Frequently Asked Questions
CyberBullet helps businesses stay safe with technology across various industries. IT security is an ongoing issue that continues to evolve constantly. Most of the questions we receive are related to cybersecurity, cyberattacks, and data security. Our team has put together answers to some of the most common questions we get about cybersecurity for businesses.
A penetration test, also known as a “pen test” is a method for evaluating the effectiveness of an organization’s security controls.
Testing is performed under controlled conditions, simulating scenarios representative of what a real attacker would attempt. When gaps are identified in a security control, a penetration test goes beyond basic vulnerability scanning to determine how an attacker would escalate access to sensitive information assets, confidential information, personally identifiable information (PII), financial data, intellectual property or any other sensitive information.
Penetration testing utilizes pen test tools and techniques, guided by a disciplined and repeatable methodology, resulting in a report containing detailed findings and recommendations that allow an organization to implement counter measures and improve the security posture of the environment. These improvements ultimately reduce the likelihood an attacker could gain access.
If the pen test is not properly planned and coordinated, it can be disruptive. This is why it is imperative that the planning is done properly, and comprehensively, to identify potential risks for disruption and adjust the approach accordingly.
This planning should be conducted well in advance of any testing start date in order to ensure adequate time for communication to project stakeholders. The communication and monitoring should continue throughout the pen testing schedule.
It depends on who you ask; you shouldn’t put a lot of stock into these since no industry accepted standard for these terms exist. For example, the approach of the test may be referred to as “Ethical Hacking” (implying legitimacy of the approach), “Black Box Testing” (implying a covert, unassisted, test), “White box Testing” (implying an assisted, non-covert test), or any variety of shades of gray along the way.
These are terms cleverly used for marketing purposes and should not be considered when forming a basis of the qualifications of the test team. When selecting a team to perform the test, the company should focus on the credentials of all team members on the project, their experience, peer references from those that have worked with them, and ultimately that their approach and methodology is industry accepted. These characteristics are what matters to ensure a test is performed safely, comprehensively, and can be relied on.
In the ever-changing world of cyber security, new terms and names are continually being invented to describe a penetration test. Our recommendation is to call a “penetration test” by what it is…a “penetration test”.
Goals of a penetration test vary greatly based on the scope of review. Generally speaking, the goal of a penetration test is to validate the effectiveness of security controls designed to protect the system or assets being protected.
A Penetration Test should always document the goals of the project. Penetration Test reports and deliverables outline the expectations, scope, requirements, resources, and results.