
How to build an enterprise penetration testing plan

Simulating an attack against your network is one of the best ways to remediate security holes before the bad guys find them. Here, learn penetration testing basics and how it can help keep your enterprise safe.

Attempting to breach your own network, server or application may sound counterintuitive, yet that's exactly what penetration, or pen, testing is. It's also one of the best ways to identify and remediate difficult-to-spot security issues.

There are several reasons why you may want to perform a penetration test on your own business, and there are a couple of different ways to get the job done. Before jumping in, be sure to build an enterprise penetration testing plan so you know exactly what you're testing, the tools that will be used and who will be conducting the tests.

The why of enterprise penetration testing

The concept of a pen test is simple: Define a target -- a network, server or application -- find its vulnerabilities and attempt to exploit them the way a real attacker would, so the result shows demonstrated impact rather than a theoretical weakness. Testing can also extend into social engineering and physical security.

The goal of any pen test is to identify areas of weakness and fix them before bad actors have a chance to exploit them with far more damaging results. Without regular penetration testing and remediation as a safeguard, security vulnerabilities can go unnoticed until they are used for unauthorized access, data theft or denial-of-service attacks.

The who of pen testing

Who ends up performing the penetration test will vary based on your enterprise's specific pen testing needs.

Tests can be run by in-house IT or security staff, or, as is equally common, by an outside security firm. If you plan to perform a self-assessment, understand that it is unlikely to be as thorough as a test by a third party, which brings specialized skills and none of the blind spots that come from familiarity with your own environment. That said, in-house assessments are a useful supplement to a regularly scheduled test performed by a skilled external team.

The what -- tests and tools

The information provided to the test team about the target may vary from one test to another to simulate different attack angles: In a black-box test, the testers receive little more than a name or address range; in a white-box test, they receive documentation, credentials and often source code; a gray-box test sits in between. Additionally, tests may be run as if the attacker were directly connected to the corporate LAN, simulating malicious behavior from an in-house employee or an internally compromised device. Alternatively, the tests could originate externally from the internet to mimic bad actors attempting to breach edge security components.

A penetration test may combine manual and automated methods designed to exploit potential vulnerabilities. Tools range from general-purpose applications, such as a packet sniffer, to purpose-built products such as the Nessus vulnerability scanner, the Aircrack-ng wireless security suite and the Linux network login brute-forcing tool Hydra, among others. Finally, several security vendors have created their own packages of penetration tools that can automate and schedule tests to run without human intervention. Keep in mind that automated scanning is good at finding known weaknesses; it takes a human tester to chain individual findings into a realistic attack path.

This was last published in August 2019
