Many self-proclaimed experts are incredibly good at selling solutions or services that claim to solve all your cyber risks. Unfortunately, a magic bullet, two-birds-one-stone, or all-in-one solution often ends up being inefficient, ineffective, complex, or simply too expensive to adopt completely.
The harsh reality is that most of your corporate risk is caused by people, specifically that one individual who clicked on the wrong attachment or link, or simply failed to think before acting. In other cases, cyber breaches are caused by malicious insiders with the intent of disrupting business operations. Not everyone is Milton (Office Space, 1999) threatening to burn the place down if you take his red stapler, but such people do exist.
Here's where a Penetration Test can identify some risk, but not all, and it's important to realize that results vary based on who conducts the test and how deep they go into your environments. In the simplest analogy, think of your home: it has an outside, an inside, and personal items in cabinets, drawers, closets, and so on. When you install a home alarm system, it consists of motion sensors, glass-break sensors, and keypads. That's great, but it only protects you from outside intruders; we call this the perimeter. Once the perimeter is breached or bypassed (think of your typical user or admin with system credentials), it's often difficult to protect the assets inside.
Often, companies believe that a firewall is the best line of defense, but as recent cyber breaches like Equifax show us, a vulnerable system is always the way in for cyber criminals. This is where rinse-and-repeat comes into effect: companies must conduct quarterly or annual Penetration Tests to help identify their weaknesses and the most likely point of attack.
However, to my earlier point, Penetration Tests can be overwhelming because everyone out there is doing them differently, and costs are all over the board. Here are some things to consider when evaluating what’s right for your company.
Determine the Type of Scan and Analysis:
Scope:
Report:
Most Penetration Tests should be repeatable, and the repeat tests should cost significantly less than the initial one. It's similar to a personal health check: a complete annual checkup is more extensive than a routine appointment, and the annual checkup serves as your baseline for detecting any deviations in your health. There's also a good chance you have access to the software or hardware used during the penetration test, so you can run your own progress report between engagements.
At the end of the day, always focus on the need, talk to several true cyber security experts, and do your research before starting the work. There are too many questionable practices taking place with very little return or few quality deliverables.