In just a few years, penetration testing (once known as "ethical hacking") has changed from something only large organizations did regularly to an assessment now recommended even for the smallest SMEs. Some attribute this change to tighter compliance requirements, but the biggest factor is the dramatic rise in destructive cyberattacks, which continue to plague organizations despite record levels of cybersecurity investment.
This looks like a paradox: Gartner predicts that by 2021, spending on traditional information security systems will reach 150 billion US dollars, an increase of 12.4% over the previous year. Spending has grown like this for at least 15 years, yet the problems it is supposed to prevent keep getting worse. How can that be?
One possibility is that while security technology fixes known problems, it does nothing for the hidden ones that no one anticipated. These weaknesses surface only under real-world conditions, where cybercriminals are often better at finding them than defenders are. Infosec offers many examples of this phenomenon: unpatched software vulnerabilities (whose number has also risen dramatically), accidental misconfigurations, weak or aging security policies, poorly secured accounts, undocumented network access, and lax employee behavior.
There is plenty of evidence that misconfiguration, negligence, and naive security behavior are the root causes of many cyberattacks, rather than any great sophistication on the attacker's part. Ransomware attacks, for example, often rely on fairly basic and preventable security failures such as leaked (and possibly reused) passwords, which reportedly contributed to the recent destructive attack on the US Colonial Pipeline.
How can penetration testing help?
Penetration testing attempts to uncover these problems by simulating how real attackers find and exploit them, often chaining smaller vulnerabilities together to amplify the damage. Each test is usually supplemented by automated vulnerability scanning to catch the most common software defects, misconfigurations, and oversights. At the end of the process, the customer receives a report detailing the weaknesses found, with an analysis and ranking of the risk each one poses to the organization, and a concluding section of proposed fixes.
Types of penetration testing
Penetration testing is conducted at varying depths, depending on the purpose of the test. External testing looks for weaknesses outside the firewall from the public's perspective, while internal testing assumes the attacker has already established a foothold inside the network. The latter was once optional but is now considered essential, because it simulates how more and more attacks actually unfold, whether through a malicious insider or because an attacker has compromised an employee or privileged account by phishing or a weak password. It also helps to analyze how easily an attacker can move from a compromised system to other resources.
Black box testing and red team
More advanced penetration testing includes black box testing, in which testers probe the network as an attacker would, with no prior knowledge of its defenses. For large organizations, another increasingly popular option is the red team exercise, which involves extensive testing of every aspect of the organization, including physical security, employee behavior, and internal processes, over a period of weeks or months.
How does penetration testing work?
External testing begins with agreeing the goals and rules of engagement (RoE), followed by reconnaissance of the organization's public-facing systems. The testers then use open source tools (Nmap, Nessus, Cobalt Strike, Metasploit) together with their own combination of custom scripts and manual techniques to scan for common defects and weaknesses. If a weakness is found, they try to exploit it without being detected, and then attempt to move laterally to other servers elsewhere in the organization's network. Each step is recorded in the final penetration test report, which sets out the fixes and mitigations in order of priority.
Can SMEs do penetration testing by themselves?
In theory, organizations can do this themselves, but hiring independent testers is considered best practice because it avoids problems such as conflicts of interest and internal politics. If bad news has to be delivered, a dispassionate external audit is always the best way to do it. Many tests also require specialist skills and experience.
Is penetration testing risky or illegal?
The objectives and parameters of the test are always negotiated in detail with the customer in advance, including consent to certain actions that would otherwise violate British law. Testers look for weaknesses but do not use them destructively or destroy data in the process. This is governed by the rules of engagement, which document how testers protect any sensitive data they encounter during the test and the procedures for communicating with the internal IT team.
Are there restrictions on penetration testing?
One problem is that, ideally, an organization should conduct at least two penetration tests: the first to discover weaknesses, and a second, later one to check whether they have been fixed. Networks also change over time, which means even this assessment quickly becomes out of date. All this points to testing at least once a year, possibly once every two years, which adds to the upfront cost.
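The report described above ranks each weakness by the risk it poses and notes where smaller findings can be chained into a bigger one, and the retest mentioned here checks which findings are still open. The following is an added example of how a defender might model both steps in a small script; it is not code from the original article, the finding records are constructed sample data, and the likelihood-times-impact scoring and the chaining escalation rule are assumptions chosen for illustration (real reports usually use CVSS or the tester's own scale).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One weakness from a penetration test report (constructed schema for this example)."""
    id: str
    title: str
    likelihood: int          # 1 (unlikely) .. 5 (almost certain) that the weakness can be exploited
    impact: int              # 1 (negligible) .. 5 (operations-stopping) if it is exploited
    chain_with: tuple = ()   # ids of other findings an attacker could reach by exploiting this one


def priority(finding, findings):
    """Score a finding 1..25 as likelihood x impact, escalated when it can be chained.

    If a finding gives the attacker a path to another finding that is still open,
    the low-impact step inherits the impact of the worse weakness it leads to.
    This escalation rule is an assumption made for the example, not a standard.
    """
    by_id = {f.id: f for f in findings}
    score = finding.likelihood * finding.impact
    open_partners = [by_id[p] for p in finding.chain_with if p in by_id]
    if open_partners:
        score = max(score, finding.likelihood * max(p.impact for p in open_partners))
    return score


def severity(score):
    """Map a 1..25 score onto the four bands a report would use (thresholds assumed)."""
    if score >= 15:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def rank(findings):
    """Return (finding, score) pairs, highest priority first; ties broken by id."""
    scored = [(f, priority(f, findings)) for f in findings]
    return sorted(scored, key=lambda fs: (-fs[1], fs[0].id))


def retest_status(first_test, retest):
    """Compare two reports by finding id: what was fixed, what remains open, what is new."""
    before = {f.id for f in first_test}
    after = {f.id for f in retest}
    return {"fixed": before - after, "still_open": before & after, "new": after - before}


# Constructed sample findings for the first test (not from any real engagement)
FIRST_TEST = [
    Finding("F1", "Default credentials on internal admin console", 5, 4),
    Finding("F2", "Outdated TLS configuration on public web server", 2, 2),
    Finding("F3", "Verbose error page reveals internal hostnames", 4, 1, chain_with=("F1",)),
    Finding("F4", "Missing security patch on file server", 3, 5),
]

# Constructed retest: F1 and F4 were fixed, F2 and F3 remain, F5 appeared after a new deployment
RETEST = [
    Finding("F2", "Outdated TLS configuration on public web server", 2, 2),
    Finding("F3", "Verbose error page reveals internal hostnames", 4, 1, chain_with=("F1",)),
    Finding("F5", "New VPN appliance uses a shared account", 3, 3),
]


if __name__ == "__main__":
    print("First test, in remediation order:")
    for f, score in rank(FIRST_TEST):
        print(f"  {severity(score):8} {score:2}  {f.id}  {f.title}")
    status = retest_status(FIRST_TEST, RETEST)
    print("Retest: fixed", sorted(status["fixed"]),
          "still open", sorted(status["still_open"]),
          "new", sorted(status["new"]))
    print("Retest, in remediation order:")
    for f, score in rank(RETEST):
        print(f"  {severity(score):8} {score:2}  {f.id}  {f.title}")
```

Note what the chaining rule does to the ranking: on its own, the hostname leak (F3) is a low-risk finding, but because it gives an attacker a path to the admin console with default credentials (F1) it is scored as critical in the first test. Once F1 is fixed, the retest scores F3 as low again, so the remediation order changes even though F3 itself was never touched. This is the kind of dependency a report's ranking should make visible rather than listing each finding in isolation.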
Another problem is that the kind of penetration testing offered to SMEs is unlikely to find every weakness. Partly this depends on the scope of the test, which may be quite basic, but it is also because other areas of weakness (such as employees' resistance to phishing attacks) fall outside this type of assessment. How far should an SME go with penetration testing? Arguably, answering that requires first conducting a thorough risk assessment and weighing the cost of the assessment against the cost of an attack.
Is penetration testing really necessary?
To answer this question, organizations need to assess the impact of attacks such as ransomware, which can disrupt their operations for days, weeks, or longer. Cyber insurance is unlikely to cover all of these costs, and there is strong evidence that even when they pay, attacked organizations rarely recover all of their data. There may also be long-term consequences for reputation and compliance. Penetration testing will not eliminate the risk of cyberattacks, but it will significantly reduce it.
In conclusion
Although penetration testing can be a very valuable tool for organizations, it cannot guarantee that they will withstand every cyber risk. A sensible strategy should therefore combine several measures whose compound effect protects the organization within the budget and resource constraints that most leaders have to work with.
A good starting point is to ensure that employees understand the risks, how to spot them, and how to avoid them. Our cybersecurity e-learning course is a cost-effective way to make sure your employees understand the key principles. At the same time, using third-party certification to evaluate your organization's systems and processes, from Cyber Essentials and Cyber Essentials Plus to ISO 27001, provides additional assurance. If you would like to discuss any of these options, please contact us today or request a quote here.