What is it?
Authorized testing of a computer system or network with the intention of finding vulnerabilities. Also called pen testing.
Why is it important?
A cyberattack can harm not only your organization, but also customers, partners, employees, and vendors. Penetration testing can reveal vulnerabilities, suggest improvements to your systems, and reduce risk for your organization. In addition, penetration testing is encouraged and even required by certain industry standards.
Why does a business professional need to know this?
Cybersecurity experts use automated penetration test tools to scan network resources and find vulnerabilities. They use another toolset to hack into any vulnerable resources they find. Testers employ tools to monitor or map networks, spy on web traffic, scan systems or apps for weaknesses, and crack passwords.
Exploiting vulnerabilities differentiates penetration testing from merely assessing security. A white-hat attack gives administrators hands-on experience at defending their system and identifying the methods an attacker might use. The result of penetration testing is usually a report describing vulnerabilities in the system or in security policies. Rather than just proving whether a system can be hacked, a penetration test report explains how to improve the system and reduce risk for the organization.
Penetration testing is required by the Payment Card Industry Data Security Standard (PCI DSS). It also meets the requirement for a vulnerability assessment under ISO 27001, the ISO standard for information security management systems.
Penetration testing is recognized by many organizations as a best practice, even when it is not externally required. For example, in 2016, the US Department of Defense (DoD) invited hackers to probe Pentagon computers. More than 1,000 hackers signed up. They found more than 100 bugs and were paid tens of thousands of dollars in reward money. The DoD has since duplicated the experiment with Army systems and DoD web resources, with similar results.
You will never hear a news story about penetration testing that prevented a breach. The objective of penetration testing is to combine the wisdom of people with effective tools to proactively scan an environment for weaknesses. When done properly, weaknesses identified by penetration testing are scheduled for remediation as soon as possible based on the potential impact of the weakness.