Why is pen testing in demand? Well, these days, criminal hacking has become an automated process. It’s no longer a matter of if you get hacked. It’s a matter of when you get hacked. And that’s where pen testing comes in.
Increasingly, customers are asking us to test their network and application security before a hacker strikes. For example, they need to know whether sufficient encryption is employed, or whether an application contains vulnerabilities such as “backdoors” in the form of hard-coded user names or passwords.
Penetration testing (a “pen test”) is an attempt to evaluate the strength of an IT infrastructure’s security defenses by safely and ethically attempting to exploit its vulnerabilities. It’s very much like an annual medical exam: you may look and feel healthy, but the doctor runs tests anyway to ensure you are not showing symptoms of a more serious illness. Within your IT infrastructure, vulnerabilities may lie in operating systems, improper configurations, software application flaws, service flaws and/or risky end-user behavior. Penetration testing typically includes network pen testing and application security pen testing, as well as the controls and processes around those networks and applications. It should be performed both from outside the network, attempting to get in (external testing), and from inside the network (internal testing).
Because the two phrases, pen testing and vulnerability scanning, are commonly used interchangeably, there is some confusion in the industry about what each means. The former, as I described, exploits vulnerabilities to determine whether unauthorized or malicious activity is actually possible. A vulnerability scan (or vulnerability assessment), on the other hand, merely identifies and reports the vulnerabilities it finds.
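As an added illustration of the hard-coded credential check mentioned above and of the “identify and report” side of the scanning-versus-pen-testing distinction (example code written for this post, not AIS Network’s tooling): a small scanner that flags credential literals in source files, run over constructed sample lines.

```python
import re
from dataclasses import dataclass

# Constructed sample source lines (not from the original post), as a scanner
# would read them from a repository: (path, line_number, text).
SAMPLE_SOURCE = [
    ("app/config.py", 12, 'DB_USER = "admin"'),
    ("app/config.py", 13, 'DB_PASSWORD = "Sup3rS3cret!2024"'),
    ("app/config.py", 14, 'DB_PASSWORD_PLACEHOLDER = "changeme"'),
    ("app/auth.py", 40, 'if user == "backdoor" and pw == "letmein": return True'),
    ("app/settings.py", 3, "password = os.environ.get('DB_PASSWORD')"),
    ("README.md", 7, "Set the password in your environment, never in code."),
]

# A credential-like identifier assigned to, or compared with, a string literal.
CRED_PATTERN = re.compile(
    r"""(?ix)
    (?P<name>\w*?(?:user|login|pass|pwd|pw|secret|api_?key|token)\w*)
    \s*(?:==|=|:)\s*
    (?P<q>["'])(?P<value>[^"']{3,})(?P=q)
    """
)

# Template values that are not live credentials and should not be reported.
PLACEHOLDERS = {"changeme", "password", "example", "todo", "xxx", "<redacted>"}

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    name: str
    value: str

def scan_lines(lines):
    """Return a Finding for every hard-coded credential literal in `lines`.
    A value read from the environment is not a literal and is not reported;
    known placeholder values are skipped."""
    findings = []
    for path, lineno, text in lines:
        for m in CRED_PATTERN.finditer(text):
            value = m.group("value")
            if value.lower() in PLACEHOLDERS:
                continue
            findings.append(Finding(path, lineno, m.group("name").lower(), value))
    return findings

def report(lines):
    """Render findings with the secret masked, so the report itself does not leak it."""
    return [f"{f.path}:{f.line}: hard-coded {f.name} = {f.value[:1]}{'*' * (len(f.value) - 1)}"
            for f in scan_lines(lines)]
```

A scan stops at this report; a pen test would go on to verify whether the reported credentials actually grant access.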
Laurie Head is a co-owner of AIS Network.