Penetration testing guide
It’s no secret that the frequency of cyber attacks is increasing, and this, therefore, means an increased need for penetration testing. But what is penetration testing, and how does it lend itself to improving the overall cyber security of your business?
What is penetration testing?
Penetration testing is carried out by specialist security testers who conduct a controlled and simulated attack on a distinct area of your systems, such as a network, device or web application to find weaknesses before any breach has occurred.
The pen tester, or ethical hacker, would try to identify possible vulnerabilities within your network which are exploitable and a risk to your business. By doing this, they can simulate the experience of a cyber attacker where they would then use this sensitive information to elevate their admin privileges or take complete control of your business network.
Building an appropriate penetration testing programme is a vital step towards ensuring your organisation’s security measures are efficient, robust, and will protect your business from a data breach.
Does my business need penetration testing?
The short answer is yes. If your business has a computer system or a website offering services to the public, penetration testing will identify vulnerabilities in your system before cyber criminals can. Whatever the size of your business, pen tests are important to ensure your sensitive information is protected against all types of malware and ransomware attacks.
Cyber attacks can cause many financial losses that organisations aren’t initially aware of. In the majority of breaches, there is normally GDPR-type data that is stolen, and this is where businesses will suffer reputational damage, as well as fines and lost earnings from network downtime. Penetration tests help eliminate these risks while also meeting compliance and regulatory requirements, such as ISO 27001.
If your machine is found to be on the internet and vulnerable, then someone at some stage is going to try to exploit it.
Richard Hughes | Head of Technical Cyber Security
A&O IT Group
What are the types of penetration tests available?
This is where the security tester will begin with no prior knowledge of a network or specific brief, which is designed to simulate the approach of real-world hackers.
While it is the most realistic form of pen test, you won’t necessarily find vulnerabilities as quickly because the pen tester is uncovering what they can find as they go.
With white-box testing, your pen tester will have privileged information about your network and will have agreed on some areas of focus with you prior to the test.
This will result in a quicker and often deeper understanding of your vulnerabilities, and ultimately will give the most value.
Grey-box testing sits somewhere in the middle where your security tester will work with limited information, such as the topography of your network to uncover critical issues like admin access.
What are the standards for penetration testing?
Depending on the size of the individual organisation, penetration tests should generally be carried out at least once a year. However, if you’re in a sensitive environment such as banking or finance, or if you’re a large manufacturing company that often integrates new technology into your network, it’s likely you will need to carry out a penetration test at least twice a year.
Your company may also need to comply with specific security regulations, for example, businesses that have to maintain the Payment Card Industries Data Securities Standard (PCI DSS), which will dictate the need for a pen test every six months.
If companies deploy any new infrastructure or applications, or make any changes (to firewall rules, updating of firmware, patches and upgrades to software), a penetration test should be carried out to ensure no new security risks have made their way into your systems.
It’s important to reach out to a qualified penetration testing service provider, registered to a standard body such as CREST, that can give you bespoke advice about your organisation and its requirements.
What are the causes of vulnerabilities to your network?
Companies face on average 1,185 phishing attempts every month, and without sufficient security awareness training, coupled with the fact that many people are now working from home, it’s much easier for hackers to manipulate employees to carry out damaging actions or divulge sensitive information.
A reputable cyber security service specialist would work with your bespoke requirements and that includes re-educating staff on the importance of cyber awareness.
Another culprit of system vulnerability is security misconfiguration. Where companies move from test systems and production systems and do not have a configuration management system in place. By attempting to manually configure your systems, mistakes can easily be made, for example, not checking an important tick box or selecting too weak cyphers for your web server.
It’s incredibly easy to miss those deep technical points which will likely lead to a significant vulnerability to your network.
Unsecured networks can also be incredibly damaging to the cyber security of your business. Without this important protection, any user on your network can be exposed to malware.
It’s also important to ensure every computer accessing your network is up-to-date with their antivirus software, VPN, and also that they’re using the corporate network rather than the guest network.
What is included in a penetration test report?
After your penetration test has been carried out, you will receive an in-depth hard copy report which contains a list of all the vulnerabilities that have been discovered. You will be able to see the details of each vulnerability, why it’s a problem and a description of what you need to do to remediate this.
Included in your report would also be a higher-level summary to provide an understanding of the security posture of whichever application or environment was being tested. This may be particularly useful for management or C-suite level and would be jargon-free, solely focusing on what was found and the risks it poses.
At A&O IT Group, we also include a traffic light system, using low, medium, high and critical to describe the risk posed specifically to your business. Our experts would consider the impact and risk to your particular organisation, and we would work with you directly, having conversations and setting up sessions with your internal teams to mitigate these vulnerabilities.