What is Penetration Testing and Why Should Your Organisation Use It?
Falanx views penetration testing (also known as ‘pen testing’ or ‘ethical hacking’) as: ‘a method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.’
Penetration testing is a core tool for analysing the security of IT systems, but it’s not a magic bullet.
Penetration testing should be viewed as a method for gaining assurance in your organisation’s vulnerability assessment and management processes, not as a primary method for identifying vulnerabilities.
A penetration test should be thought of as similar to a financial audit. Your finance team tracks expenditure and income day to day. An audit by an external group ensures that your internal team’s processes are sufficient. Equally, you should know what the penetration testers are going to find, before they find it. Armed with a good understanding of the vulnerabilities present in your system, you can use third-party penetration tests to verify your own expectations.
Our highly experienced penetration testers may find subtle issues which your internal processes have not picked up, but this should be the exception, not the rule. The aim should always be to use the findings of a penetration test report to improve your organisation’s internal vulnerability assessment and management processes.
What Will a Penetration Test Tell You?
Typically, our penetration tests are used to identify the level of technical risk emanating from software and hardware vulnerabilities. Exactly what techniques are used, what targets are allowed, how much knowledge of the system is given to our testers beforehand and how much knowledge of the test is given to system administrators can vary within the same test regime.
A well-scoped penetration test can give confidence that the products and security controls tested have been configured in accordance with good practice and that there are no common or publicly known vulnerabilities in the tested components, at the time of the test.
What Sorts of Systems Should be Tested?
Penetration testing is an appropriate method for identifying the risks present on specific, operational systems consisting of products and services from multiple vendors. It could also be usefully applied to systems and applications that have been developed ‘in-house’.
Falanx – A Trusted Penetration Testing Company
A penetration test can only validate that your organisation’s IT systems are not vulnerable to known issues on the day of the test.
It’s not uncommon for organisations to let a year or more elapse between penetration tests. If a penetration test is your only means of validating security, vulnerabilities could therefore exist for long periods of time without you knowing about them.
Third-party penetration tests should be performed by qualified and experienced staff only. By their nature, penetration tests cannot be entirely procedural, because an exhaustive set of test cases cannot be drawn up. Therefore, the quality of a penetration test is closely linked to the abilities of the penetration testers involved.
The UK’s NCSC recommends that HMG organisations use testers and companies which are part of the CHECK scheme. Non-governmental organisations should use teams qualified under one of these certification schemes: CREST, Tiger Scheme, Cyber Scheme.
Falanx is:
- a CHECK scheme organisation;
- a CREST member company;
- and a Cyber Essentials Certifying Body.
Penetration testing is an integral part of many regulatory and legal frameworks, including PCI DSS, Cyber Essentials, GDPR and ISO 27001. Therefore, our compliance testing services are designed to deliver penetration tests that meet or exceed each of these standards.
Why Choose Falanx?
We are Ethical: because we are in a position of trust, we don’t employ ex-hackers – we thoroughly vet and constantly monitor our staff who are also bound by the codes of conduct and practice of CREST and CHECK.
We are Pragmatic: we make sure that what you want is what you need. You can be sure that you get solutions that work within your budget and reports that properly reflect your organisation’s attitude to risk.
We are Professional: we believe that we must do more than satisfy clients – we must exceed their expectations. We assign a partner to each client to take full responsibility for your needs and the success of each project.
- Our business-focused approach means that we can talk to management as easily as we can talk to technical people.
- We combine ethical hacking techniques and commercial vulnerability scanning to provide a thorough and cost-effective service.
- Our reports offer accurate, meaningful results in a format that can be tailored to suit your organisation, addressing both management and technical requirements.
- Our post-test discussions provide clear, pragmatic guidance for remediation. We are with you every step of the journey to securing your organisation.
- We invest heavily to keep our skills current with the evolution of cyber security threats, testing techniques and emerging technologies.
- Our project management system ensures every member of staff can answer your queries easily and accurately.