What is a pen test and why is it important for critical infrastructure?

Spoiler: we’re not talking about rubbing a ballpoint pen over the sole of your shoe to see if it’s still working. A pen test, or penetration test, is like a security health check for computer systems. Think of it as hiring friendly hackers to try to break into your digital “fortress”. They explore your defenses to find weak spots that real attackers might exploit. It’s a method commonly used by companies to test the security of their systems, and we recently did such a pen test for Barco CTRL.

Pen tests for software are like crash tests for cars. These tests involve trying different tricks and tactics to sneak past security measures, like passwords or firewalls. By doing this, organizations can see where their systems are vulnerable and fix those weaknesses before the real ‘bad guys’ find them. It's a bit like finding and fixing holes in a fence to keep out intruders. Pen tests help make sure that your digital castle stays safe from cyber threats by identifying and strengthening its defenses.

Penetration tests are not at all a new phenomenon. As history goes, the first one was formally ordered in 1965 by an important government contractor, following the remark that an employee had been able to easily break into a main time-shared system. The term “penetration” was first coined in 1967, by the way.

In the years that followed, rules and best practices for pen tests were developed, becoming increasingly sophisticated. Highly competent computer scientists, working for the US government were active in these penetration tests, trying to break into sensitive computers. According to a New York Times article from the early 1980s, they succeeded in every attempt.

Today, penetration tests are very common when dealing with critical infrastructure. This not only entails governmental organizations, but also corporations and public services. Hackers that want to stay on the right side of the law make successful careers in this business. 

Reading a pen test report can be a bit like deciphering a detective's findings. Start by understanding the executive summary, which provides a high-level overview of the test results and key findings. Then, dive into the detailed sections, focusing on the vulnerabilities discovered, their severity, and potential impact on your organization. Pay attention to any recommendations or remediation steps suggested by the testers. It's crucial to prioritize fixes based on severity and potential impact on your operations. Don't hesitate to ask questions if there's anything you don't understand, especially regarding technical jargon or complex vulnerabilities. Ultimately, use the pen test report as a roadmap to strengthen your security posture and protect your organization from cyber threats.

Would you like to learn more about pen tests? Then download our pen test guide to learn how to set it up yourself.