Penetration testing is the practice of simulating a real-world cyber-attack against your infrastructure, an application or, in some cases, your staff. Such testing is strongly advised, and in some cases compulsory, under many security standards such as PCI DSS and ISO 27001. The main objective of a penetration test is to gain assurance that your systems are secured appropriately and that they will hold up against an attacker.
Penetration testing is typically separated into a number of attack categories: infrastructure testing, web application testing, and social engineering testing or phishing simulations. Each category captures different information during the engagement and focuses on a different area of your business. Infrastructure and application tests are solely focused on finding vulnerabilities or misconfigurations that could allow an attacker unauthorised access. Social engineering, by contrast, focuses on staff-oriented attacks: it looks for weak links that an attacker could exploit to obtain information, gain access or open an avenue for a further attack.
IT Governance have published guidance on penetration testing and strongly advise conducting a test in response to a breach at a similar organisation. The rationale is to identify whether your business shares any common patterns with the breached organisation, and to verify that your systems would remain secure if the same attack were carried out against you.
Overall, penetration testing is an excellent way of ensuring that your systems and staff are resilient to cyber threats. A good tester uses up-to-date tooling that mirrors, as closely as possible, what a real-world attacker would use. Keeping current with the latest toolsets, vulnerabilities and techniques gives the penetration tester a real advantage when simulating these scenarios and significantly improves their ability to identify weaknesses during an engagement.