The market for penetration testing is expected to reach $3.1 billion by 2027, growing at a 12% CAGR over that period. Fueled by the rising number of mega-breaches and increasingly sophisticated attacks, IT teams are taking a more proactive approach, using penetration testing to validate and improve their security configurations. As more organizations do business on SaaS and cloud programs, penetration testing is becoming an important complement to cloud data loss prevention tools.
What is penetration testing?
Penetration testing (pen testing) is defined by the NIST as “A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of an information system.”
Essentially, pen testing takes place when an IT team hires a cybersecurity expert to attempt to penetrate the company’s security defenses. If the expert is successful, the IT team can make the necessary adjustments to their configuration to ensure a hacker can’t take advantage of the same vulnerability.
Ideally, penetration testing is carried out by an independent third party with no prior familiarity with the organization’s security protocols. This arrangement allows the contractor to expose blind spots that the IT team may have missed. Also known as “ethical hackers”, these third-party partners use their advanced expertise to help fix security flaws rather than exploit them.
Types of penetration testing
There are a few different penetration testing methods your organization could use to find vulnerabilities.
Open-box or closed-box pen test
In an open-box pen test, the ethical hacker is given some information ahead of time regarding the information the company hopes to keep secure. Essentially, the IT team is hoping to test a specific area of its security protocols. Conversely, in a closed-box pen test, the hacker is given almost no information beyond the name of the target company.
Covert (double-blind) pen test
Beyond key IT professionals, no one in the organization knows that the penetration testing will take place. The ethical hacker is given a specific scope and details of the test in writing beforehand and then launches an attack without the employees’ awareness. This allows IT teams to test things like training, IAM, and other security protocols.
External and internal penetration testing
In external penetration testing, the ethical hacker focuses on the company’s external-facing technology: its website and network services, for instance. This could even mean launching an attack from outside the building to see if it’s possible to access valuable information from anywhere. Internal testing, conversely, focuses on the company’s internal network and is well suited to rooting out potential insider threats.
In each of these types of tests, penetration testing typically involves some kind of brute force attack (e.g., cracking passwords or encryption keys) followed by social engineering. Depending on the scope of the engagement, an ethical hacker may also try to cover their tracks upon completion to avoid detection, which simultaneously tests the company’s monitoring systems.
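The monitoring side of the brute force step described above is what the blue team should be able to catch. The following is an added example, not code from the original post or from Nightfall: a small detector that reads sshd-style authentication log lines (constructed sample data with hypothetical RFC 5737 addresses), counts failed logins per source address inside a sliding time window, and raises a higher-severity alert when a successful login follows a burst of failures, the pattern a password-guessing attack leaves behind when it works.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log lines (hypothetical hosts, users and IPs).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[101]: Failed password for admin from 203.0.113.7 port 50001
2024-03-01T10:00:02 sshd[101]: Failed password for admin from 203.0.113.7 port 50002
2024-03-01T10:00:03 sshd[101]: Failed password for root from 203.0.113.7 port 50003
2024-03-01T10:00:04 sshd[101]: Failed password for admin from 203.0.113.7 port 50004
2024-03-01T10:00:05 sshd[101]: Failed password for admin from 203.0.113.7 port 50005
2024-03-01T10:00:06 sshd[101]: Accepted password for admin from 203.0.113.7 port 50006
2024-03-01T10:05:00 sshd[102]: Failed password for alice from 198.51.100.4 port 40001
2024-03-01T10:20:00 sshd[102]: Failed password for alice from 198.51.100.4 port 40002
"""

# Matches the two event shapes we care about; anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+$"
)


def parse_line(line):
    """Return a dict for a login event, or None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window detector.

    Emits one 'medium' alert per source IP that reaches `threshold` failed
    logins within `window`, and a 'high' alert if that same IP then logs in
    successfully (a guessed password is far more urgent than the noise).
    """
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    alerted = set()                # ips that already produced a medium alert
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        recent = failures[ev["ip"]]
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            # Drop failures that fell out of the window.
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and ev["ip"] not in alerted:
                alerted.add(ev["ip"])
                alerts.append({
                    "severity": "medium",
                    "ip": ev["ip"],
                    "reason": f"{len(recent)} failed logins within {window}",
                })
        elif ev["result"] == "Accepted" and ev["ip"] in alerted:
            alerts.append({
                "severity": "high",
                "ip": ev["ip"],
                "user": ev["user"],
                "reason": "successful login after brute-force burst",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

The threshold and window are deliberately parameters: a pen test engagement is a good moment to tune them, since the tester's activity gives you a known-bad signal to check the rule against. The second source address in the sample, with two failures fifteen minutes apart, stays below the threshold and shows the window doing its job.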
Penetration testing and cloud DLP
Penetration testing helps augment cloud data loss prevention. For big enterprises, penetration testing is necessary to help protect networks that include thousands of hosts, internal applications, remote working tools, data centers, and more.
Ed Bellis, vice president and chief information security officer for Orbitz, told one news outlet that penetration testing can help reduce the risk of social engineering. "Pen testing will help you catch people who try to use social networking to work their way into a call center," he said. "People working in the call center can be overly helpful when they're trying to help customers, and they can and do get burned in the process."
Pen testing can help mitigate risks that originate outside your cloud environments. Cloud DLP tools like Nightfall then scan data for signs of an insider threat or social engineering, alerting team members when they share sensitive data in potentially unsafe ways across cloud applications like Slack, GitHub, and Google Drive. IT administrators can set custom actions to prevent employees from inadvertently sharing data and to delete messages containing sensitive data such as usernames and passwords, credit card numbers, or protected health information (PHI).
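To make the scan-and-act behaviour described above concrete, here is an added example that is not Nightfall's code or the original post's: a minimal content scanner that looks for two of the data types named in the paragraph (credit card numbers, validated with the Luhn checksum so that an arbitrary 16-digit order number does not trip it, and password assignments) in chat-style messages, then applies a configurable policy action. The message samples are constructed, and the card number is the well-known "4111..." test value, not a real account.

```python
import re

# Constructed sample messages (hypothetical; the card number is a test value).
SAMPLE_MESSAGES = [
    "deploy creds: user=svc-build password=Hunter2!2024",
    "customer card on file is 4111 1111 1111 1111, exp 09/27",
    "order id 1234567890123456 shipped today",   # 16 digits, fails Luhn
    "lunch at noon?",
]

# 14 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")
# password=..., passwd: ..., pwd = ... (value is the next non-space token).
PASSWORD_RE = re.compile(r"\b(?:password|passwd|pwd)\s*[=:]\s*(\S+)", re.IGNORECASE)


def luhn_valid(digits):
    """Luhn checksum over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return card-like substrings that also pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(m.group(0))
    return hits


def scan_message(text):
    """Return a list of findings, each with a type and the matched text."""
    findings = [{"type": "credit_card", "match": c} for c in find_card_numbers(text)]
    for m in PASSWORD_RE.finditer(text):
        findings.append({"type": "password", "match": m.group(1)})
    return findings


def apply_policy(text, action="redact"):
    """Apply the configured action when a message has findings.

    action is one of 'alert' (pass through, record findings),
    'redact' (mask the matched spans) or 'delete' (drop the message).
    """
    findings = scan_message(text)
    if not findings:
        return {"action": "allow", "text": text, "findings": []}
    if action == "redact":
        redacted = text
        for f in findings:
            redacted = redacted.replace(f["match"], f"[REDACTED {f['type'].upper()}]")
        return {"action": "redact", "text": redacted, "findings": findings}
    if action == "delete":
        return {"action": "delete", "text": None, "findings": findings}
    return {"action": "alert", "text": text, "findings": findings}


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(apply_policy(msg))
```

Two design points carry over to any real deployment: validate pattern matches with a structural check (here Luhn) before acting on them, because a high false-positive rate is what makes teams mute DLP alerts, and keep the policy action separate from detection so the same detectors can run in alert-only mode while you tune them.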
Penetration testing is also useful for finding legacy apps that may no longer be in use but still present a security liability. Apps that have been around for years tend to accumulate vulnerabilities; pen testing can surface them so they can be retired, or IT teams can extend cloud DLP coverage to them to ensure no malicious actors can exploit them.
Pen testing can’t resolve every vulnerability, but it can provide insight into where your cloud DLP programs need to be deployed. Likewise, pen testing can help IT teams gain insight into where potential cloud threats originate, shoring up defenses in vulnerable platforms.
Check out our resources for developers to learn more about implementing cloud DLP for your business. And, to learn more about Nightfall, set up a demo.