What is Penetration Testing?
Cybersecurity should be front of mind for every organisation, especially in the wake of the current global pandemic. Our ways of working have changed immensely, with a surge in the volume of remote workers using different networks, devices, and platforms. Meanwhile, our businesses are using cloud computing and IoT technologies to facilitate new ways of working, reduce costs, and improve performance. The result is that the attack surface has increased, and with that comes an increase in the volume of cyber threats.
Cybercrime has been constantly rising over recent years with attacks becoming more frequent, varied, and sophisticated. The numbers speak for themselves. The Ponemon Institute’s 2019 data breach report showed the average cost of a breach to be a huge $3.92 million with costs lasting for years after the attack. Penetration testing mimics these cyberattacks, testing the security of an organisation and its ability to fight back. In this blog, Security Practice Director, Saaim Khan explains what penetration testing is, the different types of testing, and the benefits to an organisation.
What is Penetration Testing?
Penetration testing, otherwise known as pen testing, is a simulated cyber-attack. While every organisation will have security defences in place, they are often not tested until it’s too late – when a cybercriminal undertakes an attack. Penetration tests aim to:
● Discover weaknesses in infrastructure, applications, and people.
● Discover whether implemented controls are effective.
● Discover new bugs in existing software.
Ultimately, penetration testing is a security exercise that aims to identify weak spots that cyber threat actors could take advantage of. Once identified, it gives businesses the chance to remedy or patch these weaknesses and implement new security policies to ensure they are operating with an acceptable level of risk and in line with regulations and industry standards.
How is Penetration Testing Achieved/Performed?
Pen tests are generally carried out by outside contractors who have little knowledge of the system or organisation in question as they are more able to expose blind spots. Penetration testers, otherwise known as ethical hackers, can be experienced developers/security consultants or reformed criminal hackers. Regardless of who is carrying out the test, however, the process will include planning, reconnaissance, gaining access, and analysis.
After completing a penetration test, the ethical hacker will share their findings with the target company’s security professionals. The information can be used to improve security, patch vulnerabilities, and enforce tighter policies.
The Different Types of Penetration Testing
While all penetration testing follows stages of reconnaissance, attack, and analysis, there are different methods that can be used. This is, ultimately, the planning phase of a pen test, where the scope and testing methods are decided upon. The key types of penetration testing include:
- External testing – targeting a company’s external-facing assets such as the company website, email, and domain names servers. The aim is to assess the effectiveness of a company’s firewalls and other intrusion-prevention systems.
- Internal testing – targeting an application behind a company’s firewall, imitating an insider attack within the company’s internal network. The aim is to determine how much damage a disgruntled employee or malicious actor with stolen employee credentials could cause.
- White box testing – targeting a company with some information ahead of time regarding the target company’s security information. The aim is to simulate a malicious insider who has knowledge of the target system.
- Black box testing – targeting a business blindly with only the business name as a starting point. The aim is to imitate a real-time assault.
- Covert testing – targeting a business double-blind with no background information and the majority of the company, including the security professionals, having no prior knowledge of the attack. The aim is to simulate a real-world situation where the company isn’t expecting the breach to take place.
- Targeted testing – targeting a business with the security personnel’s knowledge, working together, and explaining each other’s movements. The aim is to create a valuable training exercise with real-time feedback from a hacker’s viewpoint.
The Benefits of Penetration Testing
According to PWC’s Global State of Information Security Survey, only 38% of organisations are prepared for a sophisticated cyber-attack. When this is coupled with the astoundingly high average cost of today’s data breaches, companies need to prepare themselves. By employing the services of pen testers, organisations can gain a fresh opinion, implement a combination of methodologies to simulate attacks, gain remediation advice, and fully evaluate their risk exposure to make informed business decisions.
Penetration testing is one of the most effective ways for companies to truly discover the vulnerabilities in their organisation and its security systems. However, pen testing isn’t a one-off activity, the cyber landscape is constantly evolving, and threats are becoming ever more sophisticated. Penetration testing should be used regularly to ensure cyber controls are working.
Until the end of June 2020, we will be running an exclusive offer on our Security Assurance services, including Penetration Testing. To find out more and assess the vulnerabilities in your security systems, get in touch today.
To understand a bit more about InfoTrust’s Security Assurance services click here.
see our
Related resources
In today’s digital age, we all use a vast amount of information to conduct our business activities, sharing, and interacting with data across multiple devices and networks. As such confidentiality, integrity and availability are key. You only have to look at recent news headlines to realise that even organisations with comprehensive security strategies are still vulnerable to cybersecurity breaches. Vulnerabilities can lie within the technology being used, the cyber-awareness of its employees, and the sophistication of attacks.
There are images of extensive, verbose documents, complex definitions, and eye-watering Excel sheets when the term GRC is mentioned. For the past two decades, GRC has been central to core business processes across many organisations at both ends of the enterprise spectrum, as well as in the small-to-medium business space in recent times.
But the world has moved on; organisations are forced to embrace digital disruption and agility if they haven’t done so whole-heartedly. And this very disruption is positioning GRC to become less-than-ideal to solve the challenges that said disruption brings with it.
Phishing attacks have increased dramatically over the last few years, with the global pandemic escalating the situation further. Cybercriminals take advantage of insecurities and fear and play on human nature to trick and deceive. In fact, according to the OAIC, phishing attacks that involved compromised credentials accounted for 30% of all cyber incidents in the first half of 2021. And human error formed a major source of these breaches. Unfortunately, due to the clever social engineering tactics used by cybercriminals, technical filters alone aren’t sufficient to protect against phishing.
Mimecast recently released its State of Email Security Report for 2021. The fifth edition of its annual report used interviews with over twelve hundred of information technology and cybersecurity professionals across the globe to gather vital cybersecurity insights. The report offers an insight into the latest email threats along with advice on how to build cyber resilience and mitigate the risks of email-borne attacks.
Secure Access Service Edge, better known as SASE (pronounced sassy – yes that is right) was one of the new security terms on the block in 2019. But it’s actually been around for some time, just without its official moniker. It is expected that by 2024, at least 40% of enterprises will have strategies in place to adopt SASE, according to Gartner.
In this post, Cloud Security Engineer, Will Michail takes a look at why its popularity is increasing now, what the term means and how vendors and organisations are utilising it to enable digital transformation.
We're Here To Help