Kevin Johnson is the CEO of Secure Ideas, a Jacksonville security-consulting and penetration testing firm. Along with being a security expert with many years in the industry, he’s a great guy and a HUGE Star Wars fan, and a member of the Imperial Guard at The 501st Legion. We asked Kevin about Penetration Testing, an important exercise in the cybersecurity world and a term often recognized but not understood.
What is a penetration test?
A penetration test is basically a look at your environment, systems and applications from the perspective of a bad guy. When we run these assessments, we are putting on our black hats and trying to figure out where your defenses and controls are weakest. The test also allows us to evaluate how well your organization responds to an attack and what risks are most important to fix.
What is a pentest not?
It is not a way to find EVERY problem or vulnerability within your network and applications. That requires a combination of vulnerability assessments and security reviews.
Why are pentests important to businesses?
If we don’t know what the issues within our systems are, how is it possible to fix them? We need to be able to judge our risk and act accordingly.
Do small businesses need to conduct pentests?
Absolutely. Especially if they accept credit cards or deal with sensitive information such as medical records.
At what size (revenue/employee/or other benchmark) do companies need to start thinking about conducting pentests? Or what business type?
There is no specific size or revenue. All companies doing business need to evaluate risk and perform some form of testing. This is required by many things including PCI-DSS, HIPAA and contracts with partners and customers.
If a business isn’t ready for a pentest, what should they be doing?
Often the first step is to implement regular and in-depth vulnerability assessments. This allows for an understanding of where the problem areas exist. I would also seriously consider a gap analysis or security review to kick off a project.
What’s your favorite part about working in the exciting world of cybersecurity?
Every day I learn something new. The entire IT world changes overnight, the attackers find new ways in and our systems keep improving. It’s a challenge, but a great one.
What’s your favorite movie, other than anything related to the Star Wars franchise?
I think I would have to say Boondock Saints.