Do You Test Pens?

“Literally, what do you do all day?”

That’s a question we get from time to time, perhaps because what we do is not well understood. Well, we do pen testing.

“OK, but what is that?  Do you test pens?  That sounds boring.”

Yes, that would probably be boring. But no, we don’t test pens. Instead, we test whether your systems can be breached, or “penetrated”. That’s a long word to keep typing, and also has connotations you might find in the Urban Dictionary, so everyone just says “pen testing”.

“Got it. So what does that look like? What are you actually doing?”

Basically, we’re like auditors, but instead of looking for financial irregularities we look for security weaknesses and share those details with our customer so they can fix those before an attacker exploits them.

“Do you just hack around like an attacker might? Don’t auditors use a defined standard to audit against, that everyone agrees on?”

Well, we do think and operate just like attackers do. You need a “hacker mindset” to be able to do this well. But pen testing doesn’t produce good value if you just have a hack around. Like financial auditing, it works best in terms of bang for buck when you are methodically testing everything required by a widely accepted standard, and that’s what we focus on. That gives our customers the best confidence for their investment, and allows them to give that same assurance to their customers, prospects, governance team, and other stakeholders like regulators.

“What sorts of things should be pen tested then?”

There are different areas where security weaknesses can lead to data and privacy breaches and other bad outcomes. Broadly, these can be split into:

  • Things that are open to the public internet (intentionally, or not); and
  • Things inside your private networks that allow a successful attacker on a PC or server to see and do (exploit) way too much.

Many businesses these days have their entire business on the public internet, and many others care deeply about their online presence and reputation not being damaged. So we recommend that most businesses start by pen testing their internet connected services first. You can learn quite a lot even from a single pen test, and you can then decide what to do (and test) next.

“OK, got it. Pen testing’s obviously a lot more important and interesting than it sounds then”

It really is!  We love it, and that’s one of the reasons we’re really good at it.