What is Penetration Testing?
Cybersecurity should be front of mind for every organisation, especially in the wake of the current global pandemic. Our ways of working have changed immensely, with a surge in the volume of remote workers using different networks, devices, and platforms. Meanwhile, our businesses are using cloud computing and IoT technologies to facilitate new ways of working, reduce costs, and improve performance. The result is that the attack surface has increased, and with that comes an increase in the volume of cyber threats.
Cybercrime has been constantly rising over recent years with attacks becoming more frequent, varied, and sophisticated. The numbers speak for themselves. The Ponemon Institute’s 2019 data breach report showed the average cost of a breach to be a huge $3.92 million with costs lasting for years after the attack. Penetration testing mimics these cyberattacks, testing the security of an organisation and its ability to fight back. In this blog, Security Practice Director, Saaim Khan explains what penetration testing is, the different types of testing, and the benefits to an organisation.
What is Penetration Testing?
Penetration testing, otherwise known as pen testing, is a simulated cyber-attack. While every organisation will have security defences in place, they are often not tested until it’s too late – when a cybercriminal undertakes an attack. Penetration tests aim to:
● Discover weaknesses in infrastructure, applications, and people.
● Discover whether implemented controls are effective.
● Discover new bugs in existing software.
Ultimately, penetration testing is a security exercise that aims to identify weak spots that cyber threat actors could take advantage of. Once identified, it gives businesses the chance to remedy or patch these weaknesses and implement new security policies to ensure they are operating with an acceptable level of risk and in line with regulations and industry standards.
How is Penetration Testing Achieved/Performed?
Pen tests are generally carried out by outside contractors who have little prior knowledge of the system or organisation in question, since they are better placed to expose blind spots that insiders overlook. Penetration testers, otherwise known as ethical hackers, can be experienced developers/security consultants or reformed criminal hackers. Regardless of who is carrying out the test, however, the process will include planning, reconnaissance, gaining access, and analysis.
After completing a penetration test, the ethical hacker will share their findings with the target company’s security professionals. The information can be used to improve security, patch vulnerabilities, and enforce tighter policies.
The Different Types of Penetration Testing
While all penetration testing follows stages of reconnaissance, attack, and analysis, there are different methods that can be used. Choosing between them is, ultimately, the planning phase of a pen test, where the scope and testing methods are decided upon. The key types of penetration testing include:
- External testing – targeting a company’s external-facing assets such as the company website, email, and domain name servers. The aim is to assess the effectiveness of a company’s firewalls and other intrusion-prevention systems.
- Internal testing – targeting an application behind a company’s firewall, imitating an insider attack within the company’s internal network. The aim is to determine how much damage a disgruntled employee or malicious actor with stolen employee credentials could cause.
- White box testing – targeting a company with the tester given some information about the target company’s systems and security ahead of time. The aim is to simulate a malicious insider who has knowledge of the target system.
- Black box testing – targeting a business blindly with only the business name as a starting point. The aim is to imitate a real-time assault.
- Covert testing – targeting a business double-blind with no background information and the majority of the company, including the security professionals, having no prior knowledge of the attack. The aim is to simulate a real-world situation where the company isn’t expecting the breach to take place.
- Targeted testing – targeting a business with the security personnel’s knowledge, working together, and explaining each other’s movements. The aim is to create a valuable training exercise with real-time feedback from a hacker’s viewpoint.
The Benefits of Penetration Testing
According to PwC’s Global State of Information Security Survey, only 38% of organisations are prepared for a sophisticated cyber-attack. When this is coupled with the astoundingly high average cost of today’s data breaches, companies need to prepare themselves. By employing the services of pen testers, organisations can gain a fresh opinion, implement a combination of methodologies to simulate attacks, gain remediation advice, and fully evaluate their risk exposure to make informed business decisions.
Penetration testing is one of the most effective ways for companies to truly discover the vulnerabilities in their organisation and its security systems. However, pen testing isn’t a one-off activity: the cyber landscape is constantly evolving, and threats are becoming ever more sophisticated. Penetration testing should be carried out regularly to ensure cyber controls are working.
To understand a bit more about InfoTrust’s Security Assurance services click here.