Why do I need penetration testing?
Assume you have run a vulnerability scan on your systems and everything has come out hunky-dory. You have ticked the check-box against security assessment and are confident that you are not prone to a cyber attack. But you have done this using one or more automated tools that may be up to the mark in peace time yet can still leave room for a breach during a clandestine attack by a determined hacker.
Real-life individuals intent on wreaking havoc bring extraordinary skills to the keyboard, and their determination and patience can, on occasion, overcome the most robust firewall.
Only teams of individuals whose sole intent is to seek out vulnerabilities and exploit them can actually keep your network secure. This cannot be emphasized enough. Human teams think laterally and out of the box, piecing together individual vulnerabilities across various systems to produce a gateway into the network, something security compliance tools cannot do. Multiple attack vectors need to be examined for the same target, and proof of vulnerability against IT assets, data or physical security should be collected. As such, penetration (or pen) testing goes beyond vulnerability testing or security compliance: those identify potential threats to the network, while pen testing exploits those weaknesses in order to derive a more robust security system.
Unless such tests are periodic and frequent, one can never be certain when the network will be overwhelmed. A one-time in-depth test every year is not good enough. The human mind is ingenious, and it takes an ingenious team to keep the criminally minded at bay. "This can never happen to us" is a sure-fire recipe for disaster. A post-mortem will tell us why the breach happened and, along with forensic analysis, re-create the sequence of events that led to the attack; but why wait? Instead of putting in security controls only after the fact to dissuade similar attacks in the future, initiate pen testing as part of a security audit. There are good individuals, teams and companies that offer this service. Choose one that works for you. Choose well.
Manoj Rai has around 14 years of IT experience in enterprise applications, mobile and infrastructure security. He has rich and diverse global experience in leading large engagements and building deep technology expertise in the security testing domain.
Manoj holds a Bachelor of Engineering in Computer Science, an MBA in Systems and an Executive Delivery Program from IIM-Bangalore. He is a regular speaker on technical subjects such as ethical hacking, mobile security, secure SDLC and cloud security at CISO platforms, OWASP, BLUG, NULL etc. He is a regular blogger and has published white papers on threat management and best practices in various social groups.