Penetration Testing Learning Objectives
After reading this article, you will have a better understanding of:
- The different types of penetration tests;
- The difference between penetration testing and vulnerability scanning; and
- How to evaluate vendors to select the right organization for the job.
What You Need to Know About Penetration Testing
A pen test is arguably one of the most important security assessments an organization will undertake. This simulated cyber-attack can identify critical issues that, if left unresolved, could result in a major security incident such as data exfiltration or ransomware. Not all pen tests, however, are created equal. Penetration testing service providers can take very different approaches to the same engagement. They may use the same terminology to describe vastly different services, both in terms of quality and scope, which can make it challenging when choosing between providers.
The goal of a pen test is to identify and verify the systems that can be exploited by an attacker, and to communicate the findings and recommendations in a way that makes the remediation process as efficient as possible. In the end, the company’s data is better protected, and the job of the IT team is made that much easier. The likelihood of achieving this goal depends on the testing methodology, tools, people, communication, and reporting.
Given the importance of uncovering systems that can be exploited, and the possibility of the pen tester missing them, selecting the right service provider is an important part of the due diligence process. Before selecting a provider based purely on price, it is important to understand how different providers may approach an engagement.