Worried about your network security? Put your security measures to the test.
What's keeping intruders out of your network?
You'll find it easier to test your security if you know exactly what your defences are.
Typically, network defences include:
- a firewall to keep intruders out of your network
- an intrusion prevention / detection system (IPS / IDS) to let you know when you're under attack from hackers
- anti-virus scanners to spot infections hidden in emails, instant messages or web traffic
- passwords so your computers, programs and data can only be accessed by authorised personnel
Do your security defences work?
There's only one way to find out – by putting them to the test. You can carry out the tests yourself or hire professional penetration testers to do the job for you.
Of course, you should check with your network provider before starting penetration testing. The point of this kind of test is that it looks just like a malicious attack, so a surprise test could (and probably should) raise the alarm. What’s more, your network provider may be carrying out regular penetration tests or be able to support you in running your own.
Using professional penetration testers
Professional penetration testers think like hackers and use the same techniques that hackers use to try to bypass your defences. When they've finished they'll give you a report of any weaknesses they find, and make recommendations to help you address them.
You'll want to choose a team of penetration testers you can trust before inviting them to hack your network. It’s also important that they have all the necessary skills.
Before you hire a team, ask these questions:
- Who will carry out the penetration testing?
- How experienced are they?
- What professional qualifications and certifications do they have?
- What methodology (such as the Open Source Security Testing Methodology) do they follow, if any?
- How would they carry out a penetration test, and to what time scale?
- What sorts of reports and recommendations will they give you after the test, and how much detail will they go into?
- If they find any vulnerabilities in your network, will they implement fixes or just identify problems?
Testing your own network
Can't afford to hire a penetration testing team? A lower cost alternative is to carry out your own tests using penetration testing software.
Although DIY-testing is not as effective as hiring an expert, it has other advantages:
- You can carry out tests as often as you want. Running a test whenever you buy new equipment, install new software, or make any big changes to your network will alert you to obvious vulnerabilities you've overlooked. Think of it as walking around your house, checking you haven't left any windows open before you go out.
- Hackers use this software too, which means you should find the same weaknesses.
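As an added example (not part of the original article), here is one way to do the "open windows" check described above: record which TCP ports are approved to be open on a machine you own, re-check after each change, and report anything new. The function names and the demo are assumptions made for illustration; the demo only connects to 127.0.0.1.

```python
import socket

def open_ports(host, ports, timeout=0.5):
    """Return the subset of `ports` that accept a TCP connection on `host`."""
    found = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:  # 0 means the connection succeeded
                found.add(port)
    return found

def drift(baseline, observed):
    """Compare approved ports with observed ones.

    Returns (unexpected, missing): ports that are open but not approved,
    and approved ports that no longer answer.
    """
    return observed - baseline, baseline - observed

def demo():
    """Constructed demo on 127.0.0.1: two throwaway listeners stand in for
    an approved service and one that appeared after a network change."""
    listeners = []
    for _ in range(2):
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
        srv.listen(1)
        listeners.append(srv)
    approved, new = (l.getsockname()[1] for l in listeners)
    try:
        observed = open_ports("127.0.0.1", [approved, new])
        unexpected, missing = drift({approved}, observed)
    finally:
        for l in listeners:
            l.close()
    return approved, new, unexpected, missing

if __name__ == "__main__":
    approved, new, unexpected, missing = demo()
    print("unexpected open ports:", sorted(unexpected))
    print("approved ports not answering:", sorted(missing))
```

In real use the baseline would be a saved list per machine, and any port reported as unexpected is a window to close or to add to the approved list deliberately.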
Choosing the right penetration testing software
You can use penetration testing software in two ways: to carry out manual penetration tests, or to launch an automated test.
Manual tests require more time, skill and penetration testing knowledge, but they can discover vulnerabilities that automated tests can't. Automated tests often involve little more than pressing a single button to run the test.
Manual penetration testing software
Any good manual penetration testing software should at the very least allow you to carry out these 5 key functions:
- Port scanning – to establish which computers are connected to a network, and which operating systems and services they are running that may be vulnerable to attack
- Reconnaissance – contacting these servers and extracting information from them such as the applications they are running, and the usernames of employees that access them
- Exploit launching – attempting to exploit any known vulnerabilities to gain control of a system
- Network sniffing – to intercept network traffic and extract information such as usernames and passwords as they travel over the network
- Password attacks – to extract passwords from stored password hashes, or to guess passwords to get access to computers or services
Many of the most powerful manual penetration testing tools and software suites are open source and free. They are often used by professional penetration testers.
Most automated penetration testing software is also supplied as a commercial product. These products are usually easier to use than open source software, and include support.
Be aware of the risks
Penetration tests, whether manual or automated, involve unleashing scans and probes onto your network. This can affect network performance. To minimise interference with your business, you may decide to carry out the tests during less busy times, even though it makes them less realistic.