Penetration testing and red teaming are vital tools in the fight against cybercrime – how can you use them safely in your business?
A crucial part of cyber security testing is breach testing. But due to its intrusive nature, it throws up ethical considerations and can be unpopular with employees. Covert operations can be particularly controversial and must be performed with care to make sure they are ethical, secure, appropriate, and constructive.
What are pen testing and red team testing?
Penetration testing (or pen testing for short) and red team testing are different forms of security testing performed by cyber security firms to find weaknesses in a client’s cyber security, advise the client and help mitigate these gaps.
Penetration testing aims to reveal security vulnerabilities in a system in a controlled and safe way. The testing usually focuses on specific targets, such as a website, external infrastructure, a particular office or mobile applications. This kind of testing helps organisations assess their current system security and evaluate the strength and efficiency of their security strategies.
Many advanced persistent threats (APTs) rely on poor security hygiene. In the latest US Center for Internet Security (CIS) Critical Controls, penetration testing is listed as a vital control against the most common threats from hackers, empowering organisations to “test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.”
Pen tests are usually carried out using a mixture of techniques. This includes semi-automated techniques such as vulnerability scanning, fuzzing (injecting invalid, malformed or unexpected inputs into a system) and port scanning to identify potential areas of weakness, combined with manual exploitation and investigation. This approach not only highlights weaknesses, but also helps to identify the level of risk associated with these weaknesses.
Red team testing is a more holistic approach to security testing. It looks at the organisation as a whole to identify weaknesses in areas like an HR or payroll system, and to test an organisation’s detection and response capabilities. This type of test can also involve a blue team trying to defend the system. The distinguishing feature of a red team test is the element of surprise: the defending in-house blue team has no advance warning and treats the attack as a genuine threat, providing a real-world test of the effectiveness of a company’s security.
Pen testing and cyber security ethics
When allowing a cyber security company to conduct penetration testing against your firm, you’re potentially exposing personal data and sensitive information. As with any service, third-party penetration testers can range from ultra-professional and secure to mediocre or, at worst, unskilled or actively corrupt. That’s why it’s so important that you check the credentials of your chosen provider, to satisfy yourself that they are ethical and professional.
A low-quality provider could miss certain vulnerabilities or weaknesses or damage important information. Even worse, a corrupt provider could reveal or abuse sensitive information for their own financial gain.
Red teaming and cyber security ethics
Employees of companies are often opposed to red team testing, finding it intrusive and threatening. The fact that external organisations deliver it seems particularly problematic: a survey reported by IT Pro revealed that employees were happier to conduct red team-style testing themselves, targeting colleagues, than to be on the receiving end of an external programme. Working with a reputable testing partner, who can help reassure staff and explain the purpose of the testing, can help to mitigate this challenge.
What to look for in a testing partner with strong cyber security ethics
With these risks in mind, take care when choosing a third-party partner to conduct either of these operations. There’s a variety of industry schemes that provide reassurance about the professionalism of a firm. The National Cyber Security Centre (NCSC) CHECK accreditation or the CREST accreditation gives reassurance that the cyber security specialist organisation employs skilled testers and has secure credentials and robust methodologies. CREST or Cyber Scheme Team Leader (CSTL) certifications demonstrate that individual testers meet high professional standards for pen testing. You can find out more about the value of external pen testing credentials in our separate blog.
For public sector and other highly regulated organisations, proof of HM Government security clearance is also vital. It offers assurance that the people you’re hiring are trusted to handle the most sensitive data.
Communication is key to maintaining employee confidence
Even with a highly trusted and expert cyber security partner, many employees find security testing intrusive, especially red team testing that’s launched covertly. Communication is key. While you need to make sure that red teaming is carried out in real-world conditions, you can brief and educate staff about the principles of your cyber security testing, so they understand its purpose and value.
We strongly advocate training and awareness for all employees covering cyber security best practice and their individual responsibilities for keeping data, technology and systems secure. A general briefing about cyber security testing and what your firm does could form part of this. That means everyone understands that red team testing and pen testing help to keep employee data, customer data and commercially sensitive data and communications secure, so everyone is protected.
It’s a good idea to have a documented cyber security policy, with clear rules of engagement that define what kind of invasive testing can be carried out. Describe how your organisation maintains confidentiality and ensures that the partner carrying out the testing is trustworthy and experienced.
The bottom line
You should always carry out intrusive testing in a responsible and ethical way, to protect your staff, customers, data and assets.
The ethics of cyber security testing are more challenging than you might think. Penetration testing and red team testing are both important weapons in the fight against cybercrime, but they’re only truly effective when carried out by a trusted and professional provider as part of a comprehensive and continually updated cyber security strategy, including staff training and communication.
To protect your business, work with a trusted and fully certificated provider like us. The cyber security team at Six Degrees can give you advice to suit your organisation and deliver cyber security strategy, implementation, testing and monitoring services to the highest industry standards. Get in touch with our experts to see how you can protect your organisation in an ethical, effective and secure way.