With advances in technology comes more risk to network systems, especially systems that protect customers' confidential data or sensitive company data that could be used to cause harm to the company, its customers or its clients. Security is of the utmost importance for companies that deal with such data. Many companies implement strong security systems but then make the mistake of leaving them alone. New vulnerabilities are found frequently, and security systems must be maintained to ensure they remain protected against them. This is where a penetration test is most useful: it tests the very core of your security system to find out exactly how secure the system is and how well the data your company is protecting is actually protected.
What is a penetration test?
A penetration test is an authorized attempt to exploit vulnerabilities or find weaknesses that could be used to gain access to company networks. Penetration tests come at a variety of levels, from having the tester use a list of commonly known exploits up to custom-made exploits of the kind an attacker might use to gain unauthorized access to the system.
The penetration test not only ascertains which vulnerabilities your company has but also which networks, systems and data are at risk of being breached and accessed through specific vulnerabilities.
The penetration tester starts with areas of the system that are low priority and may not be as strongly protected as more sensitive areas. If a vulnerability is found and can be exploited at that lower level, the tester then attempts to use the resulting foothold to reach the more sensitive areas that may hold confidential company data.
Most companies implement security measures that include vulnerability scans. However, these scans cannot compare to an attacker with a variety of sophisticated tools at his disposal. A penetration test reproduces an actual attack as closely as possible. Vulnerability scans give you possible weaknesses, while a penetration test gives you exact details and pinpoints the specific vulnerabilities that need to be patched.
There are a variety of ways to perform the actual penetration test. Some IT departments have their own structured protocols that they follow. Some companies, especially smaller companies that cannot justify the cost of a full-time IT staff, hire an IT security consultant who brings his range of knowledge and experience to the table. This provides the skills of someone with the same knowledge as an actual attacker, so his penetration test is much more likely to find the vulnerabilities that a typical vulnerability scan would miss. The reason is that the consultant can adapt his process to a number of factors, including the type of system, what kind of testing is required, the priority level of each area, and the difficulty level. Whatever process the consultant uses, a number of common steps must be worked through: defining the ultimate goal, collecting information, planning the test, finding and defining vulnerabilities, exploiting the vulnerabilities, and writing a report of all activities that took place during the test.
Vulnerability prevention
Security systems should be tested for vulnerabilities that could be used to penetrate them. By performing penetration testing, companies can determine exactly what kind of security they have, and whether there are any vulnerabilities that an attacker could exploit to gain unauthorized access to the company's system. Each time a vulnerability is discovered, it must be determined whether it poses a credible threat and is real, or whether it is a false alert. If the vulnerability is real, it should be determined whether it can be exploited to gain access to the system or otherwise harm the company. If it can be exploited, is any of the company's confidential data at risk? Once these questions have been answered and the vulnerabilities have been identified, the real work of patching them begins. The process is far more efficient when you know exactly which vulnerabilities need to be patched, rather than patching multiple possible vulnerabilities at random, some of which may pose no threat at all. The penetration test is fast and pinpoints the exact threat to your system so it can be closed quickly, before an attacker discovers the vulnerability and is able to exploit it.
A quick look at ROI
When determining whether the cost of a penetration test can be justified for your company, you must determine the Return on Investment (ROI). Put simply, ROI means investing money in something so that over a length of time you make more money in return. If you invest $250K in a project, you want to know how long it will take before you get your money back, as well as the additional amount that the venture will return as profit.
When you invest money in a project, you should determine what the Payback Period will be. This is the amount of time it takes for the project to return the amount of your investment, plus additional cash flow. The total profit, or benefit, of the investment is called the Net Present Value (NPV). However, for a penetration test the typical calculations do not apply directly, because you cannot show a literal amount of savings from a prevention measure. If the penetration test is tied to another project that does generate revenue and requires a penetration test to achieve its goals, then an ROI can be determined.
A penetration test delivers results that show potential risks, flaws, threats and vulnerabilities within the system, and it can pinpoint the proper methods to patch the flaws and eliminate the risks to Information Assets (IA). This is why it's good to know the company's IA and how to place a value on them. Many companies have already placed a value on their IA, which makes it easier to determine the value of a specific asset and the loss the company could incur, by comparing the cost of the loss with the cost of loss prevention.
The value of each specific asset should be determined through collaboration between IT staff and management. This collaboration should involve calculating the ROI, the Payback Period estimate and the NPV. In this way, the cost of the potential loss if a security breach were to occur can be determined.
Benefits and savings
One of the most basic benefits of a penetration test is your own peace of mind: you have proof that your security is strong enough to resist sophisticated attacks. By integrating these tests into your current security program, you can test frequently to ensure that your security is still up to par. This also helps customers retain confidence in your ability to keep their data secure and protects your reputation. Even one security breach can cost a company a large portion of its customer base, as well as potential future customers.
If IT has recommended security upgrades or additional security products or services such as IDS and IPS, but you aren't sure the additional spending can be justified, a penetration test can confirm the justification and tell you whether you are getting the promised ROI.
There are several ways to determine exactly what savings an automated penetration test has to offer. If your penetration test is automated, your staff spend less time performing tests and more time concentrating on threats that pose a real risk to your system. Let's say that one IT tech makes $90,000 and spends around 10% of his time dealing with threats that don't really pose a risk. That $9,000 cost becomes a potential saving of $9,000. If your penetration test is manual, determine how many hours security managers and staff spend performing the tests and the total cost of those hours. From that you can calculate the savings that switching from manual testing to automated penetration tests offers. For example, suppose an IT security tech makes $90,000 annually and spends around 20% of his time performing penetration tests. Your current annual cost of $18,000 turns into an annual saving of $18,000 once you switch to automated penetration testing.
If a security breach were to occur, the results can be devastating and the restoration costs high. The estimated cost can be determined by adding the costs of the IT department restoring service, patching vulnerabilities and eliminating the threat to the revenue lost and employee time lost during system downtime. The estimated damage from a security breach can run anywhere from $100,000 to millions of dollars, depending on the size of the company and the severity of the breach.
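The Payback Period and NPV calculations described above, applied to the article's $90,000 / 20% staff-time example, as an added worksheet that is not part of the original article. The tool cost, support cost and discount rate are constructed assumptions for illustration.

```python
"""Hypothetical ROI worksheet for an automated penetration-testing program.

Added example, not from the original article. Figures marked
'constructed' are assumptions for illustration only.
"""


def staff_time_savings(annual_salary, fraction_of_time):
    """Annual cost of the hours a tech spends on work that automation
    removes; the article treats that cost as the potential saving."""
    return annual_salary * fraction_of_time


def payback_period_years(investment, annual_net_cash_flow):
    """Years until cumulative net cash flow repays the up-front investment."""
    if annual_net_cash_flow <= 0:
        return float("inf")  # never pays back
    return investment / annual_net_cash_flow


def npv(discount_rate, cash_flows):
    """Net Present Value: cash_flows[0] occurs now (usually the negative
    investment), cash_flows[t] at the end of year t, discounted at
    discount_rate per year."""
    return sum(cf / (1 + discount_rate) ** t for t, cf in enumerate(cash_flows))


def pentest_program_case(years=3, discount_rate=0.08):
    """Compare a hypothetical automated-testing rollout against doing nothing.
    Salary and time figures follow the article; the rest are constructed."""
    savings = staff_time_savings(90_000, 0.20)  # $18,000 per year (article)
    tool_cost = 30_000        # constructed: up-front licence and setup
    annual_support = 5_000    # constructed: maintenance and support per year
    net_per_year = savings - annual_support
    flows = [-tool_cost] + [net_per_year] * years
    return {
        "annual_savings": savings,
        "payback_years": payback_period_years(tool_cost, net_per_year),
        "npv": round(npv(discount_rate, flows), 2),
    }


if __name__ == "__main__":
    print(pentest_program_case())
```

A positive NPV over the chosen horizon means the program returns more than it costs at that discount rate; the same functions can be fed the estimated breach cost from the paragraph above as an avoided loss to weigh prevention cost against loss cost.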
The final benefit is compliance with industry regulations including HIPAA, PCI, GLBA and more. The penalties for violations range from fines of millions of dollars to criminal penalties and, in some cases, jail time. By implementing automated penetration tests, you stay up to code with logs that prove each test that was performed and when it was performed. Another measure to combat losses and support compliance (or go beyond it) is security insurance. This can cover losses if a security breach succeeds, but a number of factors are involved. The company must have specific security measures in place and must adhere to safety and loss-prevention practices. Depending on the policy, penetration tests may be a requirement for the company to be able to file a claim after a successful breach.
ROI and risk prevention
Depending on how your company views penetration tests, they may be treated as an ROI item or simply as a risk-prevention tool. The penetration test tells the company which safety measures need to be implemented, upgraded or changed. If you are calculating the cost, you must include the cost of purchasing new security tools, the cost of installing the new measures, the cost of maintaining the new security and the cost of support. If you would rather view the test as risk prevention, the results can be used to determine the risk factor by analyzing the vulnerabilities and the risk the company faces if they are exploited.
The security of your system is essential; your company data, as well as the data of your customers and clients, depends on it. Stay compliant with industry regulations and schedule automated or frequent penetration tests to keep your system a step ahead. New vulnerabilities are found all too frequently, and without frequent penetration tests it may be an attacker, rather than an IT security consultant, who discovers the vulnerability in your system.