Penetration Testing – the what, when, why and who
Penetration testing – the security-savvy data owner’s way of challenging their own defence systems. And why not? You’ve spent considerable time and budget selecting the best security measures for your company.
Data breaches are a real and frequent occurrence, and any effort that keeps your company’s name out of the headlines for the wrong reasons is worth making. The only way to find out whether your security infrastructure will stand up to a capable attacker is to subject it to rigorous testing. Penetration testing (or ethical hacking) is an established practice and a growing part of cybersecurity. With so many vendors offering what looks like the same service, how do you choose a test that will expose the gaps in your defences before the criminals find them?
What exactly is pen testing?
A penetration test, commonly abbreviated to pen test, is an authorised, simulated attack that reproduces the behaviour of a criminal or hacker in order to identify vulnerable or exploitable systems and conditions. One widely used definition (the UK National Cyber Security Centre’s) reads:
“A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system's security, using the same tools and techniques as an adversary might.”
The Center for Internet Security (CIS) Critical Security Controls, originally published as the SANS Top 20, are a prioritised list of 20 controls for organisations. Think of it as a checklist to “do these 20 things really well”. Penetration tests and red team exercises appear on that list as Control 20. Its place at the end of a prioritised list reflects the point made in section 7 below: a pen test validates controls you have already put in place, rather than substituting for them.
1) What type of pen test do you need?
With so many different types of test available, which areas need the most attention: your external web presence, web applications, email or internal network, for example? If it is all four (or more), look for a vendor with the knowledge and expertise to test across your entire estate. They should also be able to show that their testers hold recognised qualifications such as Certified Ethical Hacker (CEH), Licensed Penetration Tester (LPT), GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) or Offensive Security Certified Professional (OSCP). Confirming that your testers follow an industry-recognised methodology makes it far less likely that anything obvious is missed, although no certificate guarantees it. See also: a list and brief explanation of the types of pen testing options available.
2) When to test?
If cost were no object you would test every system all the time. Realistically you need to decide what testing frequency is right for your business, and it makes sense to rank your systems by exposure. Public-facing systems (your website, web applications and the back-end systems behind them) warrant a higher frequency: being reachable from the internet, they are easy targets for the opportunistic criminal as well as for anyone who targets your organisation specifically. If you have conducted a risk assessment, you will already have considered the threat types and motives relevant to your organisation, and that should feed into what you test and when. If you do not have a risk assessment to guide you, the following are a few pragmatic suggestions:
If successive test results show an increasing number of high-priority vulnerabilities, increase the frequency accordingly; the trend suggests that the way security is being managed needs reviewing. See section 7, “Pen test or better management of cyber defence”.
Suggestion: if you contract out pen testing, rotate testers regularly to prevent complacency and to get a fresh pair of eyes on the estate, for example by alternating between two firms from one year to the next.
3) Request liability insurance
Ultimately you are trusting an organisation that is (ethically) seeking ways to get at your data, and paying them to do so, so that you can remediate the flaws they find. Whoever you choose should have relevant liability and professional indemnity insurance in place to protect them (and you) against damage caused, or an accidental exposure that occurs, during the test. A written rules-of-engagement document agreed beforehand, covering scope, permitted hours and emergency contacts on both sides, reduces the chance of ever needing to claim on it.
4) Agree on an in-depth sample report and de-brief
Agreeing, before testing starts, on how the results will be presented to you and what post-test guidance you will receive ensures that your expectations are met. Negotiate with the vendor for as much information as possible, because that detail is what lets you take the measures that actually reduce risk and obtain a tangible benefit. We suggest a report that contains an executive summary with a prioritised list of the high-risk issues, a full detailed list of every issue discovered (with the evidence needed to reproduce each one), and a recommendations section describing how to mitigate or remove each issue. It is also good practice to request a post-test debrief in which the testers walk you through the results.
5) Test, remediate, re-test
Explore with your vendor a test, remediate and re-test cycle. Re-testing once the initial test and remediation are complete confirms that the fixes you applied actually closed the issues, rather than assuming they did. Only after the re-test can you be confident you have had full value from this investment; it also gives you a second chance to fix anything still outstanding, further strengthening your defences and reducing the risk of a breach. It is not uncommon for a business to adopt a hybrid approach: an annual pen test, with a vulnerability assessment (VA) tool running continual scans in between (see section 6). This is a compromise on an ideal strategy, but it is cost effective.
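One way to put the re-test step, and the scans between annual tests, on a repeatable footing, as an added example that is not part of the original article or of any vendor's tooling: compare the finding list from the initial test with the list from the re-test (or from the latest VA scan), classify each finding as remediated, persistent, worsened or new, and apply a sign-off gate. The finding records, their fields (host, port, title, severity) and the severity scale are this example's own assumptions, and both finding lists are constructed sample data.

```python
"""Added example (not from the original article): a small re-test comparison.

Takes the finding list from the initial test and the list from the re-test
and reports what was remediated, what persists, what got worse and what is
new, then applies a pass/fail gate. Both finding lists are constructed sample
data, and the record fields (host, port, title, severity) and the severity
scale are this example's own assumptions, not any vendor's report format.
"""
from dataclasses import dataclass

# Assumed severity scale; map your vendor's or scanner's ratings onto it.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str
    severity: str

    @property
    def key(self):
        # The same issue on the same service counts as the same finding
        # across tests, even if the tester re-rated its severity.
        return (self.host, self.port, self.title)


# Constructed sample data: results of the initial test.
BASELINE = [
    Finding("web01.example.internal", 443, "TLS 1.0 and 1.1 enabled", "medium"),
    Finding("web01.example.internal", 443, "Default credentials on admin console", "critical"),
    Finding("web01.example.internal", 80, "Directory listing enabled", "low"),
    Finding("mail01.example.internal", 25, "Open SMTP relay", "high"),
]

# Constructed sample data: results of the re-test. The admin console and the
# open relay were fixed, TLS was not, directory listing was re-rated upward,
# and a new service appeared during remediation.
RETEST = [
    Finding("web01.example.internal", 443, "TLS 1.0 and 1.1 enabled", "medium"),
    Finding("web01.example.internal", 80, "Directory listing enabled", "medium"),
    Finding("web01.example.internal", 8080,
            "Management interface exposed without authentication", "high"),
]


def compare(baseline, retest):
    """Classify findings by comparing the two lists on (host, port, title)."""
    before = {f.key: f for f in baseline}
    after = {f.key: f for f in retest}
    persistent = sorted(k for k in before if k in after)
    return {
        "remediated": sorted(k for k in before if k not in after),
        "persistent": persistent,
        "worsened": [k for k in persistent
                     if SEVERITY_RANK[after[k].severity] > SEVERITY_RANK[before[k].severity]],
        "new": sorted(k for k in after if k not in before),
    }


def blocking_findings(retest, threshold="high"):
    """Findings still present at or above `threshold`, which should block sign-off."""
    floor = SEVERITY_RANK[threshold]
    return sorted(f.key for f in retest if SEVERITY_RANK[f.severity] >= floor)


def retest_passes(retest, threshold="high"):
    """Sign-off gate: the re-test passes only if nothing blocking remains.

    A new high-severity issue fails the gate even though every original
    high/critical finding was fixed; that is why the re-test should cover the
    whole original scope rather than only re-checking the original findings.
    """
    return not blocking_findings(retest, threshold)


if __name__ == "__main__":
    result = compare(BASELINE, RETEST)
    for bucket, keys in result.items():
        print(f"{bucket}: {len(keys)}")
        for host, port, title in keys:
            print(f"  {host}:{port}  {title}")
    print("re-test passes:", retest_passes(RETEST))
```

Keying on host, port and title rather than on the scanner's own finding ID keeps the comparison usable when the re-test is done by a different firm, which section 2 recommends, or by a VA tool whose plugin IDs differ from the pen tester's report. The gate deliberately looks at everything present in the re-test, not just the original findings, so a regression introduced during remediation cannot slip through.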
6) A vulnerability scan is not a pen test (comparing apples with pears)
It is easy to buy a pen test that looks cheap and end up disappointed, or worse. Some businesses sell as a pen test something that is nothing more than a vulnerability scan or a port scan. The final report may look colourful and professional, but it is not the same thing, and it can leave you with a false sense of security. A pen test uses multiple attack techniques to identify exploitable conditions and then actually tests whether they can be exploited, chaining weaknesses together where one alone would not get the tester in. A vulnerability scan is little more than a list of services and systems that appear to be missing a patch or to match a published vulnerability, usually judged from a version banner, so it contains false positives that nobody has validated and misses logic flaws that no signature describes. Simple analogy: compare an experienced locksmith testing your front door, checking the lock, the hinges, the door itself and whether the letterbox gives access to the internal latch, and trying to pick the lock, against asking your neighbour to check that the door is closed. Both have their uses, but a pen test should not be confused with a vulnerability scan.
7) Pen test or better management of cyber defence
We have had many clients come to us unsure where to start with improving their cyber security. Some rush to a pen test on the logic of finding the holes before the criminals do (putting out the fires). A better first step may be to identify where you could improve your management of cyber defence (preventing the fires, or reducing their impact). It is also far more cost effective to have a system that prevents and mitigates cyber risk than to rely on technical spot checks such as a pen test. The obvious information security management standard is ISO/IEC 27001 (published in the UK as BS EN ISO/IEC 27001). Alternatively, consider the UK Government’s Cyber Essentials scheme, or a Cyber Defence Gap Analysis workshop.
There is a sea of vendors and options offering penetration testing, and choosing the right fit for your business and its security needs can be an overwhelming prospect. If you would like some independent advice, speak to our Sales Team, who will help you choose the right test to safeguard your data. Preparation is paramount in the fight against cybercrime: test your own defences and assess their strength before an attacker does it for you.