Penetration testing is a core tool for analysing the security of IT systems, but it should be carried out as part of a wider, deeper audit of your systems.

The National Cyber Security Centre gives the definition as "A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system's security, using the same tools and techniques as an adversary might."

Typically, penetration tests are used to identify the level of technical risk emanating from software and hardware vulnerabilities. Exactly what techniques are used, what targets are allowed, how much knowledge of the system is given to the testers beforehand and how much knowledge of the test is given to system administrators can vary within the same test regime.

A well-scoped penetration test can give confidence that the products and security controls tested have been configured in accordance with good practice and that there are no common or publicly known vulnerabilities in the tested components, at the time of the test.

What sort of system should be tested?

Penetration Testing is an appropriate method for identifying the risks present on a specific, operational system consisting of products and services from multiple vendors. It could also be usefully applied to systems and applications developed 'in-house'.

A pen-test is a snap shot of your IT systems on the day of the test, so you can't assume that once it's done, that's it. Regular testing would be more useful.

We have Trusted Partners that we can signpost you to, if you want to perform third party penetration tests. We recommend selecting your IT provider with care as the results of the penetration test are only as good as the skill with which the test is carried out. We have assessed our Trusted Partners on your behalf, so we can recomend them withour hesitation.

A typical penetration test will follow this pattern: Initial engagement, scoping, testing, reporting and follow up. There should be a severity rating for any issues found.

For this model we assume that:

• You wish to know what the impact of an attacker exploiting a vulnerability would be, and how likely it is to occur
• You have an internal vulnerability assessment and management process

You should ensure that the external team has the relevant qualifications and skills to perform testing on your IT estate. If you have any unusual systems (mainframes, uncommon networking protocols, bespoke hardware etc.) these should be highlighted in the bid process so that the external teams know what skill sets will be required.

To read more about penetration tests, there's an excellent article on the NCSC website here.