Around 88% of all companies in the UK and Europe have suffered cyber security breaches in the last twelve months alone, and the public sector is under just as much threat.[1]
Perhaps more worryingly, the average cyber security breach takes around 280 days to identify and contain.[2] Even a minor security breach can become a major issue if left to fester unaddressed.
The threat landscape never stands still. New threats, technologies, techniques and tactics are emerging daily. Pair these developments with the challenges of remote and hybrid working, and the increased reliance on BYOD, and it’s become critical for many organisations to rethink best practices. What’s needed is greater visibility over more robust and flexible solutions.
Penetration testing is a critical tool for the identification of vulnerabilities and assessment of how current defensive measures stand up against evolving offensive capabilities. Both regular and periodic pen tests of different kinds should be deployed within your cyber security strategy. In this article we’ll discuss penetration testing as a concept, look at some of the various forms it can take, and explore the importance of these proactive security strategies to positive cyber security outcomes.
Additional resources: Gaining the support and resources necessary to engage in proactive cyber security measures like pen testing isn’t always straightforward. If you want help explaining the value of cyber security within your organisation, check out our Board Presentation Toolkit: Cyber Security and Threat Management.
What is Penetration Testing?
Penetration testing (or pen testing) is best understood as an authorised, simulated cyber-attack on a system or network-wide IT infrastructure. The aim of pen testing is to uncover weaknesses in a security system before malicious entities can. Pen tests can be roughly broken down into a number of steps:
- Initial reconnaissance: The security capabilities of a network or system are assessed, and the code of a site or application is analysed and probed for potential responses.
- Analysis and planning: In light of this probing, pen testers will determine what cyber-attacks are viable, and whether these intrusions can be maintained (a persistent malicious presence, for example, allows in-depth access and greater damage).
- Testing: Attacks will then be carried out by the pen testers. The types of attack will depend on the insights of previous stages, but can involve things like harvesting data and escalating internal privileges.
- Remediation: These attacks provide a more precise picture of an organisation’s vulnerabilities. Pen testers will then augment the efforts of an organisation’s security and IT teams and capacities, secure vulnerabilities, and if necessary, re-run the pen testing process.
The Importance of Pen Testing
The extreme likelihood and potential severity of a cyber-attack is not something that should be overlooked. Past security doesn’t negate future vulnerabilities, and pen tests are designed to expose older and newer weaknesses alike so that they can be patched. Pen testing allows you to:
- Identify areas for improvement: Pen tests let you determine which kinds of security weaknesses are present in your organisation, as well as individual implications of these weaknesses.
- Know your enemy: Develop a clearer understanding of how best to handle malicious cyber entities as and when they occur.
- Account for vulnerabilities: Ensure post-patching that the controls implemented actually secure isolated vulnerabilities.
- Be compliant: Satisfy (once secure) any legal cyber security requirements associated with your industry, granting an added peace of mind to future operations.
- Realign your organisation: Focus on doing what you do best! An investment in cyber security allows you to improve your working methods, enhancing commercial outcomes.
Simply waiting for an attack to occur in order to then respond is both an outdated and dangerous approach. Proactive cyber security in the form of pen testing represents an active shift away from this way of thinking, and moves more towards a security approach that can pre-empt and deal with increasingly sophisticated intrusions.
Different Types of Pen Testing
Pen testing comes in various forms, with each providing its own benefits to organisations. Here we’ll briefly discuss five different types of pen testing.
- Web application: Pen testing here, unsurprisingly, is designed to uncover the weaknesses of web applications. This form of application-based pen testing is also partially related to mobile applications, which is particularly important given the steady rise of mobile applications and operating systems within organisations.
- Client applications: This form of pen testing aims to discover security flaws on the client’s side of things. Vulnerability testing here encompasses things like web browsers and email applications, but of course extends to whatever programmes the client is using.
- Wireless security: Wireless pen testing focuses on Wi-Fi networks and all devices (smartphones, laptops, etc.) connected to them. The standout feature of these tests is that they also centre around connections between devices, ensuring secure connections with focus on things like encryption and configuration — crucial for BYOD operations.
- Social engineering attempts: Here testers attempt to manipulate employees into providing sensitive information. Common methods are things like phishing, but can also include workspace eavesdropping and posing as other employees. Given the tendency for human error, it’s important to assess how employees might be exploited and to train and patch accordingly.
- Physical testing: This form of testing simulates physical security threats. Pen testers here look to infiltrate an organisation’s infrastructure, networks, and devices by overcoming physical barriers. Threats like this are more common than you might think, something truly holistic security measures should take into account.
Though pen testing is designed to enhance an organisation’s IT and security infrastructure, sometimes effective testing requires that the organisation has varying levels of input in the penetration process. Briefly consider three levels of variation:
- Black box pen testing: Here, pen testers are given extremely limited information about an organisation’s infrastructure. One considerable benefit of black box testing is that it best resembles real-world attacks conducted by mostly uninformed actors.
- White box pen testing: Testers are granted full access to the features of IT infrastructure. Though this might be less realistic than black box testing, the white box pen tester can deliver a more thorough analysis of your organisation’s vulnerabilities.
- Grey box pen testing: A combination of the above. Testers having partial insight into networks and infrastructure might be best suited to test more specific weaknesses.
Some organisations will require a near total mixture of these methods, whereas other organisations might only need a select few for their security purposes. It’s important to tailor these methods to your organisation specifically.
Suggested reading: For further information on the nuances of penetration testing see our blog — Penetration Testing Best Practices in 2021
You Need to Go Beyond Pen Testing Basics
Standard pen testing is obviously superior to just waiting for the next attack. However, there are more sophisticated approaches that combine a number of elements discussed so far — and can take your pen testing outcomes to the next level. This methodology is often called red teaming, and seeks to replicate a real-world attack in great detail.
- Standard pen tests: Standard pen testing operations locate where you might be attacked in relation to your network, application, and device security. Focus then turns to likely attacks, how good your security is at repelling these attacks, and how severe — if breached — these attacks will be. As we’ve seen, the goal here is to identify and remedy weaknesses.
- Red teaming: Red team pen testing has narrower objectives, and seeks out these objectives using a wider range of techniques. For example, a red team attack might include a combination of network service attacks and social engineering attacks in order to simultaneously assess vulnerabilities. Similarly, the relevant organisation is often not notified in advance — adding to the realism of the simulated attack. Subsequent attacks are stealthier, and provide deeper insight into realistic risks and vulnerabilities.
The importance of each
Though red teaming can be characterised as a step above standard pen testing methods, the combination of both is best suited for optimal results. Standard penetration testing offers a broad view of security issues, whereas the narrower objectives of red teaming provide a deeper understanding (rather than breadth) and propose specific actionable insights.
Opting for red team pen testing after standard testing (and a patching of vulnerabilities) will reveal precisely how watertight an organisation is when faced with attacks resembling real-world threats. Successful combination of the two approaches provides:
- A broad and deep view of security issues.
- An accurate understanding of how your organisation will respond to real attacks.
- The ability to develop proactive strategies for attacks — again, crucial in the context of the evolving cyber threat landscape.
- Higher returns on security investment. By avoiding the consequences of breaches you’ll be better suited to focus on commercial outcomes.
Despite the wealth of benefits that pen testing can provide, any robust pen testing strategy (particularly those which factor in more in-depth red teaming approaches) requires individuals with expertise and knowledge, alongside both time and resources.
Getting Help Can Ensure the Outcomes You Need
Pen tests identify a wide range of vulnerabilities and offer proactive solutions for remedying them. This brings a great deal of utility to organisations who not only wish to remain secure in the continually developing threat landscape, but who also wish to enhance their commercial operations and returns on security investment.
But as we’ve established, the most effective forms of pen testing require the right tools and the right kinds of talented teams operating these tools. Partnering with a cyber security service provider can allow you to have expertise on-demand, and only the skills and technology which you actually need.
At Six Degrees, we’ve been helping organisations confront cyber security challenges for over 15 years, and while cyber threats are always developing, our experience and industry presence is testament to our ability to stay ahead of emerging threats. Our use of expert pen testers and automated systems provides vigorous security measures, all while offering flexibly deployable resources — lowering costs.
Stay focused on outcomes, grow your operations, and remain secure whilst doing so. Every organisation is unique, and you need solutions built for you. If this sounds like something your organisation can benefit from, get in touch and speak with an expert today.