The rise of penetration testing
With the shift to remote working and businesses more vulnerable than ever, cyber attackers have taken this opportunity to take advantage of thousands of businesses and people around the world. In 2020 cybercrime rates have increased dramatically and it is very likely that the numbers will continue to rise.
This makes it more important than ever to perform regular vulnerability scans and penetration tests to find and fix vulnerabilities and ensure that your organization is protected against cyber attacks. Penetration testing can help bolster existing cyber defenses while keeping the business secure.
Therefore, we spoke to industry experts so that they could shed some light on this topic!
What is penetration testing?
According to the NCSC (National Cyber Security Centre), a penetration test is a method of assessing the security of a computer system by attempting to breach all or part of the security of that system, using the same tools and techniques as an adversary.
To simplify, Scott Cardow, General Manager, and Jordan Carter, Penetration Tester, at Precursor Security explain that a penetration test is a controlled attack against a system, service or application that uses real-world attack techniques, with the aim of finding security vulnerabilities that can affect an organization's ability to maintain the confidentiality, integrity or availability of its systems and data.
Therefore, it should only be carried out by a suitably qualified Ethical Hacker, with the authorizations and scope of the assessment agreed with the client beforehand.
“Penetration testing should be seen as one of the key elements of an overall security strategy. “
David Tyler, Penetration Tester & Cyber Risk and Compliance, adds that penetration testing is an authorized hacking assessment performed by Ethical Hackers, where the tester is given a clear scope of engagement and goals. This leads to a top-down assessment of risks and vulnerabilities in the target’s environment.
This provides the client with an actionable report that clearly defines risks and weaknesses.
Why is it essential?
Penetration testing is as good as it ever was and can be considered more necessary than ever, Jordan and Scott tell me.
Indeed, the number of cyber attacks against organizations is increasing year on year, and companies of all sizes are targeted by criminal hacking groups or state actors. The approach to security has evolved over the past few years, however, to focus on a continuous view of security and vulnerabilities, whereas a single penetration test is a one-time assessment and is therefore limited in that respect.
Nevertheless, by performing a penetration test to identify vulnerabilities in a system or infrastructure, an organization can take steps to address those weaknesses before a malicious actor (hacker) finds and exploits them for illegal purposes.
David emphasizes that penetration testing should be considered part of the standard process for any change or introduction to a network or code in an application. Every change can lead to major security vulnerabilities for the organization and its supporting infrastructure.
Penetration testing is only part of the solution; training and introducing best practices from the start are also necessary.
Jordan and Scott also stress that penetration testing is a highly skilled business and should only be performed by properly qualified organizations. CREST (Council of Registered Ethical Security Testers) is a UK non-profit organization through which you can identify reputable cybersecurity consultants and find extensive resources on implementing a successful penetration testing program.
Additionally, they stress the importance of understanding the scope of the assessment you wish to undertake. The best way to do this is to have a conversation with the security consulting firm and make sure that all parties are aware of what is expected, that the test coverage is as expected, and most importantly, that the required permissions are in place.
The best strategies
Penetration testing strategies may vary from company to company, Jordan and Scott point out, but the fundamentals remain the same. They suggest identifying and agreeing on the scope, the test window, and any necessary backups.
The test itself will use a combination of automated and manual aspects and will consist of several steps as follows:
- Collecting information
- Discovery and scanning
- Vulnerability Assessment
- Final analysis and review
- Action on test results
Then, they continue, the consulting firm’s deliverable should be a detailed report listing the vulnerabilities found. These are often scored using the CVSS (Common Vulnerability Scoring System) method. Finally, the report should also contain recommendations on how best to remediate the findings, either directly or through compensating controls.
Penetration testing is essentially an ethical hacker using the same methodology and tools that a criminal hacker might use, David points out. It is usually not a true attack simulation, but rather a method of discovering as many vulnerabilities as possible and how they could be exploited further to gain more information or to dig deeper into a network. Therefore, the best strategy for penetration testing is not to think of it as a simulation, but to open up the scope and testing as much as possible. Removing barriers such as a web application firewall (WAF) to help the penetration tester uncover vulnerabilities is justified because a test is a time-boxed exercise, whereas a real attack takes as long as the attacker wants.
It’s also best to remember that a test is only a snapshot in time, and when new vulnerabilities and exploits are discovered the risk increases as well. This is why an annual test is recommended.
According to Jordan and Scott, penetration testing is a great way to establish a baseline and identify where your organization’s cyber defense weaknesses lie.
It is also increasingly requested by purchasing teams when integrating a service or product, with checks to ensure that the service or product they are considering is regularly pen tested. In addition, there are other compliance drivers such as ISO 27001 and PCI DSS, among others.
Yet the main benefit of Pen testing is understanding how secure (or not) the test target is. This is essential given that today it is a question of when an attack will occur, not just if.
David also points out that penetration testing can give the organization a bird’s eye view of its infrastructure and the associated risks. This allows fixes and mitigations to be planned and put in place, which tends to be more cost effective than waiting for a real hack to occur and the organization to be compromised.
… and the challenges
The challenges people face with penetration testing often begin with the ability to articulate the value of a test to decision makers within their organization.
Indeed, Jordan and Scott point out that many companies consider themselves too small to be hacked, and do not present an attractive target for hackers. Therefore, they claim that they do not need a Pen test. This is not at all true and even the smallest businesses are now hit with ransomware, indiscriminate scans and automated attacks by hackers looking for quick and easy to exploit targets!
In addition, they continue, challenges at the resource level are common, as most organizations do not have an internal security team qualified in penetration testing.
The initial challenge is to find a consultant you can trust to do the job properly. Lately, unscrupulous companies have claimed that they are performing pen testing, when in fact all they are doing is an automated vulnerability scan (which is obviously not a pen test!).
In addition, there are also many technical challenges which may vary depending on the type of test performed. An external web application test is quite different from an internal infrastructure test for example and requires different knowledge and skills.
They point out that testing is best done in environments representative of the live estate, but these are often not available, so again the challenge for the pen tester is to perform the test in a controlled manner without impacting the live service. It is a common misconception that pen testing seeks to “break” a system. This is not the case, and in fact a primary goal should be to do no harm!
David adds that some organizations think you only need to do it once. But as hacking tools improve and more vulnerabilities emerge, new avenues of attack are always found. Therefore, it should be used as part of continuous improvement and not on an ad hoc basis.
The future of penetration testing
Jordan and Scott both believe penetration testing will evolve in the years to come, but will remain fundamentally a key part of a strong overall security program.
“Defense in depth is key to staying as safe as possible, and a penetration test will continue to be part of those efforts.”
David believes security testing, in general, will become more important as governments impose tougher penalties for compromising customer data. Organizations will then need to decide how best to embed security in their lifecycle and corporate culture.
Special thanks to Scott Cardow, Jordan Carter and David Tyler for their insight on the subject!