With the shift to remote working and companies left more vulnerable than ever, cyber-attackers have used this opportunity to take advantage of thousands of enterprises and people all across the world. In 2020, the rates of cybercrime increased immensely, and it is very likely that the numbers will continue to rise.
It is then becoming more important than ever to undertake regular vulnerability scans and penetration testing so as to avoid vulnerabilities and make sure that your organisations are protected against cyberattacks. Penetration testing could help enhance the cyber defenses in place all the while ensuring the safety of the company.
Hence, we have talked to experts in the industry so they can shed light on this topic!
What is penetration testing?
According to the NCSC (National Cyber Security Centre), a Penetration test is a method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.
To simplify it, Scott Cardow, Managing Director, and Jordan Carter, Penetration tester at Precursor Security, explain that a penetration test is a controlled attack against a system, service, or application using real-world attack techniques, with the aim of finding security vulnerabilities that may affect the organisations’ ability to maintain confidentiality, integrity or availability of its systems and data.
This is why it should only be performed by a suitably qualified Ethical Hacker and is done with the permissions and scope of the assessment agreed with the client.
‘Penetration test should be considered as being one of the key parts of an overall Security strategy.’
David Tyler, Penetration Tester & Cyber Risk and Compliance, adds that Penetration Testing is an authorized hacking assessment by Ethical Hackers where the test is given the clear scope of engagement and goals. This leads to a top-down assessment of the risks and vulnerabilities in the target’s environment.
Doing so provides the client with an actionable report which clearly defines risks and weaknesses.
Why is it essential?
Penetration Testing is as valid as it ever was and can be argued as being more required than ever, Jordan and Scott tell me.
Indeed, the number of cyberattacks on organisations is increasing year on year and various businesses of all sizes are being targeted by criminal hacking groups or nation-state actors. The approach to security has evolved over the last few years, however, to focus on having a year-round view of security and vulnerabilities as opposed to a singular Penetration Test is a point in time assessment, and therefore limited as regards ongoing view.
Hence, by performing a Penetration test to identify the vulnerabilities in a system/infrastructure, an organisation can take steps to remediate these weaknesses, in advance of a bad actor (hacker) finding and exploiting them for illegal purposes.
David underlines that penetration testing should be considered a part of the standard process for any changes or introductions in a network or code in an application. Every change can result in it large holes in the security of the organisation and its supporting infrastructure.
Penetration is only a part of the solution, training and the introduction of best practices from the start are necessary.
Jordan and Scott also point out that Penetration Testing is a very highly skilled undertaking and should be done only by suitably qualified organisations. CREST (Council for Registered Ethical Security Testers) is a UK not-for-profit organisation, where you can identify reputable cybersecurity consultancies and find lengthy resources on implementing a successful penetration testing program.
Further, they emphasise the importance of understanding the scope of the assessment you wish to undertake. The best way to do so is by having a conversation with the security consultancy and making sure all parties are aware of what is planned, that test coverage is as expected, and importantly that the required permissions are in place.
The best strategies
Penetration strategies can vary from one company to another, Jordan and Scott underline, but the fundamentals will remain. They suggest identifying and agreeing on the scope, on the test window, on any back-ups, which are required.
The test itself will utilise a combination of both automated and manual aspects and holds several steps as followed:
- Information Gathering
- Discovery and Scanning
- Vulnerability Assessment
- Final Analysis and Review
- Action the Testing Results
Then, they continue, the deliverable from the consultancy should give a detailed report listing the vulnerabilities they found. These are often scored using the CVSS method (common vulnerability scoring system). Finally, the report should also contain recommendations on how to best remediate the findings, either directly or via compensating controls.
Penetration Testing is essentially an Ethical Hacker using the same methodology and tools that a criminal hacker might use, David points out. It is not usually an actual simulation but rather a method to discover as many vulnerabilities as possible and how they can be exploited further to gain more information or get deeper into a network. Hence, the best strategy in using Penetration testing is not to view it as a simulation but to open the scope and testing as much as possible. Removing any barrier such as the firewall of WAF to help enable the Penetration Tester in discovering vulnerabilities is possible due to the fact it’s a timed exercise, but a real attack has as much time as they want.
It is also best to remember that a test is only a snapshot in time and that when new vulnerabilities and exploits are found so too can the risk. Hence, this is why annual testing is recommended.
According to Jordan and Scott, penetration is an excellent way to establish a baseline and to identify where weaknesses reside within the cyber defense of your organization.
It is also more and more frequently mandated by procurement teams when onboarding a service or product, with checks to make sure the service or product they are considering is regularly Pen tested. Besides, there are also other compliance drivers such as ISO27001, PCI/DSS amongst others.
Yet, the main benefit Pen testing brings is an understanding of how secure (or not) the test target is. This is critical considering that in current times it is a case of when an attack will happen, not just if.
David also emphasises that penetration testing can give the organisation a top-down overview of its infrastructure and associated risks. This enables planned fixes and mitigations to be put in place, this tends to be more cost-effective than waiting for a real hack to happen and the organisation being compromised.
… And the challenges
The challenges people find with Penetration Testing often start with being able to articulate the value of a test to decision-makers within their company.
Indeed, Jordan and Scott point out that many companies believe themselves to be too small to be hacked, and do not present an attractive target to hackers. Therefore, they claim to not feel they require a Pen test. This is not true at all and even the smallest of companies are now being hit with Ransomware and indiscriminate scanning and automated attacks by hackers looking for quick and easy targets to exploit!
On the contrary, they continue, challenges in Penetration Testing at a resource level are common, in that most organisations do not have an in-house security team qualified in Pen Testing.
The initial challenge is to find a consultancy you can trust to do the work fully. Recent times have seen some unscrupulous companies claiming they are doing Pen Testing, when in fact all they are doing is an automated vulnerability scan (which is obviously not a Pen Test!).
Moreover, there are also many challenges at a technical level that can vary depending on the type of test being performed. An External Web Application test is quite different from an internal Infrastructure test for example and requires different knowledge and skills.
They underline that testing is best performed in environments, which are representative of the Live estate, but this is often not available, so again the challenge for the Pen tester is to perform the test in a controlled manner, without impacting any service. It is a common misconception that Pen testing seeks to ‘take out’ a system. That is not the case, and in fact, a primary objective should be to cause no harm!
David adds that some organisations believe having it done once is enough. But as hacking tooling is improving and more vulnerabilities are appearing, new avenues of attack are always being found. Therefore, it should be used as part of continual improvement and not as a one-off.
The future of penetration testing
Jordan and Scott both believe that Penetration Testing will evolve in the years to come but will fundamentally remain as a key component of a strong overall security program.
‘Defence in depth is critical to remaining as secure as possible, and a Penetration Test will continue to form part of those efforts.’
David thinks that security testing, in general, will become more important as Governments impose stricter punishments should there be a compromise of customer data. Organisations will then have to decide how best to engrain security into their company lifecycle and culture.
Special thanks to Scott Cardow, Jordan Carter, and David Tyler for their insights on the topic!