“I’m just a keystroke away from downloading their entire database,”
said the experienced hacker. Fortunately, this was an ethical hacker - an expert penetration tester in our company performing an authorized test commissioned by a client, while carefully documenting the results to present to said client.
Unfortunately, there are plenty of bad actors who would download the “entire database” and sell the contents to other bad actors or post them on the Dark Web. Performing penetration tests is an excellent way to determine how vulnerable your systems, applications, and organizational assets are. In fact, although cyber security is truly multi-layered and multi-faceted, frequent penetration testing is a quick way to really understand what I would call infrastructural blind spots.
Clients will often call and say, “I want a penetration test.” I always make it a point to ensure we’re on the same page by ascertaining whether the client wants a mere vulnerability or web app scan, or a proper penetration test. So how would you define the differences?
Clearly stated, a penetration test is:
A real-world, simulated attack performed by certified and qualified engineers, using both automated and manual attack techniques. They find and appropriately exploit every vulnerable attack vector, and professionally document all findings with clear remediation advice, including multiple screenshots.
My book from CRC Press shares many “scrubbed” but real scenarios and the vulnerabilities that led to the findings, including tools, methodologies, and conclusions. (See https://www.routledge.com/Testing-and-Securing-Web-Applications/Das-Johnson/p/book/9780367333751)
True penetration testing - annual or semi-annual - is a small price to pay compared to the potential $3.9 million average data breach cost*.
*IBM in conjunction with the Ponemon Institute https://databreachcalculator.mybluemix.net/