An excellent way to test the effectiveness of the security controls you have implemented is to run Penetration Tests. Sometimes referred to interchangeably with Ethical Hacking, penetration testing simulates real-world cyberattacks against your network. If you have implemented good security controls, the penetration tester's job should be difficult. Penetration tests can be performed by you if you have the skills; if you don't, some firms offer third-party tests. There are a few different types of Penetration Tests:

  • White Box Tests: These tests are known environment tests where the tester has full knowledge of the target environment, including network architecture and device credentials.
  • Black Box Tests: These tests aim to capture the perspective of an attacker with no knowledge of the inner workings of the target network. Essentially, the tester needs to start from scratch and learn about the target network's design themselves.
  • Gray Box Tests: These tests seek to make better use of time by giving the tester some knowledge of the target network, but leaving most of the very specific details secret. For example, the network owner could give the tester a map of the network layout, but keep specific IP ranges and hostnames hidden.

Setting up a penetration test involves careful preparation. If you are hiring a third-party tester, you need to define Rules of Engagement (RoE) with the testing firm to set the allowed scope and boundaries for the test. Even though you are testing your own network, you need to be wary of potential legal issues. If a penetration tester strays outside the agreed scope, they could compromise assets that contain sensitive data, potentially damaging it. Some ISPs and cloud providers may also have restrictions against penetration testing, so confirm their terms before any hosted asset is included. Make sure to thoroughly prepare before attempting any kind of test.
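The Rules of Engagement described above can be turned into a pre-engagement scope check that the testing team runs before touching any address. The following is an added example, not code from the original page; the `RulesOfEngagement` fields, the sample ranges (IANA documentation addresses) and the test window are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass
class RulesOfEngagement:
    """Constructed RoE record (assumed fields): what may be tested, and when."""
    in_scope: list             # CIDR strings the network owner has authorised
    excluded: list             # hosts/ranges holding sensitive data: never touched
    hosted: list               # ranges on an ISP/cloud provider that restricts testing
    provider_authorised: bool  # that provider has approved the test in writing
    window_start: time         # agreed testing window; may wrap past midnight
    window_end: time

    def __post_init__(self):
        self.in_scope = [ip_network(n, strict=False) for n in self.in_scope]
        self.excluded = [ip_network(n, strict=False) for n in self.excluded]
        self.hosted = [ip_network(n, strict=False) for n in self.hosted]

def in_window(roe, t):
    """True if clock time t is inside the agreed window, including one that wraps midnight."""
    if roe.window_start <= roe.window_end:
        return roe.window_start <= t <= roe.window_end
    return t >= roe.window_start or t <= roe.window_end

def scope_check(roe, target, clock):
    """Return (allowed, reason) for touching `target` (IP string) at `clock` ("HH:MM")."""
    addr = ip_address(target)
    t = time.fromisoformat(clock)
    # Exclusions win: a sensitive host inside an authorised range stays off-limits.
    if any(addr in net for net in roe.excluded):
        return False, "explicitly excluded (sensitive asset)"
    if not any(addr in net for net in roe.in_scope):
        return False, "outside the agreed scope"
    if not in_window(roe, t):
        return False, "outside the agreed test window"
    if any(addr in net for net in roe.hosted) and not roe.provider_authorised:
        return False, "hosted on a provider that has not authorised testing"
    return True, "in scope"

# Constructed sample RoE using documentation ranges, not real assets.
EXAMPLE_ROE = RulesOfEngagement(
    in_scope=["10.20.0.0/16", "203.0.113.0/24"],
    excluded=["10.20.5.10/32", "10.20.9.0/24"],
    hosted=["203.0.113.0/24"], provider_authorised=False,
    window_start=time(22, 0), window_end=time(6, 0),
)
```

Every rejection carries a reason so the tester can record why an address was skipped and the owner can revise the RoE rather than the tester guessing.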

Once a penetration test has finished, it will produce a Penetration Test Report. This document is written by the testers themselves and contains information on what was done and what was discovered. The insights from this report will give you the necessary fuel to begin planning new security controls, essentially looping you back to Stage 1 of this framework for another iteration.