In a recent edition of “Insights”, we discussed the importance of regularly conducting a penetration test on your systems – as a method for gaining a measure of assurance in respect of your organisation’s vulnerability assessment and management processes. Much like a financial audit, a penetration test is designed to measure the level of technical risk arising from the software and the efficiency of your current security controls.
Let's remind ourselves of a key takeaway from the previous edition, in terms of why every organisation should consider penetration testing:
- Testing helps organisations assess their security posture by providing them with detailed information about potential vulnerabilities in their network. This information can then be used to patch any flaws before they can be exploited by malicious actors.
- It allows them to stay one step ahead of attackers as they will identify any new threats quickly and take action accordingly. This proactive approach ensures that their data remains secure from harm.
- A penetration test allows them to understand their attack surface area so they can better prepare for future cyber-attacks and respond more efficiently if an incident does occur. Knowing which components of the system could be targeted gives them a much better chance of defending themselves from attack than if they waited until after the fact.
- In some industries, penetration testing is a requirement as part of compliance; this is particularly relevant in the healthcare industry when working with the National Health Service (NHS) through digital services, or as part of Cyber Essentials Plus certification.
However, while the above benefits seem fairly straightforward – there are a variety of penetration testing methods that can be carried out, to achieve those goals and objectives.
As such, it is important to understand what they are and the objectives they suit best – to ensure that when your organisation invests in penetration testing, the money is well spent and your core objectives are met.
In this special double edition of Insights (Part 2 to follow soon), we'll examine the different kinds of penetration testing and look at the scenario in which each is best put to use.
Why carry out a penetration test at all?
No plan or procedure, regardless of its context, can ever be fully relied upon to be fit for purpose – until one of two things happen:
- It is deployed in real life, with negative consequences to your organisation and its people if it fails, or
- It is proactively tested in a safe and secure way, by experts, to assess its robustness and capacity to defend your organisation in the face of a real life attack
This is why your cyber security defences should be tested regularly, by experts, to give you confidence that the products and security controls tested have been configured in accordance with good practice – so that in the event of a real-life cyber-attack, your organisation has sufficient defences in place to:
- Repel the attack, and
- Recover appropriately, with the minimum impact on your operations, customers, staff and stakeholders
The big question?
What kind of penetration test (or tests) does your organisation need to invest in?
Types of Penetration Test
In Part 1, we'll focus on 5 types of penetration testing methods, all of which are technical in nature. The human side of penetration testing will feature in Part 2:
- Network
- Web Application
- Wireless
- Internet of Things (IoT)
- Mobile App
- 73% of successful breaches in the corporate sector were carried out by penetrating web applications through their vulnerabilities (Source: Astra Security)
- According to the Ponemon Institute, 1 in 5 companies do not test their software for security vulnerabilities
- Only 5.3% of cyberattacks against financial institutions are successful, but that is because the financial sector was full of early adopters of penetration testing and cybersecurity (Source: ERM Protect)
- The top 3 areas of focus for penetration tests are servers, web applications, and databases (Source: Astra Security)
- Only 32% of organizations said they conduct a pentest annually or bi-annually (Source: Astra Security)
- In 2021, 75% of penetration tests revealed a “medium risk flaw”; in 2019 it was 20% (Source: Bulletproof)
Types of Testing Methodology
Below we take a deeper dive into technical penetration testing, examining the logic and benefits of each test type and the kind of scenario in which each is most effective.
Network Penetration Testing
Perhaps what most of us have in mind when we hear the phrase “penetration testing”, network infrastructure penetration testing is a robust and in-depth assessment of the security of your business network and systems. The objective is to identify any cyber security vulnerabilities that could be used to compromise your on-premises and/or cloud environments.
With your permission, experts carry out a simulated attack on your network, from both an external and an internal attacker's perspective, designed to identify any vulnerabilities and to assess the effectiveness of your technical security controls.
The results provide invaluable insights and a hugely beneficial basis for improving your defences.
Web Application Penetration Testing
A web application penetration test is designed to identify security vulnerabilities in an application that is accessible over the internet and may be offered to customers as a product or a service. Its purpose is to confirm that the application is secure and that the integrity, availability and confidentiality of its data cannot be compromised.
Testing your organisation in this way can help to identify security vulnerabilities in your databases, source code and backend networks. Once these are identified, the test supports the prioritisation of next steps and the selection of the best solutions for closing the gaps, which in turn reduces your risk.
Wireless Penetration Testing
The objective of wireless penetration testing is to test your organisation's wireless (WiFi) security configuration, as this is one of many methods an attacker may use in order to gain access to your organisation and its assets.
The test will usually examine the networks you have in place, the strength of their security and which devices connect to them.
Wireless testing is a crucial element of the overall penetration testing process, as wireless networks represent an attractive route for attackers who wish to access and/or harm your organisation.
Once completed, the test will provide prioritised configuration recommendations to secure the wireless network against the risks identified.
IoT Penetration Testing
IoT is another key focus of your testing strategy, as current growth rates suggest that IoT devices now make up 30% of all devices on business networks. While providing great benefit to both your employees and customers, IoT devices also bring with them significant risk.
The Internet of Things (IoT) is already changing the world around us, both in our personal lives and in how we do business – delivering an expected $13 trillion in economic value in the next 10 years (McKinsey Study).
“IoT” is defined as the network of physical objects (things) that are embedded with sensors, software, and other technologies – for the purpose of connecting and exchanging data with other devices and systems over the internet. That level of connectivity and risk, with an expected 22 billion devices in use by 2025, makes the IoT a very attractive target for cyber criminals.
On that basis, we recommend that testing is carried out on any device that will be connected to a network as part of business operations. Any IoT device deployed within your organisation represents both a financial and a reputational risk, and the evaluation delivered by an IoT penetration test will help to identify any misconfigurations, along with remediation actions to strengthen your security framework.
Mobile App Penetration Testing
If your organisation has developed and provides a mobile application to either your customers or staff, a test of its security standards will be an essential addition to your overall cyber security strategy.
Apps provide convenience and enable us to be more productive, which means our mobile devices become an ever more essential part of our daily lives and business operations. As is so often the case, “convenience” comes hand in hand with increased risk, and because apps process such high volumes of data, they are a very popular target for cyber criminals.
A recent study suggested that approximately 60% of organizations that have suffered data breaches could trace the incident back to an insecure mobile application (app). It is critical therefore to ensure that your mobile app is able to repel attacks, with penetration testing the most effective way to check its defensive capabilities.
Our colleagues at the National Cyber Security Centre (NCSC) noted in a recent article:
“Penetration testing is a core tool for analysing the security of IT systems, but it’s not a magic bullet.”
That does not make testing any less crucial, but it does remind us that there is no 100% guarantee that investment in cyber security can or will defend any organisation against attack. What it can and will do is shine a spotlight on any gaps in your defences that can subsequently be closed, in turn reducing both the risk of a cyber-attack and the impact should one occur.
Primarily, penetration tests are crucial to an organization’s security – because they serve as a useful tool for examining whether an organization’s security policies are genuinely effective.
Proper scoping and context are key to investing wisely and to adding value every step of the way. We strongly recommend that your investment in penetration testing is in proportion to your risk, and that you use a reputable and experienced provider.
In Part 2 of our deep-dive into Penetration Testing, we will examine the more “human-led” types of testing methodologies:
- Social Engineering (Phishing, Smishing and Vishing)
- Red Teaming