Should pentest exercises be performed? Why? How often?

  • October 19, 2022

When it comes to cybersecurity, nobody is immune to the risks. Organizations of all sizes, from major international corporations like Sony and eBay to small, independently-owned local businesses, need to be vigilant about emerging threats. A common refrain throughout the industry is that there are only three types of companies: those that have been hacked, those that don’t know they’ve been hacked, and those that will be hacked.
Your business may not be hit with the $100 million+ hacks that get featured in the news, but that doesn’t mean you won’t get hit at all. In a recent poll, the average cost of recovering from a ransomware attack was $1.4 million. Even if the costs are covered by insurance, this can still be incredibly disruptive to daily operations.
The good news? When administered properly, penetration tests can help you keep these threats at bay.


What is penetration testing?

Penetration testing is a cybersecurity technique that mimics a cyber attack to identify and exploit vulnerabilities throughout an organization’s on-premise and/or cloud systems. Put simply, it is an ethical hack – rather than attempting to steal data or extort a company for money, the goal is to safely expose weaknesses so that the company can shore up its defenses.
Cybercriminals are constantly looking for ways to stay a step ahead of standard cybersecurity protocols and practices. Pen testers try to anticipate their next moves to help ensure that your web apps, mobile apps, and IT infrastructure are ready for future attacks. Some of the most important penetration testing methodologies and standards include OWASP, MASVS from OWASP, OSSTMM, and NIST.


Main pen testing types and techniques

The three main penetration testing types are black box, white box, and gray box.

  • Black Box Pen Test

Black box pen testing is a great way to test external vulnerabilities, as the tester is given no information or inside knowledge about the company (and vice versa). This allows for an authentic replication of a real-world hack without the real-world costs and implications.

  • White Box Pent Test

With a white box pen test, the organization shares information and access with the testers to speed up the process and reduce costs. This type of internal risk analysis can be a good way to test specific system vulnerabilities and expose tiny flaws in your security infrastructure.

  • Gray Box Pen Test

A gray box penetration test is a combination of white box and black box testing. Testers may be given some information, such as log-in credentials, but will otherwise be left to their own devices. This type of testing is useful for identifying what type of damage can be done after the network perimeter is breached.

The tests above can be used to test infrastructure, wireless systems, web applications, mobile applications, network configurations, and social engineering risks.
Pen testing can be administered manually or automatically. Manual tests typically yield higher results, while automatic testing enables rapid execution. Ideally, organizations should work with a reputable cybersecurity partner to implement pen testing that incorporates aspects of both.


Key pen testing benefits:

  • Assesses Cyberthreat Preparedness

First and foremost, penetration testing helps you evaluate your current protection and prepare for future (attempted) breaches.

  • Improves Organizational Awareness

Exposure to pen testing exercises will help your internal team better understand the complexities of cybersecurity in the 2020s.

  • Enhances Company Reputation

Regular penetration testing shows potential clients, customers, and investors that you take threat mitigation and data security seriously.


Is penetration testing required?

In addition to the many security benefits of penetration testing, it is also a minimum requirement for many widely used security standards and regulations, including SOC2, ISO, GDPR, and NIST.


How often should I perform pen testing?

At a minimum, pen testing should be done once a year to make sure that your network security is keeping pace with the updated tools, techniques, and technologies that threat actors are using to execute their attacks. Many of the regulations listed above (GDPR, SOC2, etc.) have specific testing requirements of their own.

Anytime you significantly alter your operations and/or security capabilities, it is advisable to go above and beyond your regularly scheduled testing to ensure that you aren’t exposing yourself to elevated risks. Adding new mission-critical applications, making major changes to your infrastructure, or opening new offices are just a few of the common situations when an additional pen test is a good idea.


Ready to take the next steps? Flugel is here to help.

Schedule a free expert consultation to discover what our pen testing specialists can do for your team today.


Written by: Francisco Cruz Caviedes
General corrections and edition: Diego Woitasen