Following on from our recent post about Pen testing for businesses, we wanted to talk a bit about the idea behind DIY pen testing. \u00a0If you\u2019re not familiar with the term \u2013 pen testing is short for penetration testing and is the practice of strengthening network security by identifying the weaknesses, mainly by employing the same techniques a hacker would use. Pen testing is the only real way to understand where the gaps in your security systems are, and proves far more cost effective than trying to recover from a cyber attack. \u00a0But investing in pen testing by professionals isn\u2019t always cheap, and recently there have been a lot of people toying with the idea of doing their own pen testing. \u00a0So today, we\u2019re going to talk about the pro\u2019s and cons of DIY Pen testing, and give you a few bits of friendly advice.\u00a0 Please note that these tools and techniques are more aligned to vulnerability scanning, which is a part of the penetration testing process. Penetration testers and hackers will then take the results of these scans and look at ways of compiling vulnerabilities before using manual techniques to exploit these vulnerabilities.A prefaceFirst, we want to preface this by saying that we don\u2019t recommend DIY pen testing over professional services \u2013 because we wouldn\u2019t. The main reason for this is that you are unlikely to be a fully trained, qualified pen tester, and so will have little to no experience in hacking systems safely. But it\u2019s not such an awful risk that it\u2019s a complete \u2018no go\u2019 either. If you are comfortable with undertaking a DIY pen test and you are confident in the knowledge of your network and its more fragile areas, it\u2019s certainly better than not having one done at all. Now, with that done, let\u2019s move on to our tips:1. Think riskBefore you dive in and start poking and prodding at your security systems, take a step back and think about what you are trying to achieve. Look at what exactly you are trying to protect, where it\u2019s held and how hackers would most likely get to it. If you aren\u2019t sure, evaluate how badly your business would be damaged if each system or resource went down or was comprised individually \u2013 this gives you a pretty clear idea of where your priorities are. Once you have that, you can look at which of those systems represents the most risk, and work from there.2. Utilize toolsUnless you are a dedicated coder or ethical hacker in your spare time, we don\u2019t recommend trying to manually pen test your business. Manual testing requires a high level of time and experience to perform effectively. Luckily there are a lot of tools out there which real testers use today that can help businesses perform rudimentary security tests on their systems, without the need for much manual intervention. A few of our favorites include the Metasploit Framework, OpenVAS \u00a0SQLmap, Burpsuite and Sparta \u2013 all of which either come already installed, or can be easily installed on the Kali Linux Operating System.\u00a0 While these aren\u2019t exactly a "pen test in a box" these are just a few of the resources out there that can help automate the fundamental basics of Pen testing and save time and resources by identifying the most obvious and dangerous vulnerabilities. There are a lot of tools out there, so try a few demos on a test environment and opt for one that your team can use effectively. Always test the tools on a test environment first and understand how they work \u2013 we don\u2019t recommend firing any tools, no matter how basic, at your network without understanding how they operate and the potential consequences.3. Understand different types of attackThere is more than one way a hacker can access your system \u2013 in fact there are thousands. In order to do an effective pen test, you will need to understand the different ways attacks can happen, so that you can search for ways in using the same approach (that\u2019s the point after all, to see if it can be done). For example, are you more prone to man in the middle attacks, phishing attacks, brute-force attacks, DDoS attacks or weak service exploitation? Understanding all the different ways hackers work is crucial to effective pen testing.4. Clean up after yourselfGenerally, this only applies to those who are opting for the true DIY approach, rather than using automated tools. In these instances, manually uploading files, adding users and making configuration changes.\u00a0 If you simply abandon the system when you are done, you risk leaving a trail of evidence a mile long behind you. Not only could this significantly reduce incident response capability if there were a breach further down the line, but could also lead a trail of breadcrumbs for a real attacker to weak areas of your network So, remember what your mother always told you \u2013 clean up and put everything back where you found it when you\u2019re done.5. Report backDoing the pen test itself is sadly only part of the job. Once you have conducted a thorough test and have an idea of what\u2019s going on and the weaknesses in the system, you need to report back to management or IT about what you have found. The best way to measure success in pen testing is not through the actual finding of problems, but in the reporting and handling of those problems. If you don\u2019t compile a report and act to rectify the issues you found, you might as well have not bothered.If all of that seems a bit complicated to you \u2013 stop researching and pick up the phone to an expert. A lot of things can go wrong with DIY pen testing, and the result is often heavy costs of time and resources to fix the problem and land you back at square one. DIY pen tests that go wrong can slow down your network, crash your systems, lose valuable data and even leave your systems wide open for attack. So unless you\u2019re confident that you can handle the task and accept the risks, we don\u2019t recommend you handle it on your own.