The Pros and Cons of Attacking Your Own Network with Penetration Testing


Penetration testing is a highly effective method of testing out the strength of your own system’s digital security defenses against attacks by hackers and other intruders. If you have important data to protect on servers or an internal network of some kind, the only way to really know how well they perform under attack is by simulating that exact situation under controlled circumstances instead of waiting for a real intrusion to occur and hoping that you’ve been prepared enough.

Despite their clear benefits as a tool for analyzing and hardening digital security, penetration tests have become rather controversial in certain ways, and arguments exist both for and against their benefits relative to their risks. We’ll cover both sides of this shortly.

An Overview

Penetration tests can be conducted either with the assumption that the attackers are complete outsiders with no authorized insider knowledge of your network’s security systems, or by simulating attacks in which the attackers have some authorized access to internal security procedures. Additionally, penetration tests can be divided broadly into announced tests and unannounced tests: the former is conducted with the full knowledge of employees and security staff, and the latter is done secretly in order to measure preparedness when no one is expecting an attack.

Of the two latter methods of staged attack, unannounced tests are the more powerful option from an analysis point of view, since they simulate the kinds of real-world conditions in which attackers are not exactly likely to make their sudden intrusion attempts known.

By staging planned, announced tests, you or your organization would be at risk of creating a level of preparedness that doesn’t reflect daily reality and fools you into thinking your systems are more secure than they really are.

Some benefits of Pen Testing

The majority of the weaknesses that you’re likely to find when you perform a penetration test will revolve around things like code design flaws, places where server or network security should have been put in place but wasn’t, software bugs, configuration errors and software that’s out of date, particularly server, site and even security software. Most of these are weaknesses that came into existence by accident and can quickly be resolved once caught by a comprehensive penetration test.

Additionally, pen tests are usually quite effective at exposing the basic human security errors of your own employees and staff, since these are the people who actually have to maintain protection protocols on a day-to-day basis and can often get sloppy in maintaining proper encryption, software updating and configuration settings within networks and server systems.

A few additional and powerful benefits to these types of security tests include:

Identifying the most likely attack vectors that you will face

Each network or system is designed somewhat differently from others, even others of the same kind. This applies especially to mature long running networks in which new machines, servers, website connections, databases and software get tacked on over time. Because of this, the most likely attack vectors can vary from case to case based on both design and system type. By conducting a rigorous pen test, you’ll quickly identify what the easiest route of attack into your company systems is and be able to reconfigure based on what you learn.

Hackers and other intruders almost always take the easiest possible route when trying to intrude and penetration tests will feel out your overall network/system to make sure that no easy routes are left open.

Identifying numerous smaller errors that could lead to high level risks

As we mentioned above, most problems that get detected through penetration tests are numerous minor things that by themselves don’t pose an enormous immediate risk to your protected systems. However, by leaving these little flaws open, you’re giving potential hackers a chance to combine several seemingly small security weaknesses and exploit them together to open a much larger crack that leads to a total breach of what you want to keep safe.

Detection of Existing Hacks

One other notable plus to having a robust security test of your network done is that you can see whether you have any existing hacks to weed out! This may seem a bit hard to believe, but in many cases, companies and other organizations already have an intruder inside their network slowly filtering information or causing clandestine harm in some way. In some cases, this can go on for years without detection until a rigorous security audit and penetration test discover it and get the hack shut down before it does more damage.

Dangers of Penetration Testing

As we said at the beginning, penetration testing does generate some controversy, and not all parties agree about its cost vs. benefit. There are a couple of things to consider before you make the leap and the financial outlay of having a test performed.

Incomplete impression of security leading to unwarranted confidence

By performing a penetration test and coming through with a clean bill of robustness, you might find yourself tempted to think that your network or system is secure and that you can rest easy. This is dangerous for two main reasons. First, the test simply does not address all potential security issues, and while it can give good indicators of how an external attacker might penetrate and damage your network, it won’t address internal security flaws like unreliable employees or sabotage from within.

Furthermore, unless truly comprehensive, a penetration test will discover possible entry weaknesses but may miss numerous internal instances of malicious code that have been well hidden deep within your systems. Thus, unless combined with a thorough internal systems audit, successful pen tests are not by themselves a complete reason for confidence.

Risk of System Damage

By their very nature (attempting to simulate attack by a malicious intruder), penetration tests actually run the risk of doing damage not only to your security infrastructure but also to your internal systems and databases themselves. This is a minor risk, but it can’t be avoided completely, since a comprehensive test does need to see how it can best exploit vulnerabilities in your network. The risk of attendant damage is something to weigh against potential security benefits.

Something else that should be kept in mind, and that relates to this basic damage risk, is the danger that the people you hire to perform the test will be negligent or irresponsible in how they handle it. While they will obviously have to simulate the tactics of malicious intruders in order to effectively gauge your security strength, they can still take certain precautions, and not all testing services adequately provide these.

About the author: John Dayton has written for the tech industry for many years. When he’s not writing poignant articles about penetration testing and security, you can find him reviewing LWG Consulting’s structural failure division.

  • Andrea D

    Great information, John! And thanks for posting this, Tom. It’s true that penetration testing has both benefits and drawbacks. But it would also help, perhaps, if an outsider performed the penetration test. Maybe they would catch things that someone who knows their system wouldn’t? I know a company called Coalfire who does this all the time for companies to enhance their data security and find flaws that they otherwise wouldn’t. Maybe they would be a fit for others as well. Here’s more info on them: http://www.coalfire.com/Services/Penetration-Tests