Don’t Start With a Penetration Test


As a provider of cybersecurity services, we are often asked by organizations to conduct network penetration tests (Pen Tests for short). While the requests are well-intended, there are specific reasons why doing a Pen Test before other security measures are in place is not advised. This is especially true in organizations that are just starting to build a more comprehensive cybersecurity strategy.

What is a Penetration Test?

In simple terms, a penetration test is where an experienced security professional attempts to gain access to secure areas of an organization’s network. This is done by using both automated tools and manual exploitation. There are many factors that determine how the test is performed, what it uncovers, and how much it will cost. These include the amount of time you’d like the tester to spend trying to break in, how much information you are willing to share with the tester in advance, and how many different systems you’d like the tester to attack.

When is it Time for a Penetration Test?

The penetration test is an essential part of an organization’s security strategy, but most security professionals agree that it should only be performed after a thorough security assessment of the network infrastructure is completed.  A well-executed security assessment that includes vulnerability scanning will identify the vulnerabilities that could allow a cyber-criminal to gain access to sensitive data in the first place.  It finds outdated operating systems, unpatched network equipment, active accounts that haven’t been used, improperly configured network settings, and much more.  Ideally, vulnerability scans should be done at regular intervals (i.e. monthly or quarterly).

Once a security assessment is complete and all vulnerabilities have been remediated, the Pen Test is performed to provide further evidence that the network is secure.  Doing things in this order ensures that organizations are being tested against their strongest security posture, not their weakest.

For more information about any of our cybersecurity or consulting services, please feel free to contact us any time. 
