
Penetration Tests Vs. Risk Assessments

Updated: Mar 10

The number one thing that everyone asks for when they come to us is a penetration test. They hand us external facing IP addresses and want us to see if we can do anything to access their internal network from the outside. Now, don't get me wrong, external facing penetration tests are a good thing to do annually. But when I hear people saying they are completely secure or want to do tons of these to make sure they stay secure, I tend to cringe.

The only thing checking an external IP tells you is if you have your internet facing doors open. We do this by using tools to scan and see if anything is open. If it is open, we see what we can access. It is critical to make sure your outside facing doors are locked down, so this is an important test to do. If your external IPs are open, someone can more easily get into your network. However, the majority of times we check these they are in good shape. Where pen tests are most effective is if you have an online app or web page. Any apps or pages that face the internet allow for more possible avenues of an attack.

The misconception I see a lot of smaller businesses have is that if that external facing pen test is good, there is no cyber risk. Pen tests like that do not tell you about your overall cyber risks as a company. They just tell you that one avenue is locked down. The only way you really know your cyber status is to do a full risk assessment. Of course, no one wants to hear that, since it's not as simple as having someone scan their externally facing IPs.

A full risk assessment involves figuring out what an attacker might want and what regulations you have to meet. It goes through best cyber practices for that type of data and looks at whether you're meeting the intent of each control. It involves interviews and documentation reviews as well as testing different technical areas such as vulnerability scans and configuration checks. A pen test is not looking at all your processes. It's one point in time where someone is seeing if they can break in from the outside. Perhaps, knowing it was coming, things were tightened up in preparation. When normal day-to-day operations resume, perhaps gaps will open up again. Pen tests are important and have their place, but having a good cyber posture is more than having a firewall or locking down some ports. Good cyber posture requires regular risk assessments.
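To make the "point in time" problem concrete, here is an added example (not from this post or the author's practice) of the kind of check a defender can run between assessments: it parses externally visible open ports, compares them with the list of services the business actually approved to face the internet, and shows what has drifted since an earlier scan. It assumes nmap's grepable (`-oG`) output as the input format; every host, port and baseline entry below is constructed for illustration.

```python
"""Compare externally visible open ports against an approved baseline and
between two points in time. Added illustration: nmap grepable (-oG) output is
assumed as the input format, and all hosts, ports and approvals are constructed."""
import re
from typing import Dict, Set, Tuple

# Constructed sample in nmap -oG style: one "Host:" line per scanned address.
SCAN_BEFORE = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.0.2.11 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (999)
"""

# Constructed follow-up scan of the same hosts a few weeks later: two extra
# services have been exposed after the "tightened up for the test" period.
SCAN_AFTER = """\
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 192.0.2.11 ()\tPorts: 443/open/tcp//https///, 1433/open/tcp//ms-sql-s///\tIgnored State: filtered (998)
"""

# What the organisation has approved to face the internet (assumed values).
BASELINE: Dict[str, Set[str]] = {
    "192.0.2.10": {"443/tcp"},
    "192.0.2.11": {"443/tcp"},
}

# Matches each "<port>/open/<proto>/" entry in a grepable "Ports:" field.
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)/")


def parse_grepable(text: str) -> Dict[str, Set[str]]:
    """Return {host: {'port/proto', ...}} for every open port in -oG output."""
    exposure: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip comment and summary lines
        host = line.split()[1]
        ports = {f"{p}/{proto}" for p, proto in PORT_RE.findall(line)}
        exposure.setdefault(host, set()).update(ports)
    return exposure


def unexpected_exposure(snapshot: Dict[str, Set[str]],
                        baseline: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Open ports that nobody approved, per host (the 'doors' that should be shut)."""
    findings: Dict[str, Set[str]] = {}
    for host, ports in snapshot.items():
        extra = ports - baseline.get(host, set())
        if extra:
            findings[host] = extra
    return findings


def drift(before: Dict[str, Set[str]],
          after: Dict[str, Set[str]]) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Ports that appeared or disappeared between two scans of the same hosts."""
    hosts = set(before) | set(after)
    added = {h: after.get(h, set()) - before.get(h, set()) for h in hosts}
    removed = {h: before.get(h, set()) - after.get(h, set()) for h in hosts}
    return ({h: p for h, p in added.items() if p},
            {h: p for h, p in removed.items() if p})


if __name__ == "__main__":
    before, after = parse_grepable(SCAN_BEFORE), parse_grepable(SCAN_AFTER)
    print("unapproved at first scan:", unexpected_exposure(before, BASELINE))
    opened, closed = drift(before, after)
    print("opened since first scan:", opened)
    print("closed since first scan:", closed)
```

Run against real `-oG` files, the same three functions turn a one-off pen test into a repeatable configuration check: the baseline is the documented decision about what may be exposed, and `drift` is what catches the gaps that reopen once day-to-day operations resume.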
