penetration testing provides an in-depth threat and vulnerability analysis of your system. As an elaborate exercise, there are certain assessments and understanding that need to be clarified before getting on to it. Pen-tests, or as they are more commonly called, come in three variations:
It is important to note that Pen-Testing is very different from Vulnerability Scanning or an Internal Security Assessment. Vulnerability scanning simply looks at identifying vulnerabilities using automated tools and Internal Security Assessment is an intensive audit of the existing security paraphernalia. Pen-Testing on the other hand is a real time simulation of a realistic scenario with real experts. Instead of just looking for potential vulnerabilities, Pen-Test gets closer to reality with ethical hacking.
What does a Penetration Test address – the acid test of the effectiveness of your security system. It helps you uncover:
How to do penetration testing – A Pen Test exercise can be carried out based on three different methodologies:
Black Box Testing: This approach typicallycorrelates to external penetration testing, where hackers access the network infrastructure without a view into internal technologies. As the name suggests, this testing shoots into a dark room from an outsider’s perspective. This is advisable for evaluating IT department response and countermeasures against a breach attack.
White Box Testing: This relates with internal penetration testing where auditors are given full visibility into internal technologies and internal infrastructure. This is a thorough level of testing that requires full cooperation of the internal security teams with the audit team.
Gray Box Testing: Evolved as a mix and balance of Black Box and White Box testing where auditors have limited knowledge of internal infrastructure. This approach supplements a Black Box test to reveal vulnerabilities and identify weaknesses. It lets the auditor get a dual perspective of an external attack as well as any internal illegitimate threat.
Each of these three approaches have pros and cons. While the White Box approach is more comprehensive, it is sort of removed from real-world attacks. On the other hand, the Black Box approach is less complex and less comprehensive. As a mix of the two, the Gray Box approach seems to work better logically, but every company needs to choose the most appropriate approach based on specific business needs and compulsions.
Now the final question that remains is, when is the right time to do a Pen Test? This is a relative aspect and it varies from business to business, team to team, application to application. There are various aspects to keep in mind when deciding on the right time for pen testing. More on that coming up soon….
ABOUT HAPPIEST MINDS
Happiest Minds enables Digital Transformation for enterprises and technology providers by delivering seamless customer experience, business efficiency and actionable insights through an integrated set of disruptive technologies: big data analytics, internet of things, mobility, cloud, security, unified communications, etc...