Updated: Feb 6, 2020
“I’m just a keystroke away from downloading their entire database,”
said the experienced hacker. Fortunately, this was an ethical hacker: an expert penetration tester at my company performing an authorized test commissioned by a client, carefully documenting the results to present to that client.
Unfortunately, there are plenty of bad actors who would download the “entire database” and sell or post the contents on the Dark Web or pass them to other bad actors. Performing penetration tests is an excellent way to determine how vulnerable your systems, applications, and organizational assets really are. Cyber security is truly multi-layered and multi-faceted, but regular penetration testing is the quickest way to surface what I would call infrastructural blind spots.
Clients will often call and say “I want a penetration test.” I always make it a point to ensure we’re on the same page by ascertaining whether the client wants a vulnerability scan or a web-application scan, or a proper penetration test. So how would you define the difference?
Clearly stated, a penetration test is a real-world simulated attack performed by certified, qualified engineers using both automated and manual attack techniques. A scan stops at reporting possible weaknesses; a penetration test goes on to exploit the vulnerable attack vectors within the agreed scope and rules of engagement, proving which findings are genuinely exploitable and what an attacker could reach through them. The engineers then professionally document every finding with clear remediation advice, including multiple screenshots.
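Here is a small illustration of that scan-versus-test distinction. It is an added example, not code from this post or from my company's toolkit: the target is a constructed, deliberately vulnerable SQLite lookup with made-up rows, and every function name in it is mine. The "scanner" half only pattern-matches source text and can report a possible issue; the "tester" half runs a controlled probe that proves exploitability, measures how many rows leak, and then enumerates the schema, which is the "entire database" moment from the opening line. The remediated lookup is included so the same probe can confirm the fix.

```python
"""Scan vs. penetration test, as an added example (not the post's own code).

Target, probes and sample data are all constructed for this demo.
"""
import inspect
import re
import sqlite3


def find_user_vulnerable(conn, username):
    # Deliberately vulnerable: user input is pasted into the SQL text.
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def find_user_fixed(conn, username):
    # The remediation a report would recommend: bound parameters, no string building.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def make_db():
    """In-memory SQLite database with constructed sample rows (stands in for a client's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.com"),
        ("bob", "bob@example.com"),
        ("carol", "carol@example.com"),
    ])
    return conn


# A scanner-style rule: SQL keyword on a line that also shows string building.
SQL_BUILD_PATTERN = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b.*(%s|\.format\(|\+\s*\w+)")


def scan_function(func):
    """The scanner view: pattern-match the source and report a *possible* issue.

    Nothing is executed, so the best it can say is 'this looks risky'.
    """
    findings = []
    for lineno, line in enumerate(inspect.getsource(func).splitlines(), 1):
        if SQL_BUILD_PATTERN.search(line):
            findings.append({"line": lineno, "status": "possible",
                             "title": "SQL built from a format string"})
    return findings


def probe_injection(conn, lookup):
    """The tester view: a controlled probe that proves (or disproves) exploitability.

    A tautology in the username should return every row if the input reaches the SQL text.
    """
    baseline = lookup(conn, "alice")
    tautology = lookup(conn, "alice' OR '1'='1")
    return {
        "exploitable": len(tautology) > len(baseline),
        "rows_expected": len(baseline),
        "rows_exposed": len(tautology),
        "payload": "alice' OR '1'='1",
    }


def dump_schema(conn, lookup):
    """Impact step: UNION the injected query with sqlite_master to list every table and its DDL.

    This is the evidence for 'a keystroke away from the entire database'; against the fixed
    lookup the same payload is just an unknown username and returns nothing.
    """
    payload = "x' UNION SELECT name, sql FROM sqlite_master --"
    return lookup(conn, payload)


if __name__ == "__main__":
    conn = make_db()
    print("scanner:", scan_function(find_user_vulnerable))
    print("probe (vulnerable):", probe_injection(conn, find_user_vulnerable))
    print("schema (vulnerable):", dump_schema(conn, find_user_vulnerable))
    print("probe (fixed):", probe_injection(conn, find_user_fixed))
```

The scanner output is a single "possible" finding with a line number; the tester output is the difference between one expected row and three exposed rows plus the table definitions, which is exactly the evidence (and the screenshot) that goes into the report, followed by the same probe run against the remediated function to show the fix holds.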
The book from CRC Press (when available) will share many “scrubbed” but real scenarios, the vulnerabilities behind the findings, and the tools, methodologies and conclusions that went with them.
For the real takeaways, conclusions and “meat” from the chapter on penetration testing and the other contributions, stay tuned! The book should be out and available by May-June of this year.
Until then, consider this: annual or semi-annual penetration testing is a small price to pay compared to the potential $3.9 million average data breach cost*.
*IBM in conjunction with the Ponemon Institute https://databreachcalculator.mybluemix.net/