Penetration Testing Best Practices in 2021

2020 elevated the risk landscape. Uncertainty, fear, new ways of working and remote communication have all created new cyber security threats and contributed to cyber security trends and cybercrime trends that need to be taken into account. 

The reality that businesses must face is that it’s increasingly possible for less sophisticated attackers to carry out sophisticated cyber-attacks. It’s important to now guard against COVID-themed attacks involving phishing emails that impersonate government organisations, and a sharp rise in malware and ransomware.  

Put simply, with more people working online, shopping online, and finding entertainment online, it’s time to take a serious look at the most effective strategies to combat the new breed of cyber-threats that have arisen. Pen testing plays an invaluable role.

In this post, we’ll look at some of the penetration testing strategies you can use to ensure your business’ data security and information security stays intact. Let’s get started.  

Additional resources: If you need help explaining the value of cyber security to leadership, check out our free resource — Board Presentation Toolkit: Cyber Security and Threat Management 

What Is Pen Testing?

Penetration testing, or pen testing, is an authorised simulated cyber-attack on a computer system or network that is performed to evaluate the security of the system and to identify any security vulnerabilities. In simpler terms, it’s a simulated attack exercise where a cyber security expert attempts to find and exploit security vulnerabilities in your computer systems through the use of a testing process. The goal is to rectify and improve your security in order to prevent unauthorised access by malicious actors. 

Different Types of Pen Testing

There are various types of pen testing in use today. Depending on the requirements of an organisation and its needs, one or more of these types can be used. 

  • Network security: One of the most common types of pen testing, network security pen testing focuses on identifying the most exposed vulnerabilities and weaknesses in the network infrastructure of an organisation. This type of pen testing has two subcategories — external network security and internal network security — each of which is part of a complete solution. 

External network pen testing focuses on mimicking an internet-based attacker, and is focused on perimeter defence. Internal network pen testing looks for weaknesses that could be exploited by a malicious internal attacker, or an external attacker who has already breached the network perimeter.   

  • Web security: This form of pen testing is used to discover vulnerabilities and weaknesses in web-based applications. For this reason, it uses different techniques that attempt to break into the web application itself. Again, there are a number of subcategories of web security pen testing that are important to consider depending on the type of application in question. For example, web apps, API testing, service testing and more.

  • Mobile applications: The growing use of mobile applications within businesses has given rise to a whole new category of mobile application pen testing. The unique nature of mobile operating systems and the ways in which mobile apps interact with wider networks makes this a distinct type of pen testing when compared to other types of web apps. 

Fundamentally, this is an important category of pen testing if mobile apps are used within your business environment — regardless of other types of pen testing that have already been undertaken.  

  • Client applications: Client-side pen testing is used to discover client-side security issues, security vulnerabilities or weaknesses in applications like email clients, web browsers, productivity software, and more. Ultimately, this is a broad term that covers a range of specific types of pen tests, each of which will be specific to the client-side programs in question.

  • Wireless security: Wi-Fi pen testing identifies and examines the connections between all devices connected to an organisation’s Wi-Fi network. These devices can include anything from laptops, tablets, smartphones, and any other connected devices. However, what makes this type of pen test unique is the focus on the connection between these devices (the over-the-air part), and focuses on things like encryption, Wi-Fi settings, configuration and more to ensure a secure connection.

  • Social engineering attempts: With this form of pen testing a tester tries to persuade or trick users into giving them sensitive information like usernames and passwords. This testing can include anything from phishing attacks, vishing, and tailgating to impostors and eavesdropping.

  • Physical testing: Physical security pen testing simulates a real-world threat where a penetration tester attempts to compromise physical barriers to gain access to an organisation’s infrastructure, buildings, systems, or employees.    

Different types of penetration testing apply to different scenarios, and not every organisation will use every type of pen testing, whereas others may need them all. It’s important that you think carefully about what security testing you want to do and the requirements for your organisation.     

pen testing toolkit CTA

Different Strategies for Effective Pen Testing 

Just like there are various types of pen tests, there are also different strategies for effective pen testing. These can include anything from red teaming to black, white, and grey box testing. Here, we’ll look at these strategies in more detail.

Red teaming vs Standard pen testing 

A typical standard pen testing operation will generally look at where a hacker might target you, how they would attack, how good your defences are, and how big the breach could be. During these simulated attacks, the goal is to identify flaws in your security and let you view your network, application, device, and physical security through the eyes of a hacker.  

Pro tip: In a sense, you can consider standard pen testing as basic pen testing; although it lets you find vulnerabilities, you can improve on it. And this is where red teaming comes in.  

Instead of going through your various systems methodically, red teaming focuses on stealthy, multi-faceted, controlled attacks. These pen testing operations have narrower objectives than a standard pen testing approach and they take a simultaneous approach to testing your security vulnerabilities. 

For instance, a red teaming pen test can launch social engineering and network services attacks at the same time, while avoiding detection. Their security assessment gives you a deeper understanding of the realistic level of risk and vulnerabilities your organisation faces. Understandably, this approach involves more people, resources, and time to implement — as well as expertise. 

The key here is that you don’t choose one or the other, but that you do both for the best results. This is simply because standard penetration testing will give you a broader view of your security vulnerabilities and how to solve them, while red teaming gives you a deeper understanding with more actionable insights.      

Black, white, and grey box testing  

Standard pen testing can also differ in its approach, and in the weaknesses it wants to exploit. Ultimately, the level of information provided to the pen tester will determine the approach they will take.   

The different approaches to pen testing include:

  • Black box: Also known as external pen testing, here the pen tester is given little to no information about your IT infrastructure. The benefit of black box pen testing is that it simulates real-world attacks where the pen tester takes on the role of an uninformed attacker.

  • White box: In contrast with black box pen testing, the attacker has full knowledge and access to the source code and environment of your IT infrastructure with white box pen testing. As a result, the testing is more thorough because the pen tester has access to areas where the black box tester doesn’t.

  • Grey box: Almost a combination of black box and white box pen testing, during a grey box pen testing test, the pen tester has partial knowledge or access to your network or infrastructure. 

In-house vs outsourced pen testing

Building an in-house pen testing team can be a good option long-term. However, it doesn’t always make sense to invest significant resources into cyber security assets that you will only use sporadically. Only businesses with regular and ongoing pen testing requirements really benefit from in-house expertise. 

In addition to helping you overcome the very real cyber security skills shortage, partnering with a penetration testing security provider can deliver access to more resources at lower cost — helping you avoid investing in costly infrastructure that you don’t actually need. Critical benefits to outsourcing pen testing include: 

  • More talent: When outsourcing, you always have access to the best talent, which means you have access to security professionals with the right skill sets for your needs.

  • Better quality: Because an external company usually employs testers who are experts in a variety of testing methodologies and principles, you’ll ultimately achieve better quality in your testing processes.

  • Business assurance: Many outsourcing companies are meeting the needs and expectations of organisations that testing services be more linked to business process effectiveness.

The way to outsource your penetration testing is to leverage creative partnerships with managed service providers. They can deliver a more efficient way to scale, and better access to skills on-demand. This means they reduce the number of people you need to hire full-time and simplify your hiring process for in-house security teams, while still helping you rise to meet your short and long-term cyber security challenges.    

By using a managed service, you’ll effectively:

  • Avoid the cyber security skills shortage.
  • Get on-demand access to expertise.
  • Gain better access to information.
  • Stay focused on your customers.  
  • Grow your brand.

In simple terms, by partnering with a managed service provider or cyber security experts, you can leave the security up to them and focus on your real core competencies — offering excellent customer services or delivering your product.

Strategic Partners Can Help

The benefits you get by partnering with a managed service provider are difficult to ignore, especially when it comes to your information and data security.  

Six Degrees delivers end-to-end managed cyber security services that can protect your business from the threats that exist from malicious and accidental data breaches. Our range of security services protect your business assets whenever they’re vulnerable or exposed to the threat of an attack.

Our pen testing services also combine the benefits of manual pen testing with the continual protection of automated systems, and we have some of the most revered pen testers in the industry to ensure that your business maintains a robust security posture. Get in touch if you want help exploring pen testing best practices in the specific context of your business.

pen testing

Subscribe to the newsletter today

Related posts

Journey to SaaS: The Six Rs of Application Modernisation

Journey to SaaS: The Six Rs of

There’s more than one way to modernise an

Five Underestimated Consequences of a Data Breach

Five Underestimated Consequences of a Data Breach

Over the last few years, it’s been difficult

MCSS: Decrypting Minimum Cyber Security Standards Best Practices and Guidelines

MCSS: Decrypting Minimum Cyber Security Standards Best

2008 legislation that requires all UK public sector

Supply Chain Security 101: Reduce Risk to Your Manufacturing Business

Supply Chain Security 101: Reduce Risk to

You’ve probably heard the term ‘supply chain security’

Like this article?

Share on facebook
Share on twitter
Share on linkedin