Historically, mainly due to legal or regulatory requirements, the public sector, utilities, pharmaceutical companies and financial institutions — all involved in processing sensitive data — have been the predominant users of penetration testing. However, an increasing array of organizations now conduct penetration testing, not just for compliance reasons, but because of the online nature of nearly all businesses today and the increasing threat from real cyberattacks.
A penetration test, or pen test, uses a variety of manual and automated techniques to simulate an attack on an organization’s information security architecture — either from malicious outsiders or from insider threats. It generally falls into two categories: applications (including mobile) and devices, and infrastructure, including servers, firewalls and hardware.
Built around a manual testing process, pen testing is intended to go much further than the generic responses, false-positive findings and lack of depth provided by automated application assessment tools (such as those used in a vulnerability assessment). Through simulations and linking together potential vulnerabilities in new ways, pen testing gives organizations a valuable deeper dive into where their vulnerabilities lie and uncover ones that may not have been previously evident.
For organizations who have not executed pen testing, it’s advisable to consider the practice in three steps:
1.) Getting Ready: Considering the drivers for testing; the purpose of testing, and target environment and appointing suitable suppliers to perform tests.
2.) Testing in Action: Conducting penetration tests enterprise-wide, approving testing style and type; allowing for testing constraints; managing the testing process; planning for and carrying out tests effectively; as well as identifying, investigating, and remediating vulnerabilities
3.) Follow Up: Carry out appropriate follow-up activities, remediating weaknesses, maintaining an improvement plan, and delivering an agreed action plan.
Here are some of the key considerations for each step:
Getting Ready. Deciding what an organization wants to test can lead to time-consuming debate and stall getting pen testing underway. Many organizations help simplify the decision-making process by using the services of a trusted, specialist organization to help them define the scope of the test, identify requirements, and develop a management framework. Often, these highly experienced specialists continue to conduct the testing based on the pre-approved scope.
A third-party specialist can provide more experienced, dedicated technical staff who understand how to carry out penetration tests effectively. The specialist can also perform an independent assessment of security arrangements before carrying out a full range of testing (e.g. black, white or grey box; internal or external; infrastructure or web application; source code review; and social engineering).
In evaluating third-party providers, look for a trusted, certified external company that employ professional, ethical and highly technically competent individuals. CREST, for example, is a penetration testing certification organization whose members fully meet these requirements, having been awarded the “gold standard” in penetration testing. They build trusted relationships with their clients by adhering to these high standards.
Working with a third-party provider, a senior management team should be appointed with responsibility for establishing and overseeing the penetration testing program, ensuring that it meets business requirements, and the scope of testing is agreed upon.
Organizations sometimes want to adopt an ad hoc or piecemeal approach, often depending on the needs of a particular region, business unit — or the IT department. While this approach can meet some specific requirements, it is unlikely to provide real assurance about the security condition of a system across the enterprise. Consequently, it is more effective to adopt a systematic, structured approach to penetration testing as part of an overall testing program, ensuring that business requirements are met, major system vulnerabilities are identified and addressed quickly and effectively, and risks are kept within acceptable business parameters.
Testing in Action. Basic actions before beginning pen testing are determining the depth and breadth of testing; what type of pen testing is required, the critical assets and infrastructure elements to be analyzed, and setting the organization’s tolerance for disruptive risks caused by testing. These risks include potential system failure and exposure of sensitive data.
Another important aspect is keeping current on business processes, applications, end user environments and other IT systems, so that pen testing is conducted early enough in a project’s lifecycle to be effective and identify new vulnerabilities.
Pen testing itself is evolving. An emerging practice is combining Red Teaming and Blue Teaming during testing. Red Teams go beyond the network infrastructure or applications to identify potential weak points and string together seemingly unrelated vulnerabilities to create composite attack scenarios. By doing so they challenge the organization’s assumptions around security. Blue Teams can focus on defending against Red Team attack simulations. Combining the two offers new insights into vulnerabilities that may not have been on the radar before. Blue Teams can also conduct defense analysis of patch management and perform other security evaluations to allow pen testing to find more in-depth issues.
One cautionary note: Pen testing is not a panacea for an overall weaker security infrastructure. It covers just the target application, infrastructure or environment that has been selected. Before engaging in pen testing conduct a reality check of your cyber hygiene: are your malware protection, firewalling, system/ network patching and vulnerability assessments all up to speed?
Follow-up Principles and Practices. Once each penetration test is complete — and any identified vulnerabilities have been addressed — it can be tempting to draw a line under the process and return to business as usual. However, to reduce risks both in the longer term and across the whole organization, it is useful to carry out a range of follow-up activities. The immediate need is to conduct any remediation of weakness uncovered, identify the root causes of these vulnerabilities, then take action. Since the organization is continually changing its IT infrastructure and application usage, pen testing results can help define the next appropriate round of testing.
Lastly, a common mistake organizations make is assuming, that by fixing vulnerabilities uncovered during a penetration test, their systems will then be ‘secure.’ As one executive said, “Organizations should not describe themselves as secure — there are only varying degrees of insecurity.”
It’s smart to think of IT security infrastructure as a constantly moving target for cyberattacks and continue to use pen testing as part of the cyber defense tactics to improve security.