Here at CBTS, we do quite a few pentests every year. I’ll note for my readers that the term is an abbreviation for penetration tests. It’s funny how many folks think the “pen” is an acronym and spell it as “PEN test,” so let your friendly neighborhood pentester set you straight:
Penetration test = 🙂
Pentest = 🙂
PEN test = 😔
So what is a penetration test? Why does it sound so menacing and borderline inappropriate? Let me explain by referencing 1950s aerospace engineering.
In the 50s, fleets of aircraft were in use all over the world, but facing a dangerous problem: running into birds in midair. This led to technical advances in building new windshields and new engines, but engineers needed to ensure that their designs would satisfy their requirements. So how do you make sure your windshield stands up to a bird hitting it? You hit it with a bird!
This is how the “chicken gun” was born: a compressed-air cannon that would fire a dead chicken into a target. Over the following decades, several aircraft manufacturers developed these tools as a way to test the resilience of their safety measures.
Think about how much effort you put into defending your organization and computing environments from attacks. You stack up security software on your endpoints, place box after box in a pile between your users and the Internet, write pages of policy—but are you actually sure those defenses and controls will stop the threats about which you are concerned, beyond what they promise on paper?
A penetration test is ultimately the only way to make sure.
The bottom line is, if you want to know if your organization’s security strategy will truly stop your threats, a penetration test is essential. As the great philosopher Mike Tyson reminds us, “Everyone has a plan until they get punched in the mouth.”
There’s also a fear aspect: leadership and technical folks are often uneasy with the idea of someone using attacker tools against them. To which we say: attackers are out there, and they’ll use their tools whether you’re comfortable or not, so let some friendly faces do it first and tell you how to fix what they found.
There are also budgetary challenges, as it can seem extravagant to spend money on an assessment like this. Again, we would say that you’re going to incur cost if your defenses fail to stop an attacker, and that cost may be much more substantial than the cost of the test. The cost of lost business, fines, ransom payments, legal fees, brand impact, and the like can stack up pretty quickly.
If you’d like to learn more about penetration tests, and specifically what a test designed for your business and environment would look like, we’d be happy to dream up one with you. We’ll leave the chickens at home!