A penetration test is, quite simply, an authorised and pre-emptive way of determining the security level of an IT infrastructure by attempting to exploit a number of vulnerabilities in the system, including but not limited to the operating system, application flaws, configurations and end-user behaviour that could pose a risk. It is only by carrying out such tests that developers can assess the efficiency of their defensive mechanisms, and the results allow coherent end-user security policies and agreements to be written.
Typically these tests are performed manually by an in-house security technician or an independent security consulting service, with the help of automated technologies designed to attack the network, its devices, servers, applications and other points of weakness simultaneously. If any such vulnerable area is compromised, technicians can attempt to penetrate further into the system to see what else could potentially be exploited. This information is then collated and presented to IT and network managers to advise department heads and other professionals and help them make informed decisions on how to protect their infrastructure and where the priorities for such areas should lie.
To the uninformed it may seem like a lot of work for very little yield; however, this is certainly not the case. A study performed in 2014 concluded that a data breach results in an average direct financial loss of $3.5 million to the affected company; this includes the financial effects of negative press and loss of customers as well as legal fines and penalties, not to mention the value of the data lost.
There is no hard and fast rule as to when penetration testing should be performed; however, it is strongly advised that tests be run on a regular basis to ensure consistent network management and to discover and remedy new threats and vulnerabilities before they are exploited by attackers. Further to this, it is advised that penetration tests be performed whenever new network infrastructure is added or altered, new office or network locations are established, new security patches have been applied or end-user policies are modified.
Not only does penetration testing allow network managers to deal efficiently with vulnerabilities and their associated risks, it can also add profit to an organisation by reducing periods of network down-time for maintenance, helping to avoid the fines and associated costs should a data breach occur, and helping to preserve customer loyalty. All in all, it is something that every business should have in its arsenal.