Pen Test: The Why, The When and The How

Imagine it is midnight. You are already under the covers with the lights off when suddenly you think to yourself, “Did I lock the front door?” You feel that you must have, because every night for the past 40-odd years you have locked it without fail. But tonight there is a nagging feeling that makes you reluctantly get out of your comfortable bed to check the front door.

Has this ever happened to you before?

Now, if it wasn’t locked, you can simply walk to the front door and lock it. Simple enough. Protecting your house takes only a few steps. But if this “house” is in fact your business, and the “lock” is in fact the set of security tools you have implemented to protect your business, how sure are you that these locks on your infrastructure will work every time?

This is where a pen test comes in.

So, what is a pen test? Why does my business need one? And when and how often should I pen test?


What is a pen test?

A penetration test (or pen test, for short) is a simulation of a possible cyber attack against an IT system performed by a professional with no malicious intent.

In short, the main purpose of a pen test is to find exploitable vulnerabilities before anybody else does so that they can be patched and addressed accordingly.

To understand this a bit better, let’s take a look back at the same scenario:

In the past few weeks, the number of burglaries in HDB flats like yours has doubled. With your family’s security in mind, you decide to install a new lock on your front door. After the installation, you want someone to test the new lock to see if it really works. You ask your neighbour and good friend, Bob, to pretend to be a burglar and try to break into the house. If he doesn’t succeed, you know your new lock works wonders!

A pen test is just like this!

But then you might wonder, why on earth would I want to simulate a break-in, or in this case, a possible cyber attack? Am I crazy?

Well, let me just ask you one simple question:

Would you rather have a reliable professional try to break into your system, or have a real hacker break into it and succeed?

The answer is right in your face.


So, why do I need a pen test?

Nowadays, high-profile security breaches continue to dominate the media headlines, and they are growing in number and complexity. It does not help that companies of all sizes now have a network presence, and that the internet has made it easier for attackers to reach companies anywhere in the world.

In the meantime, malicious hackers are also actively developing new and more sophisticated forms of attacks every single day. Therefore, this places an increasing number of businesses at risk.

Thus, having anti-virus software and a firewall is no longer enough!

Modern businesses require a more advanced approach to security. They need to test their resistance to cyber security threats and build highly effective defence mechanisms and remediation strategies.

So to test whether and how a malicious user can gain unauthorized access to your assets, you’ll need a professional pen testing service!

Still not convinced? Here are a few more reasons I can think of:


To Uncover System Vulnerabilities before Hackers Do

The most surefire way to measure your security level is by studying how it can be hacked.

Basically, to combat a hacker, you need to think like a hacker.

A pen test offers a way to safely test your system’s resistance to external hacking attempts. It models the actions of a potential intruder by trying to exploit vulnerabilities caused by coding mistakes, software bugs, insecure settings, service configuration errors and/or operational weaknesses.

The main difference between a pen test and a real hack is that a pen test is safe and controlled. Moreover, the client company can pre-define the scope and timing of a pen test and be informed beforehand about any active exploitation of vulnerabilities in its IT infrastructure.

To Save Remedy Costs and Reduce Network Downtime

Recovering from a security breach can cost your business thousands or even millions of dollars!

A recent study by IBM Security found that the average cost of a data breach globally in 2018 was $3.86 million, 6.4% more than the previous year’s figure.

Getting everything back to normal after a breach requires substantial investment, advanced security measures and weeks of downtime.

A pen test is hence a proactive solution to identify your systems’ weaknesses and vulnerabilities, and to prevent your business from serious financial and reputational losses.

To Preserve Company’s Image and Customer Loyalty

A cyberattack can damage a company in many ways, and not just economically.

Security attacks may compromise your company’s sensitive data, resulting in a loss of trusted customers and serious reputational damage. A pen test can help you avoid costly security breaches that put your organisation’s brand, reputation and customer loyalty at stake.

To Develop Efficient Security Measures

A pen test usually ends with a formal document explaining and detailing all the findings. This document should contain at least two main sections: an executive summary where the tester or testers explain the process and findings in a high-level manner, and a technical summary where the more in-depth details can be explained.

The summarised results of a pen test are thus essential for assessing the current security level of your company’s IT systems. They provide your company’s top management with insight into the identified security gaps, whether they are real and current, and their potential impact on the system’s functioning and performance. An experienced pen tester will also present you with a list of recommendations for timely remediation, and will help you build a reliable information security programme and prioritise your future cyber security investments.

Therefore, only a pen test can make a realistic assessment of your company’s “health” and its resistance to cyber attacks. It is able to show how successful or unsuccessful a malicious attack on your company’s IT infrastructure can be.


When should I pen test?

For once in your life, you can be a Goldilocks.

Do not start your pen test too early or too late. It has to be just right.

Some companies make the crucial mistake of starting a pen test too early on a network or system deployment. Now, when a system or network is being deployed, changes are still constantly occurring. So if a pen test is undertaken too early in that process, it might not be able to catch possible future security holes.

However, most companies do not adhere to this recommendation because they are too eager to get their return on investment (ROI) as soon as possible, or because their project has already exceeded its deadline or budget. These factors make companies eager to push their new services live without having conducted the proper security assessments. This is a huge risk that needs to be evaluated and put in perspective when deploying new systems.

In general, a pen test should be done right before a system is put into production, i.e. once the system is no longer in a state of constant change.


How often should I pen test?

Now, be aware that a pen test is not a one-time task!

Networks and computer systems are dynamic — they do not stay the same for very long. As time goes on, new software is deployed and changes are made, and they need to be tested or retested.

How often your company should engage in pen testing depends on several factors, including:

  • Company size
  • Budget
  • Regulations, laws and compliance, and
  • Infrastructure

Unsure of how to move forward from here? Click the green button to talk to us today!


eVantage Technology is a professional and trusted IT solutions provider, dedicated to providing exceptional service to companies in Singapore and across Asia.