Five Questions With: Meredith Carroll

MEREDITH CARROLL is a senior consultant and the virtual chief information officer for Vertikal6. / COURTESY VERTIKAL6

Information technology solutions company Vertikal6 held a free webinar recently for the Rhode Island Manufacturers Association on penetration testing, and why it’s important for manufacturing and other industries.

Rather than instituting cybersecurity measures without a plan, this kind of testing gives companies a road map of sorts, said Vertikal6 senior consultant and virtual chief information officer Meredith Carroll. As Carroll told PBN, it’s only one kind of testing recommended for companies but plays an important role.

PBN: What is a simple definition of penetration testing?

CARROLL: Penetration testing, or pen testing, is an authorized exercise to evaluate if a system or device can be breached using a series of known tests. This may include looking for open ports on a firewall, attempting access to a system using standard usernames and passwords, or known vulnerabilities.


The goal of a penetration test is to evaluate the overall security of the system. Penetration tests can be white box, where the tester has information about the configuration of the system being tested, or black box, where the configuration is unknown to the tester. The results of a pen test are then used to further secure the system that was tested.

PBN: How do internal and external pen testing differ?

CARROLL: An external pen test evaluates systems that are exposed to the internet, while an internal pen test is conducted on systems that are behind an organization’s security perimeter. An internal pen test generally refers to systems that are protected by the firewall.

PBN: How is pen testing different from a vulnerability assessment?

CARROLL: In conducting a pen test, systems are subjected to active attack testing, such as man-in-the-middle attacks, spoofing, or using exploit kits that can step through known vulnerabilities to access sensitive data or gain elevated privileges.

Vulnerability assessments are a passive exercise in which no traffic patterns, files, or attributes are changed. A vulnerability assessment determines if systems have missing patches, open ports or weak defenses. A pen test may include this but takes it a step further with the active attack phase.
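To make the passive-versus-active distinction in Carroll's answer concrete, here is an added example that is not from the article, Vertikal6, or PBN. It stands up a hypothetical network service on a loopback port (the service name "ExampleSvc", its version, the affected-version table and the default-credential list are all constructed for the example), then runs two checks against it: a vulnerability-assessment style banner grab that compares the version against an affected list and changes nothing, and a pen-test style step that actually attempts default logins and leaves failed-login traces on the target.

```python
"""Added example (not from the article or Vertikal6): a constructed local
service used to show the difference between a passive vulnerability check
(read a banner, match the version, change nothing) and an active pen-test
step (attempt default credentials). Service name, version, affected-version
table and credential list are hypothetical."""
import socket
import socketserver
import threading

# Constructed "affected versions" lookup; ExampleSvc is not real software.
AFFECTED_VERSIONS = {"ExampleSvc": {"1.2.0", "1.2.1"}}
# Constructed default-credential list; the working pair is deliberately last
# so the failed attempts before it are visible on the target.
DEFAULT_CREDS = [("root", "root"), ("admin", "password"), ("admin", "admin")]


class _Service(socketserver.StreamRequestHandler):
    """Hypothetical service: sends a banner, then accepts 'LOGIN user pass'."""
    failed_logins = 0  # class-level counter: target state the active step changes

    def handle(self):
        self.wfile.write(b"ExampleSvc/1.2.0\r\n")
        line = self.rfile.readline()
        if not line:  # client only grabbed the banner and disconnected
            return
        parts = line.decode(errors="replace").split()
        if len(parts) == 3 and parts[0] == "LOGIN" and tuple(parts[1:]) == ("admin", "admin"):
            self.wfile.write(b"OK\r\n")
        else:
            type(self).failed_logins += 1
            self.wfile.write(b"FAIL\r\n")


def start_service():
    """Start the constructed service on a random loopback port; return the port."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _Service)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def _talk(port, request=None):
    """Connect, read the banner, optionally send one request line and read the reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        f = s.makefile("rwb")
        banner = f.readline().decode().strip()
        reply = None
        if request is not None:
            f.write(request.encode() + b"\r\n")
            f.flush()
            reply = f.readline().decode().strip()
        return banner, reply


def passive_assess(port):
    """Vulnerability-assessment style check: grab the banner and match the
    version against the affected list. Nothing on the target is changed."""
    banner, _ = _talk(port)
    name, _, version = banner.partition("/")
    return {"service": name, "version": version,
            "affected": version in AFFECTED_VERSIONS.get(name, set())}


def active_default_creds(port, creds=DEFAULT_CREDS):
    """Pen-test style step: actually try each credential pair. Returns the
    first pair that works, or None. Every failed attempt is recorded by the target."""
    for user, pw in creds:
        _, reply = _talk(port, f"LOGIN {user} {pw}")
        if reply == "OK":
            return (user, pw)
    return None


def failed_login_count():
    """How many failed logins the target recorded: 0 after the passive check,
    non-zero after the active step."""
    return _Service.failed_logins


if __name__ == "__main__":
    port = start_service()
    print("passive:", passive_assess(port), "failed logins:", failed_login_count())
    print("active:", active_default_creds(port), "failed logins:", failed_login_count())
```

The point of the two functions is the side effect, not the result: the passive check reports an affected version without the target noticing anything beyond a connection, while the active step only confirms the weakness by changing state on the target (here, the failed-login counter), which is why it needs explicit authorization and a scheduled window.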

PBN: In a perfect security scenario, would companies commit to all three: internal and external pen testing, and vulnerability assessment?

CARROLL: Ideally, yes, organizations would conduct all three types of assessments. That said, organizations should evaluate the resources that require protection and the risk associated with those resources. From there, a determination would be made about what types of security assessments are needed. For organizations that must comply with standards such as [Health Insurance Portability and Accountability Act, Payment Card Industry Data Security Standard, National Institute of Standards and Technology, or General Data Protection Regulation], overall security assessments designed for those compliance types are recommended.

PBN: Is it preferable to have an outside cybersecurity company perform these tests, and if so, why?

CARROLL: It is always recommended to have an objective third party perform an assessment, as they do not have a stake in the outcome. At Vertikal6, we encourage our managed-services clients to engage with a separate security vendor so that there is an independent review of the work that we are doing.

Susan Shalhoub is a PBN contributing writer.
