Exploring the Role of Penetration Testing in Budget and Resource Allocation

With public sector budgets stretched and resources at a premium, how can you ensure you’re focusing your efforts in the most impactful areas? In this blog we’ll explore the essential role penetration testing plays in enabling organisations to deploy their security resources to greatest effect, saving wasted effort and optimising security.

2022 is shaping up to be another challenging year in the world of cyber security. At the time of writing the UK is holding its breath over whether current geopolitical events will result in mass cyber-attacks against organisations, which you can learn more about in our new webcast here.

Against this challenging backdrop, public sector organisations are facing a budget stretch that is forcing them to make tough decisions around where they allocate money. Budget needs to be found to protect organisations and the citizens they support from the never-more-present threat of cyber-attack, but is it simply a question of investing more, or can you achieve better protection by tuning your existing resources and investments?

In this blog we’ll explore the role of penetration testing in enabling public sector organisations to prioritise their budget and resource allocations as efficiently and effectively as possible.

What is Penetration Testing?

Penetration testing (or pen testing) is an authorised, simulated cyber-attack on a system or network-wide IT infrastructure. The aim of penetration testing is to uncover weaknesses in a security system before malicious actors can. Penetration tests can be broken down roughly into several steps:

  • Initial reconnaissance. The security capabilities of the network or system are assessed, and the site or application code is probed to see how it responds.
  • Analysis and planning. In light of this probing, penetration testers will determine what cyber-attacks are viable, and whether these intrusions can be maintained (a persistent malicious presence, for example, allows in-depth access and greater damage).
  • Testing. Attacks will then be carried out by the penetration testers. The types of attack will depend on the insights of previous stages but can involve techniques such as harvesting data and escalating internal privileges.
  • Remediation. These attacks provide a more precise picture of an organisation’s vulnerabilities. Penetration testers then work alongside the organisation’s security and IT teams to fix the vulnerabilities found and, if necessary, re-run the penetration testing process to confirm the fixes.

It is this last step – the remediation of vulnerabilities uncovered by the penetration testing process – that is so vital to budget and resource allocation. And as we’ll explore in the following section, contemporary penetration testing methods can provide more up-to-date guidance than those employed in the past.

How the Penetration Testing Narrative Has Changed

The cyber security landscape has evolved significantly over the past decade, and our approach to operating within it has had to evolve, too. When the National Cyber Security Centre was founded in 2016, guidance and attitudes around penetration testing were very different to what we see today.

A decade ago, penetration tests were often seen as an annual exercise – one where any highlighted gaps in an organisation’s cyber security posture were addressed over the following 12 months ahead of the next annual test. Although undoubtedly of value, these tests lacked the agility and deep insight to truly have an impact on an organisation’s wider cyber security policy.

Fast-forward to today, and we’re in a very different world. Zero-day attacks, new ransomware strains and ever more malicious malware have left us in a continual state of alert; a state in which we need to prioritise defending our organisations today while preparing for whatever fresh attack methods we must face tomorrow.

In this world, the annual penetration testing tick box exercise no longer cuts it. Different types of penetration test align to different cyber security postures and organisational priorities, but one thing is clear: penetration testing in 2022 forms a key pillar of any organisation’s cyber security posture, and if you get it right your penetration testing schedule will help you identify where you face the highest risk – and put in the budget and resource to address it before it can be exploited.

Who Are Penetration Testers?

Who are the people that carry out penetration testing? Aren’t they using the same methods that cybercriminals employ? Well, yes, they are. But they’re not being malicious when they do it. You may have heard the terms ethical hacker or white hat hacker, and these are the people who carry out penetration testing. Black hat hackers? Those are the bad guys.

All of the methods malicious black hat hackers use, penetration testers use as well. Phishing? Yep. Man-in-the-middle? Yep. Physically attending an organisation’s premises to try to gain access? Most certainly!

The difference is that whereas black hat hackers seek to find vulnerabilities and exploit them by launching ransomware and other cyber-attacks, penetration testers are searching for those same vulnerabilities but trying to help you identify and address them as quickly as possible.

So, who are penetration testers? They’re the good guys. Slightly edgy good guys with some sneaky tricks up their sleeves, but good guys nevertheless.

Types of Penetration Testing

Given the size and complexity of the infrastructures we operate today, there are a number of types of penetration testing that exist to stress test the security of different elements. Depending on an organisation’s needs, one or more of these types can be used.

Network Security

One of the most common types of penetration testing, network security penetration testing focuses on identifying the most exposed vulnerabilities and weaknesses in the network infrastructure of an organisation. This type of penetration testing has two subcategories — external network security and internal network security — each of which is part of a complete solution.

External network penetration testing works by mimicking an internet-based attacker and is focused on perimeter defence. Internal network penetration testing looks for weaknesses that could be exploited by a malicious internal attacker, or an external attacker who has already breached the network perimeter.

Web Security

This form of penetration testing is used to discover vulnerabilities and weaknesses in web-based applications. For this reason, it uses different techniques that attempt to break into the web application itself.

Mobile Applications

The growing use of mobile applications within organisations has given rise to a whole new category of mobile application penetration testing. The unique nature of mobile operating systems, and the ways in which mobile apps interact with wider networks, make this a distinct type of penetration testing when compared to web application testing.

Wi-Fi Testing

Wi-Fi penetration testing identifies and examines the connections between all devices on an organisation’s Wi-Fi network. These devices can include laptops, tablets, smartphones, and any other connected devices. What makes this type of penetration test unique is its focus on the over-the-air connection between these devices and the network: it examines encryption, Wi-Fi settings, configuration and more to ensure the connection is secure.

Social Engineering Attempts

With this form of penetration testing, a tester tries to persuade users into giving them sensitive information such as usernames and passwords. This testing can include phishing, vishing, tailgating, impersonation and eavesdropping.

Physical Testing

Physical security penetration testing simulates a real-world threat where a penetration tester attempts to compromise physical barriers to gain access to an organisation’s infrastructure, buildings, systems, or employees.

Defining Your Budget and Resource Allocation

Your infrastructure has never been bigger and more complex, and that means that your attack surface – the area through which hackers can attack you – has never been bigger. Prioritising budget and resource allocation towards the areas that need most attention is critical to maintaining a strong cyber security posture, and the different types of penetration testing available to you will make that process significantly easier.

Here’s some food for thought around how different types of penetration testing could be relevant to your public sector organisation:

  • Network security. Network security penetration testing is pretty much a non-negotiable for any public sector organisation, as staff and citizens will all engage with some part of the organisation’s network.
  • Web security. Organisations throughout local and central government are interacting with citizens more and more through web-based applications – just think about how you pay your council tax, register to vote, or book a vaccination appointment. Identifying and allocating resources to address vulnerabilities is crucial to maintain both operational integrity and public trust.
  • Mobile applications. Like with web security, mobile applications form a more and more fundamental role in citizen engagement. They must be treated as a cyber security priority.
  • Wi-Fi testing. If staff and citizens are visiting your operating locations and connecting to the onsite Wi-Fi you provide, it’s important to carry out wireless security penetration testing to ensure connections can’t be compromised.
  • Social engineering attempts. UK public sector organisations are under constant attack by malicious actors attempting to disrupt services and cause disarray. By mimicking the attack methods they use, you can identify areas of weakness in your people, processes and systems and address them through training and the introduction of methods such as multi-factor authentication in order to make them harder to exploit.
  • Physical testing. This can be a fun one. Our penetration testers have used all sorts of methods to access organisations’ premises – including dressing as construction workers, creating fake ID cards, and even just strolling in with a confident air! It’s also important though, especially given the many different people who will enter and leave local and central government premises on an hourly basis.

Different types of penetration testing apply to different scenarios. Not every organisation will use every type of penetration testing, whereas others may need them all. It’s important that you think carefully about what security testing you want to do and the requirements for your organisation; in this way you can apply what you learn to your budget and resource allocation.

Note: If you need support understanding where to start, Six Degrees can help. Get in touch to speak to one of our experts today.

In Summary

Penetration tests identify a wide range of vulnerabilities and enable organisations to optimise budget and resource deployment in order to address them. The most effective forms of penetration testing require the right tools and the right kinds of talented teams (those ethical hackers we talked about earlier) operating these tools. Working with an experienced cyber security partner gives you access to the kinds of tools and levels of experience you would struggle to achieve in-house.

At Six Degrees, we’ve been helping organisations confront cyber security challenges for over 15 years. While cyber threats are always developing, our experience and industry presence is testament to our ability to stay ahead of emerging threats. Our expert penetration testers are complemented by fully-accredited cyber security consultants and managed security services delivered 24×7 from our SC-cleared, UK-onshore SOC, combining to deliver an end-to-end cyber security package that enables public sector organisations to protect their staff and citizens by achieving defence-in-depth.

And right now, we’re offering a discounted rate to UK public sector organisations for some of our key services. Check out our cyber security offerings here.