The Vital Importance Of Pen Testing



The sophistication and number of cyber attacks are increasing significantly, and organisations need to manage these growing risks in more advanced ways if they are to remain effective and safer from attack. Doing this well requires regularly testing all IT systems to see how they stand up to new types of attack and what needs to change to maintain security.

That is where Pen, or Penetration, Testing comes in. Penetration testing is vital to protecting an organisation against attack and to giving assurance to its customers, employees and regulators.

Colloquially known as a pen test or ethical hacking, a penetration test is an authorised, simulated cyber attack on a computer system, performed to evaluate the security of that system by finding and exploiting its vulnerabilities.

By commissioning an objective-driven penetration test, an organisation gains valuable insight into its susceptibility to various types of attack.

A typical penetration test follows a pre-defined and approved methodology, and its end result is a report that highlights the security issues and vulnerabilities identified on the agreed assets. The simulated attack aims to identify weak spots in the system's defences that attackers could take advantage of, so that the underlying vulnerabilities can be fixed, the likelihood of a successful attack reduced and the remaining exposure monitored.

When penetration testing is performed properly, the results allow network professionals to make recommendations for fixing the problems within the network that the test uncovered.

  • The main purpose of a pen test is to improve network security and protect the whole network and its connected devices against future attacks.
  • Penetration testing goes beyond identifying vulnerabilities within a network: it attempts to exploit them. That is the distinct difference between a penetration test and a vulnerability assessment.

The terms penetration testing and vulnerability assessment are often confused and used interchangeably when in reality, the two terms have separate meanings.

A penetration test should be thought of as similar to a financial audit. Your finance team tracks expenditure and income day to day. An audit by an external group ensures that your internal team's processes are sufficient. Penetration testers use the same tools, techniques, and processes as attackers to find and demonstrate the business impacts of weaknesses in a system. Penetration tests usually simulate a variety of attacks that could threaten a business. They can examine whether a system is robust enough to withstand attacks from authenticated and unauthenticated positions, as well as a range of system roles. With the right scope, a pen test can dive into any aspect of a system.

This is also like a bank hiring a burglar to try to break into its building and gain access to the vault. If the 'burglar' succeeds in getting into the bank or the vault, the bank gains valuable information on how it needs to tighten its security measures.

Typically, penetration tests are used to identify the level of technical risk emanating from software and hardware vulnerabilities. Exactly what techniques are used, what targets are allowed, how much knowledge of the system is given to the testers beforehand and how much knowledge of the test is given to system administrators can vary within the same test regime.

In the first six months of 2017, two billion data records were stolen or impacted by cyber-attacks, and ransomware payments reached US$2 billion, double that in 2016. In 2020, with the increase of remote work as an effect of the COVID-19 global pandemic, cyber security statistics reveal a huge increase in hacked and breached data. 
The worldwide information security market is forecast to reach $170.4 billion this year. 

Professional Hackers & Cyber Terrorists

Professional hackers, whether working on their own or employed by government agencies or the military, look for computer systems with unpatched vulnerabilities or missing security controls. Once such a vulnerability is found, they can infect the system with malicious code and then control it remotely, sending commands to read its contents or to use it to attack other computers.

For that code to work there needs to be a pre-existing flaw in the target, such as an unpatched vulnerability, a faulty configuration or the absence of protective software.

Some professional hackers go on to act as cyber criminals or cyber terrorists, for financial gain or other reasons. Penetration tests can work in different ways, and there is no single comprehensive method that everyone uses, because cyber attacks are constantly changing and evolving. A pen test needs to take into account the types of attack that affect the industry and line of work the organisation being tested is part of.

It is best to have a pen test performed by someone with little or no prior knowledge of how the organisation's IT systems are secured, because they may expose blind spots missed by the developers who built the system. For this reason, outside contractors are usually brought in to perform the tests. These contractors are often referred to as 'ethical hackers' since they are hired to hack into a system with permission and for the purpose of improving security.

Many ethical hackers are experienced developers with advanced degrees and a certification for pen testing. On the other hand, some of the best ethical hackers are self-taught. 

In fact, some are reformed criminal hackers who now use their expertise to help fix security flaws rather than exploit them. The best candidate to carry out a pen test can vary greatly depending on the target company and what type of pen test they want to initiate.  

Typically, pen testing begins with information gathering: finding out as much as possible about the system being targeted. From there, testers move on to the attack itself, for example bypassing a firewall to breach a system.

Once vulnerabilities have been successfully exploited, testers may use the compromised systems to find other weaknesses that give them higher and deeper levels of access to assets and data. Information about the weaknesses identified or exploited during the test is then written up in a report that drives the remediation effort.

Some of the “broad strokes” of a penetration test include:  

1.    Assigning a person or team to act as “white hat” hacker(s) to conduct the test at a randomised date and time. 

2.    Vulnerability management team members scanning the IP addresses of different assets on the network to identify assets using services or operating systems with known vulnerabilities.

3.    The penetration testing team conducting a series of simulated attacks against the network using different attack methods. These attacks may target known vulnerabilities from the preliminary scan.

4.    The organisation attempting to detect, investigate, contain and stop the attack as if it were a real one. Depending on how the attack is conducted, the security team may not know it is a pen test rather than a real attack.

It is important for the pen test team to be careful when conducting the test. If the test is carried out poorly, it could cause actual damage to the target systems, resulting in congestion or outright system crashes for some network assets. 
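As an added example (not code from the original article or from any of its sources), the following Python sketch covers the scoping and scanning steps above: it refuses to touch any address outside the written authorisation, and it triages scan results so that the attack phase starts only from agreed targets. The scope, the service inventory, the banners and the version thresholds are all constructed placeholders for this example, not real findings or advisory data.

```python
"""Scope enforcement and service triage for the discovery phase of a pen test.

Added example, not from the original article. The authorised scope, the
service inventory and the version thresholds below are all constructed
placeholders (RFC 5737 documentation addresses, made-up banners); the
thresholds are not a vulnerability database and would be replaced by the
tester's own research for the engagement.
"""
import ipaddress
import re

# Constructed rules-of-engagement scope: what the signed authorisation covers.
SCOPE = {
    "in_scope": ["192.0.2.0/24", "198.51.100.10/32"],
    "excluded": ["192.0.2.250/32"],   # e.g. a fragile legacy host the client ring-fenced
}


def in_scope(host, scope=SCOPE):
    """Return True only if host is inside an authorised range and not
    inside an explicit exclusion. Anything unparseable is refused."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    excluded = (ipaddress.ip_network(n, strict=False) for n in scope["excluded"])
    if any(ip in net for net in excluded):
        return False
    allowed = (ipaddress.ip_network(n, strict=False) for n in scope["in_scope"])
    return any(ip in net for net in allowed)


# Constructed inventory as a tester might record it from a port/banner scan:
# (host, port, banner). Two entries deliberately fall outside the scope.
INVENTORY = [
    ("192.0.2.10", 22, "SSH-2.0-OpenSSH_7.4"),
    ("192.0.2.20", 80, "Apache/2.4.49 (Unix)"),
    ("192.0.2.250", 445, "Samba 3.6.3"),          # excluded by the client
    ("203.0.113.5", 22, "SSH-2.0-OpenSSH_9.6"),   # not in the authorised ranges at all
    ("198.51.100.10", 443, "nginx/1.25.3"),
]

BANNER_RE = re.compile(r"(OpenSSH|Apache|nginx|Samba)[/_ ]?(\d+(?:\.\d+)+)")


def parse_banner(banner):
    """Extract (product, version tuple) from a service banner, or None."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    version = tuple(int(part) for part in m.group(2).split("."))
    return m.group(1), version


# Placeholder thresholds: versions below these are flagged for manual
# verification against the tester's own vulnerability research. Constructed
# for this example; not real advisory data.
FLAG_BELOW = {
    "OpenSSH": (8, 0),
    "Apache": (2, 4, 50),
    "Samba": (4, 0),
}


def triage(inventory, scope=SCOPE, flag_below=FLAG_BELOW):
    """Sort scanned services into out-of-scope (never touched), flagged
    (candidate targets for the attack phase) and clean/unrecognised."""
    results = {"out_of_scope": [], "flagged": [], "clean": []}
    for host, port, banner in inventory:
        if not in_scope(host, scope):
            results["out_of_scope"].append(host)
            continue
        parsed = parse_banner(banner)
        if parsed is None:
            results["clean"].append((host, port, "unrecognised banner, verify manually"))
            continue
        product, version = parsed
        threshold = flag_below.get(product)
        label = f"{product} {'.'.join(map(str, version))}"
        if threshold is not None and version < threshold:
            results["flagged"].append((host, port, label))
        else:
            results["clean"].append((host, port, label))
    return results


if __name__ == "__main__":
    for bucket, items in triage(INVENTORY).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

The scope check runs before anything else on purpose: an address that is unparseable, outside the authorised ranges or inside a client exclusion is never scanned, let alone attacked, which is what keeps the test on the right side of the written authorisation. In a live engagement the inventory would come from a rate-limited scan run inside the agreed testing window, precisely to avoid the congestion and crashes on fragile hosts described above, and every flagged entry is a lead for manual verification rather than a confirmed vulnerability.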

The Difference Between Pen Testing & Vulnerability Assessment

Pen tests are not the same as vulnerability assessments, which produce a prioritised list of security weaknesses and how to fix them, although the two are often performed together. Pen testing is usually conducted with a particular goal in mind. These goals typically fall under one of the following three objectives:

1.    Identify hackable systems. 

2.    Attempt to hack a specific system.

3.    Carry out a data breach.

Each objective focuses on specific outcomes that IT leaders are trying to avoid. For example, if the goal of a pen test is to review how easy it is for hackers to breach and use the organisation’s database, the ethical hackers would be instructed to try and carry out a data breach. 

The results of a pen test not only communicate the strength of an organisation's current security controls; they also describe the methods an attacker could use to penetrate the organisation's systems.

Here Are Some Different Types Of Pen Tests

Open-box pen test - In an open-box test, the tester is given some information ahead of time about the target company's systems and security arrangements.

Closed-box pen test - Also known as a ‘single-blind’ test, this is one where the hacker is given no background information besides the name of the target company. 

Covert pen test - Also known as a ‘double-blind’ pen test, this is a situation where almost no one in the company is aware that the pen test is happening, including the IT and security professionals who will be responding to the attack. For covert tests, it is especially important for the hacker to have the scope and other details of the test in writing beforehand to avoid any problems with law enforcement. 

External pen test - In an external test, the ethical hacker goes up against the company’s external-facing technology, such as their website and external network servers. In some cases, the hacker may not even be allowed to enter the company’s building. This can mean conducting the attack from a remote location or carrying out the test from a truck or van parked nearby.

Internal pen test - In an internal test, the ethical hacker performs the test from the company’s internal network. This kind of test is useful in determining how much damage a disgruntled employee can cause from behind the company’s firewall.

It's not uncommon for a year or more to elapse between penetration tests, which is similar to the timing of accounting Audits. So, vulnerabilities could exist for long periods of time without you knowing about them if this is your only means of validating security.

Third party penetration tests should be performed by qualified and experienced staff only. By their nature, penetration tests cannot be entirely procedural, an exhaustive set of test cases cannot be drawn up. Therefore, the quality of a penetration test is closely linked to the abilities of the penetration testers involved.

Technological innovation is one of the greatest, if not the greatest, challenges facing cyber security. As technology continues to evolve, so do the methods cyber criminals use. For companies to protect themselves and their assets from these attacks, they need to update their security measures at the same rate. The caveat is that it is often difficult to know which methods are in use and how they might be applied in an attack. By using skilled ethical hackers, organisations can quickly and effectively identify, update and replace the parts of their systems that are particularly susceptible to current hacking techniques.

Pen Tests that are not done properly can crash servers, expose sensitive data, corrupt crucial production data, or cause a host of other adverse effects associated with mimicking a criminal hack.

When a pen test is performed properly and in a benign manner to simulate a network exploit, your business will stay on top of whether or not there are potential security risks within your network. The pen test is very similar to a disaster recovery or fire drill to ensure your business is prepared in the event of a catastrophe. 

Penetration testing should be performed regularly, but not on a predictable schedule, so that IT and network security management is checked and monitored more consistently.

A pen tester will reveal how newly discovered threats or emerging vulnerabilities could be exploited by attackers. In addition to the regularly scheduled analysis and assessments required by regulatory mandates, tests should also be run whenever there is a suspicion that network integrity has been compromised.
