Penetration testing is all about quantifying risk of a security incident, data breach or network compromise. A good cyber security company should perform assessment of both external network exposure and internal network infrastructure. In addition, there is no standard solution that works for every client and an effective pen test plan should be tailored to address specific client needs and should provide the highest return on investment.
Pen Testing Coverage
Any penetration testing engagement should include internal and external networks. External network testing usually involves network infrastructure including but not limited to:
- Web and Email Servers
- Content Delivery Network
- Virtual Private Network (VPN)
- Hardware components including Modems, Routers and Network Switches
- RDP (Remote Desktop Protocol)
Internal Networks pen testing does include some similar components but there are some distinct differences as well.
- Workstations, Laptops and Tablets
- Internal network components such as Routers, Switches, & Other Network Hardware
- Wireless Network and hardware
- Printers, Scanners, Fax, etc.
Should You Use Automated Testing Tools
Depending on the network size and pen test scope, penetration testing could get complex fairly quickly. In order to improve testing efficiency and reduce overall cost of pen testing, often times it is easier to automate certain tasks using software tools. There are quite a few commercial pen testing tools available. It is essential to understand that automated pen testing without any human override and supervision isn’t going to be very effective. Manual penetration testing leverage professional expertise of industry experts on top of automated testing tools. Manual pen testing provides comprehensive coverage and reduces number of vulnerability points.
Penetration Testing Methodology
Every cybersecurity company uses its own methodology since cyber security procedures and testing aren’t standardized to the level where a common procedure can be adopted. In addition, every client is different. A large corporation with hundreds of locations has very different penetrating testing needs than a small IT vendor interested in pen testing to gain compliance with vendor assessment procedures. Regardless the scope and size of penetration testing, number one priority is to identify all vulnerabilities and risks. It is also essential to understand that pen testing is not performed by sampling – picking and choosing random systems and locations. If a client requests penetration testing, every single system and location should be included in the scope. The penetration testing is an attempt to expose security vulnerabilities and weaknesses enterprise wide.