As a provider of cybersecurity services, organizations often ask us to conduct network penetration tests (also known as Pen Tests for short). While the requests are well-intended, there are specific reasons why doing a Pen Test before other security measures are in place is not advised. This is especially true for organizations that are just starting to build a more comprehensive cybersecurity strategy.
What is a Penetration Test?
In simple terms, a penetration test is where an experienced security professional attempts to gain access to secure areas of an organization’s network. This is done by using both automated tools and manual exploitation. Many factors determine how the test is performed, what it uncovers, and how much it will cost. These include how much time you’d like the tester to spend trying to break in, how much information you are willing to share with the tester in advance, and how many different systems you’d like the tester to attack.
When is it Time for a Penetration Test?
The penetration test is an essential part of an organization’s security strategy. Still, most security professionals agree that it should only be performed after completing a thorough security assessment of the network infrastructure. A well-executed security assessment that includes vulnerability scanning will identify the vulnerabilities that could allow a cybercriminal to gain access to sensitive data in the first place. It finds outdated operating systems, unpatched network equipment, accounts that are still active but no longer used, improperly configured network settings, and much more. Ideally, vulnerability scans should be done regularly (e.g., monthly or quarterly).
Once a security assessment is complete and all vulnerabilities have been remediated, the Pen Test provides further evidence that the network is secure. Doing things in this order ensures that organizations are tested against their strongest security posture, not their weakest.