01-10-2021
Curious how a hacker can penetrate your IT systems and what damage he can cause there? Then you have to have a pen test performed. We explain what it is, why organizations are interested in it and how to work with the results of a pen test.
What is a pen test?
A pen test, short for penetration test, is a method of testing cyber security within an organization. For this, an external pen tester, also called an ethical hacker, is brought in.
This person looks at your organization through the eyes of a malicious hacker and tries to find vulnerabilities within a secured IT environment. In other words, a threat is simulated.
Using the latest tools and methodologies, a pentester tries to expose vulnerabilities in every possible way and at different levels. Afterwards, he presents his findings in a pentest report.
Why have a pen test performed?
To protect yourself as an organization against attacks by hackers and cyber criminals, you must of course first know where your weaknesses are. Simulating an attack by means of a pentest maps out where the weaknesses lie within an organization. You can then get started on addressing these vulnerabilities.
Three types of pen tests
Within the world of penetration testing, we distinguish between three different types of testing. Each has its advantages.
Black box pentest: Most closely resembles a real threat. The pentester does not receive any information in advance about the (security within an) organization. He gets, as it were, carte blanche to detect vulnerabilities. Often a scope is discussed in advance and it is necessary to stay within a certain budget. This is a good method to get a general picture.
White box pen test: All information about the cyber environment is shared in advance. All code and documentation is transparent, after which a pen tester searches for vulnerabilities in a targeted manner. This takes a lot of time, so that often only a small part of a system is tested. For example, consider the security of a single API link.
Gray box pentest: Some information is shared in advance, but not everything. For example, this test simulates a well-informed (but malicious) customer or employee within an organization.
Things to take into account
A pen test is a good way to detect potential threats. However, it is not wise to run a pen test every now and then and otherwise stop looking at your cyber security. There are several reasons for this:
Hackers are becoming more and more inventive. A new method of circumventing security may emerge today that was not an issue yesterday. It is therefore good to realize that a pentest is only a snapshot. The results expose vulnerabilities that are present now, but offer no guarantee for the future.
A pentest report shows all possible threats, including vulnerabilities that don't matter at all. Therefore, always keep a critical eye on the results: what can a hacker really do when he is given access? For example, being able to download public documents should not be a problem.
Don't forget to ask yourself: what am I actually trying to protect? And what is the threat against what I am trying to protect? Because only then do you know which vulnerabilities you need to tackle as a priority. It also helps to determine the scope of a pen test.
Look beyond the pen test!
Pen testing is a great way to see your organization through the eyes of a hacker. A good penetration tester will always find vulnerabilities that you can act on immediately. But is it necessary?
As you have read, there is more to consider. A pentest is a snapshot of the vulnerabilities within an organization. It does not look at possible threats or what the consequences are of a security breach. And it also only looks at the present, not the future.
In short: by having a pen test done, you only know which vulnerabilities your organization has. Not whether this actually poses a threat.
Also map out the possible threat
Critical assets, vulnerability and threat are the three components of cyber risk. A pen test only deals with the first two of these, while at MMOX we also look at the threat. What do you really need to protect your systems against? What has priority? MMOX helps organizations to clarify which vulnerabilities there are, but also which ones need to be addressed.
By means of the latest technology, monitoring, insight, targeted advice, incident response and insurance, we minimize the cyber risk for entrepreneurs in the SME+ segment.