Streamline your cloud experience and maximise your cloud investment with Microsoft Azure-aligned public cloud services.
Host all of your workloads in the most appropriate location while experiencing the simplicity of one cloud from Six Degrees.
Enhance your cyber security and safeguard your organisation with our cyber security strategy and advisory, consultancy, and managed services.
Connect your business through a comprehensive connectivity portfolio delivered via our owned and operated core Next Generation Network (NGN).
Access the smarter, faster technology needed to make the most of your hybrid working future.
Streamline your hosting with comprehensive colocation services delivered from three UK data centres.
Gain clarity and control of your 5G estate, ensuring ongoing cost efficiencies are managed on your behalf through our managed service.
Gain confidence in your cloud direction and achieve accelerated time to value through our assured and optimised cloud services.
Master today’s complex threat landscape and protect your business with our intelligence-led security services.
Videos and webinars are a great way to digest the latest technology insights.
Our eBooks and whitepapers provide in-depth insights from our experts.
Our thought leaders publish regular blogs on up-to-the-minute topics.
Learn all about the latest news from Six Degrees as we continue to evolve.
We host regular in-person and virtual events for our clients.
Learn how we enable our clients to achieve more; providing superior secure solutions, powered by our passionate people.
We are proud to partner with many of the world’s leading vendors, enabling you to leverage our continual investment in difference-making technology.
Learn how CNS at Six Degrees delivers intelligence-led security services that protect organisations in today’s hostile landscape.
We are committed to operating in an environmentally and socially conscious way. Learn more about our commitments as a business.
We are proud of our secure cloud credentials. Learn why we’re one of the most highly accredited providers in the UK.
We are a friendly and passionate bunch here. Whether you want to work with us or for us, we think you’ll enjoy the Six Degrees experience.
Home » Blogs » Exploring the Role of Penetration Testing in Budget and Resource Allocation
2022 is shaping up to be another challenging year in the world of cyber security. At the time of writing the UK is holding its breath over whether current geopolitical events will result in mass cyber-attacks against organisations, which you can learn more about in our new webcast here.
Against this challenging backdrop, public sector organisations are facing a budget stretch that is forcing them to make tough decisions around where they allocate money. Budget needs to be found to protect organisations and the citizens they support from the never-more-present threat of cyber-attack, but is it simply a question of investing more, or can you achieve better protection by tuning your existing resources and investments?
In this blog we’ll explore the role of penetration testing in enabling public sector organisations to prioritise their budget and resource allocations as efficiently and effectively as possible.
Penetration testing (or pen testing) is an authorised, simulated cyber-attack on a system or network-wide IT infrastructure. The aim of penetration testing is to uncover weaknesses in a security system before malicious actors can. Penetration tests can be broken down roughly into several steps:
It is this last step – the remediation of vulnerabilities uncovered by the penetration testing process – that is so vital to budget and resource allocation. And as we’ll explore in the following section, contemporary penetration testing methods can provide more up-to-date guidance than those employed in the past.
The cyber security landscape has evolved significantly over the past decade, and our approach to operating within it has had to evolve, too. When the National Cyber Security Centre was founded in 2016, guidance and attitudes around penetration testing were very different to what we see today.
A decade ago, penetration tests were often seen as an annual exercise – one where any highlighted gaps in an organisation’s cyber security posture were addressed over the following 12 months ahead of the next annual test. Although undoubtedly of value, these tests lacked the agility and deep insight to truly have an impact on an organisation’s wider cyber security policy.
Fast-forward to today, and we’re in a very different world. Zero-day attacks, new ransomware strains and ever more malicious malware have left us in a continual state of alert; a state in which we need to prioritise defending our organisations today while preparing for whatever fresh attack methods we must face tomorrow.
In this world, the annual penetration testing tick box exercise no longer cuts it. Different types of penetration test align to different cyber security postures and organisational priorities, but one thing is clear: penetration testing in 2022 forms a key pillar of any organisation’s cyber security posture, and if you get it right your penetration testing schedule will help you identify where you face the highest risk – and put in the budget and resource to address it before it can be exploited.
Who are the people that carry out penetration testing? Aren’t they using the same methods that cybercriminals employ? Well, yes, they are. But they’re not being malicious when they do it. You may have heard the terms ethical hacker or white hat hacker, and these are the people who carry out penetration testing. Black hat hackers? Those are the bad guys.
All of the methods malicious black hat hackers use, penetration testers use as well. Phishing? Yep. Man-in-the-middle? Yep. Physically attending an organisation’s premises to try to gain access? Most certainly!
The difference is that whereas black hat hackers seek to find vulnerabilities and exploit them by launching ransomware and other cyber-attacks, penetration testers are searching for those same vulnerabilities but trying to help you identify and address them as quickly as possible.
So, who are penetration testers? They’re the good guys. Slightly edgy good guys with some sneaky tricks up their sleeves, but good guys nevertheless.
Given the size and complexity of the infrastructures we operate today, there are a number of types of penetration testing that exist to stress test the security of different elements. Depending on an organisation’s needs, one or more of these types can be used.
One of the most common types of penetration testing, network security penetration testing focuses on identifying the most exposed vulnerabilities and weaknesses in the network infrastructure of an organisation. This type of penetration testing has two subcategories — external network security and internal network security — each of which is part of a complete solution.
External network penetration testing works by mimicking an internet-based attacker and is focused on perimeter defence. Internal network penetration testing looks for weaknesses that could be exploited by a malicious internal attacker, or an external attacker who has already breached the network perimeter.
This form of penetration testing is used to discover vulnerabilities and weaknesses in web-based applications. For this reason, it uses different techniques that attempt to break into the web application itself.
The growing use of mobile applications within organisations has given rise to a whole new category of mobile application penetration testing. The unique nature of mobile operating systems and the ways in which mobile apps interact with wider networks makes this a distinct type of penetration testing when compared to other types of web apps.
Wi-Fi penetration testing identifies and examines the connections between all devices connected to an organisation’s Wi-Fi network. These devices can include laptops, tablets, smartphones, and any other connected devices. However, what makes this type of penetration test unique is the focus on the connection between these devices (the over-the-air part), and focuses on things like encryption, Wi-Fi settings, configuration and more to ensure a secure connection.
With this form of penetration testing, a tester tries to persuade users into giving them sensitive information like usernames and passwords. This testing can include phishing attacks, vishing, and tailgating to impostors and eavesdropping.
Physical security penetration testing simulates a real-world threat where a penetration tester attempts to compromise physical barriers to gain access to an organisation’s infrastructure, buildings, systems, or employees.w
Your infrastructure has never been bigger and more complex, and that means that your attack surface – the area through which hackers can attack you – has never been bigger. Prioritising budget and resource allocation towards the areas that need most attention is critical to maintaining a strong cyber security posture, and the different types of penetration testing available to you will make that process significantly easier.
Here’s some food for thought around how different types of penetration testing could be relevant to your public sector organisation:
Different types of penetration testing apply to different scenarios. Not every organisation will use every type of penetration testing, whereas others may need them all. It’s important that you think carefully about what security testing you want to do and the requirements for your organisation; in this way you can apply what you learn to your budget and resource allocation.
Note: If you need support understanding where to start, Six Degrees can help. Get in touch to speak to one of our experts today.
Penetration tests identify a wide range of vulnerabilities and enable organisations to optimise budget and resource deployment in order to address them. The most effective forms of penetration testing require the right tools and the right kinds of talented teams (those ethical hackers we talked about earlier) operating these tools. Working with an experienced cyber security partner gives you access to the kinds of tools and levels of experience you would struggle to achieve in-house.
At Six Degrees, we’ve been helping organisations confront cyber security challenges for over 15 years. While cyber threats are always developing, our experience and industry presence is testament to our ability to stay ahead of emerging threats. Our expert penetration testers are complemented by fully-accredited cyber security consultants and managed security services delivered 24×7 from our SC-cleared, UK-onshore SOC, combining to deliver an end-to-end cyber security package that enables public sector organisations to protect their staff and citizens by achieving defence-in-depth.
And right now, we’re offering a discounted to rate to UK public sector organisations for some of our key services. Check out our cyber security offerings here.
If you’re struggling to get buy-in from your…
Local authorities are operating in a hostile digital…
More information on our Privacy and Cookies Policy can be found here: https://www.6dg.co.uk/privacy-cookies/. You can update how we contact you in the future by visiting our Communications Preference Centre here: https://www.6dg.co.uk/preference-centre/.
