FAQs Archive

Q: What is a penetration test?

A penetration test , also known as a “pen test” is a method for evaluating the effectiveness of an organization’s security controls. Testing is performed under controlled conditions, simulating scenarios representative of what a real attacker would attempt. When gaps are identified in a security control, a penetration test goes beyond basic vulnerability scanning to determine how an attacker would escalate access to sensitive information assets , confidential information, personally identifiable information (PII), financial data, intellectual property (IP) or any other sensitive information. Penetration testing utilizes pen test tools and techniques, guided by a disciplined and repeatable methodology, resulting in a report containing detailed findings and recommendations that allow an organization to implement counter measures and improve the security posture of the environment. These improvements ultimately reduce the likelihood an attacker could gain access. Consider an ongoing Penetration Testing program to assess your safeguards throughout the year for a proactive security approach.

Q: Is pen testing disruptive to our environment? Will our systems go down? What is the pen testing plan?

If the pen test is not properly planned and coordinated, it can be disruptive. This is why it is imperative that the planning is done properly, and comprehensively, to identify potential risks for disruption and adjust the approach accordingly. This planning should be conducted well in advance of any testing start date in order to ensure adequate time for communication to project stakeholders. The communication and monitoring should continue throughout the pen testing schedule. “…the PEN test went well, and business was not affected by it, which is very important during our busy season.” - Logistics and Freight Transportation company

Q: How is the scope of a penetration test defined?

Collaboratively, the scope of a penetration test should always be customized to suit the unique nature of the business and understanding of their risk profile . A variety of considerations, both internal and external to an organization, impact and guide the scope of a penetration test: The nature of the business and types of products/services offered Compliance requirements and deadlines Geographic considerations Organizational structure The organization’s strategic plans Customer expectations, especially when an organization acts as a custodian of that customer’s data The value of the company’s assets Redundancy in the environment that may impact sampling thresholds Network segmentation and connectivity The age of different components of the environment Recent or planned changes to the environment All of these factors need to be discussed and understood to make sure that the scope is appropriate and to ensure that the testing is focused in the areas of the environment that warrant it.