Penetration testing (also called pen testing or ethical hacking) is a systematic process of probing for vulnerabilities in your networks and applications.
It is essentially a controlled form of hacking in which the ‘attackers’ act on your behalf to find and test weaknesses that criminals could exploit.
The penetration testers’ report can then inform your choice of cyber security controls.
Vulnerabilities that cyber attacks could exploit might result from:
Poor or improper configuration;
Known and unknown hardware or software flaws; or
Operational weaknesses in processes or technical countermeasures.
Experienced security professionals will mimic the techniques used by criminals,
but without causing damage, enabling you to address the security flaws that leave your organisation vulnerable.
Why is penetration testing important?
Conducting a security assessment to identify vulnerabilities in your computer systems is essential to your organisation’s security. An automated vulnerability assessment can give you valuable information about your security status, but cannot give you a proper understanding of the security issues you face. Only a penetration test carried out by a trained security professional can do that. New cyber security vulnerabilities are identified – and exploited by criminals – every week. Previously patched vulnerabilities can also be reintroduced as your infrastructure or applications change over time. To protect yourself, you should regularly conduct security testing to:
- Identify security flaws so that you can resolve them or implement appropriate controls
- Ensure your existing security controls are effective
- Test new software and systems for bugs
- Discover new bugs in existing software
- Support your organisation’s compliance with the EU GDPR (General Data Protection
- Regulation) and DPA (Data Protection Act) 2018, and other relevant privacy laws or regulations;
- Enable your conformance to standards such as the PCI DSS (Payment Card Industry Data Security Standard)
- Assure customers and other stakeholders that their data is being protected.