In today’s hostile digital landscape, businesses must identify and address gaps in their cyber security postures. This blog explains what penetration testing is, types of penetration testing, and why it’s so important for all businesses.
Penetration testing or ‘pen testing’ is the activity of a planned and simulated cyber-attack against a computer system to test its security systems and find potential vulnerabilities. The attack is conducted using the same methods, tools and techniques that would be used in a real attack through the use of ethical hacking.
The purpose of penetration testing is to test known vulnerabilities in the system, and find any other potential weaknesses and how exploitable they are when faced with an attack.
Penetration testing shares similarities with vulnerability scanning and red teaming, but is a different process with different aims. Vulnerability scanning is only for discovering vulnerabilities, rather than testing how exploitable they are during a real attack, making pen testing a more comprehensive method.
Red teaming, on the other hand, better simulates a real-world attack. It occurs within a planned window but without notice of when the actual attack will occur. This means that the administrators of the computer system are not aware of when specifically the attack will occur – while penetration tests are scheduled specifically beforehand and are performed in conjunction with the business.
Why Conduct a Pen Test?
Conducting penetration tests is critical as it allows organisations to test known vulnerabilities, find new vulnerabilities they wouldn’t have otherwise known about, and test system security to improve their assessment of the system and strengthen their overall cyber security posture.
By testing, organisations can find new or hidden vulnerabilities faster and gain a better understanding of how they can improve their own security from potential attacks. Testing with this aim can also help meet cyber security regulatory requirements around regular testing and validation, and as a result help establish trust with customers by decreasing the risk of potential breaches.
When Should You Undertake a Penetration Test?
Penetration testing should be conducted both situationally and on a consistent schedule.
Testing should occur both before and after key system changes that may affect your cyber security setup, such as important software updates, the deployment of new systems, or the introduction of new security features. They should also be conducted after any key event, for example after a genuine cyber-attack to validate any fixes or discover more about how vulnerabilities were exploited.
A consistent schedule of penetration testing is also critical for ensuring the continued security of a system. The cadence of this depends on the organisation and their systems, but monthly, quarterly, or yearly penetration testing schedules are commonly used. A test can only validate the security of a system in the exact conditions of the day it is performed, so a higher frequency of tests means more conditions can be tested and more vulnerabilities exposed. Regular tests can be conducted through a penetration testing service.
Who Performs Penetration Testing?
A number of different professionals can undertake penetration testing for organisations and businesses. As the skills required for penetration tests are unique and specialist, and as it is better for testers to know as little as possible about the system they are attacking, the best penetration testers are not typically found within an in-house cyber security team.
Complex developer skills and knowledge of cyber security are required for quality penetration testing. Certified individuals can operate as ethical hackers, who can be engaged to perform penetration tests, with both self-taught and traditionally educated testers available. Cyber security specialists like Six Degrees also have the skills to perform penetration tests and help validate security measures for businesses.
However, it is important to check that testers are correctly certified – in the UK, that means certification from the likes of the Council of Registered Ethical Security Testers (CREST) and membership to the CHECK penetration testing scheme from the NCSC.
What are the Different Types of Penetration Test?
Infrastructure Penetration Testing
Infrastructure pen testing is focused on testing system or network infrastructure. These targeted infrastructure assets include the likes of servers, internet routers, and individual computer systems or websites. This variant of testing helps mitigate vulnerabilities to threats that might affect an entire infrastructure or network – such as ransomware.
Application Penetration Testing
Through application penetration testing, vulnerabilities can be tested within applications and software, including web applications, mobile applications, cloud applications and APIs. This ensures that both internal and external application interfaces are built securely.
Cloud Penetration Testing
Cloud penetration testing is performed on infrastructure or systems that are hosted in the cloud. As cloud-based systems usually have unique construction, cloud testing allows focused validation of systems on public cloud platforms such as AWS and Azure.
External Vulnerability Scanning
External vulnerability scanning is an automated scan that seeks to find external-facing vulnerabilities in a cyber security framework for further investigation through penetration tests. Regular scanning can provide a greater level of assurance around the security of internet-facing hosts.
NCSC ITHC and PCI ASV Scanning
NCSC ITHC pen testing and PCI ASV scanning are conducted to provide organisations with the relevant information and documentation needed to provide evidence against the compliance and accreditation standards for the UK’s cyber security regulatory body, the NCSC.
Penetration Testing as a Service
Penetration Testing as a Service allows organisations to test a given environment on demand as and when there is a need. It provides regular, proportionate testing and enhanced security posture visibility that is easy to view and deploy to ensure that an organisation can identify and understand the severity of any gaps and prioritise remediation accordingly.
Phishing and Scenario Testing
With Phishing and Scenario Testing, organisations can understand their susceptibility to phishing campaigns and better understand the effectiveness of their cyber security training and whether there is an adverse risk from specific scenarios.
Red Teaming
A comprehensive test of an organisation’s cyber security posture, Red Teaming provides useful insights by taking a real-world approach to cyber-attacks and infiltration, using the range of sophisticated techniques that real hackers use, to give more visibility of cyber security vulnerabilities.
The Penetration Testing Process: Setting Scope, Methodologies and Process
Correct planning and scoping are essential for successful penetration testing. Without planning, you may miss vulnerabilities or fail to properly test the security of your system. Setting clear parameters helps provide relevant outcomes for your testing aims. First, define the scope the test will take – where precisely you will test – and select appropriate testing methodologies for the areas selected. A standardised testing process helps you discover vulnerabilities, test your security and apply best practices for penetration testing.
How is a Penetration Test Conducted?
A penetration test is conducted in multiple stages:
- Pre-engagement phase: The goal, scope and parameters of the test are set, and the testing method that will be used is defined.
- Reconnaissance and information gathering: The testers gain intelligence on the target system to better understand how it works and potential vulnerabilities. Most testers use specialised operating systems built on the Linux OS to perform their testing.
- Threat modelling: The testers scan and model the target for weaknesses using tools and methodologies determined during the reconnaissance phase. This is performed using vulnerability scanners.
- Vulnerability analysis: Testers then use the model of these vulnerabilities to analyse and identify how exploitable potential vulnerabilities are and how successful they are likely to be.
- Exploitation phase: Having modelled and analysed the vulnerabilities, testers then proceed to exploit them – for example through brute force or distributed denial-of-service (DDoS) attacks – gaining and attempting to maintain access to the system and exploiting it to steal data or gain system privileges.
- Post-exploitation phase: Having exploited the system, the testers then create a detailed brief on the vulnerabilities they exploited, how, and the length of time they exploited them for. They’ll also suggest upgrades or improvements that will address the vulnerabilities moving forward.
Benefits of Penetration Testing
There are a number of ways a business can benefit from regularly conducted penetration tests by qualified testers.
Improved security and cyber security awareness is a natural benefit of a regular pen test cadence. Vulnerabilities are spotted early and are fixed before they can be exploited in a genuine cyber-attack, and the business gains an overall better understanding of its security. With this improved understanding the organisation also gains improved risk management as it can limit the exploitability of any potential weaknesses. Finally, by regularly pen testing organisations can reach compliance with industry standards for cyber security.
Pros and Cons of Pen Testing
Penetration testing is not a ‘one size fits all’ solution. There are both pros and cons to using it as a solution.
Pros:
As a method of identifying potential vulnerabilities, pen testing is extremely effective and provides a comprehensive review of the security of any computer system.
Alongside known vulnerabilities, new weaknesses can be discovered, validated and tested for exploitability through the penetration testing process, while the organisation gains a better assessment of its overall security and how it might be able to respond to an attack. It is more complete than vulnerability scanning while less expensive and resource intensive than red teaming, making it a versatile testing method.
Cons:
The requirement for third-party skilled and qualified individuals to perform penetration tests makes it inherently costly to run. The versatility and depth of the test mean it comes with a fairly high resource cost, making it important to optimise scope in order to keep costs proportional to risk.
While it is one of the most comprehensive methods, it is also not as extensive as Red Teaming – which is able to conduct a systematic review of the entirety of the cyber security for an organisation rather than just one scoped aspect of it.
Common Issues Found While Testing
Some issues, such as the ones listed below, appear consistently during penetration tests. Checking and fixing these before scoping your tests can help ensure a more productive test result.
- Unsupported, old and outdated software is one of the most common issues found in penetration tests and one of the simplest to fix. Applicable to applications, internal or external infrastructure and cloud applications, keeping your entire software library updated and free of outdated and unsupported software is crucial.
- Unencrypted communications provide testers (and attackers) with an easy way to discover sensitive and exploitable information. Weak Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol configurations, as well as expired certificates, are often at fault.
- Weak passwords are also all too commonly exploited during penetration tests. Generic passwords are often left on systems that are not seen as likely targets of cyber-attacks, such as printers or smart devices, which gives testers an easy way in. All passwords in an organisation should be high-quality, and multi-factor authentication should be implemented as standard.
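The two transport-layer findings above (a weak SSL/TLS protocol version and an expired or soon-to-expire certificate) are easy to check on your own internet-facing hosts before scoping a test. The following is an added example written for this page, not code from Six Degrees or from any testing product; the host name, the 30-day warning threshold and the "below TLS 1.2 is weak" rule are assumptions for illustration.

```python
import ssl
import socket
from datetime import datetime, timezone

# Assumption for this example: anything older than TLS 1.2 counts as a
# "weak protocol" finding of the kind the list above describes.
WEAK_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def evaluate_tls(version, days_remaining, warn_days=30):
    """Turn a negotiated protocol version and the number of days until the
    certificate's notAfter date into a list of human-readable findings.
    Kept free of network I/O so it can be tested offline."""
    findings = []
    if version in WEAK_VERSIONS:
        findings.append(f"weak protocol negotiated: {version}")
    if days_remaining < 0:
        findings.append(f"certificate expired {-days_remaining} days ago")
    elif days_remaining <= warn_days:
        findings.append(f"certificate expires in {days_remaining} days")
    return findings


def parse_not_after(not_after_str):
    """Parse the 'notAfter' string returned by ssl.getpeercert(), e.g.
    'Jun  1 12:00:00 2025 GMT', into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after_str),
                                  tz=timezone.utc)


def check_host(host, port=443, timeout=5.0):
    """Connect with the system trust store, then evaluate the negotiated
    version and the leaf certificate's remaining lifetime. The default
    context refuses versions below TLS 1.2 and rejects expired or untrusted
    chains, so those cases surface here as handshake failures, which are
    reported as findings rather than raised."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                version = tls.version()
                not_after = parse_not_after(tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as e:
        return [f"certificate failed validation: {e.verify_message}"]
    except (ssl.SSLError, OSError) as e:
        return [f"TLS handshake failed: {e}"]
    days_remaining = (not_after - datetime.now(timezone.utc)).days
    return evaluate_tls(version, days_remaining)


if __name__ == "__main__":
    print(check_host("www.example.com"))  # assumed host; replace with your own
```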
How do Vulnerability Assessments and Red Teaming Differ to Penetration Tests?
Vulnerability Assessments and scans are a lighter form of testing than pen tests. Their aim is to find potential vulnerabilities in a system that could be exploited, rather than finding and exploiting them as in penetration tests. The scans are often automated and then validated by a certified tester. They are less resource intensive than pen tests and are often run on a frequent basis to spot new weaknesses as they develop.
Red teaming, on the other hand, delivers a more comprehensive test of security by simulating a complete cyber-attack. The ‘Red Team’ of ethical hackers have free rein to launch customised, stealthier attacks that best emulate the full scale and scope of a cyber-attack – including physical intrusion into company properties. The scope of the test is larger, likely to involve multiple types of attack at once, and less information is provided to the owner of the system being tested. However, they are more resource and cost intensive.
Why Use Six Degrees’ Penetration Testing Service?
Provided by some of the most highly experienced and accredited Penetration Testers in the industry, Six Degrees’ Penetration Testing services give you the information you need to enhance your protection against ransomware and other types of cyber-attack.
Our penetration testing service is offered as a part of our comprehensive cyber security offering, and we offer standalone penetration testing as well as penetration testing as a service which provides you with an outsourced managed penetration testing service on a consistent cadence. These help you better understand your cyber security posture by identifying weaknesses and improving your security resilience for better overall protection.
Our cyber security process is aimed at helping businesses improve their cyber security through a better understanding of their cyber security posture and a comprehensive list of services to support it. We view protecting your business from cyber threats in the same way you would view protecting your home from intruders. We lay down solid foundations to identify and protect you from potential threats, and work to detect, respond and recover to attacks.
We have a full service offering to cover all aspects of your cyber security posture – including services that secure your foundations, detect threats, and respond to and recover from cyber-attacks when they occur. Find out more about our services in our complete guide to cyber security.
Our penetration testers have membership to CREST, an international not-for-profit membership body that represents the global cyber security industry, and are part of the CHECK scheme managed by the NCSC (National Cyber Security Centre). As a CHECK service provider, we conduct our penetration tests using NCSC recognised methods and produce reports and recommendations to recognised standards.
Working with HealthHero, Europe’s largest digital healthcare provider, we’ve enhanced their cyber security posture with insights gained from our penetration testing. Our penetration testing services enable HealthHero to identify and understand the cyber security risks it faces while improving its resource efficiency and improving its overall posture. You can explore more of our case studies, including how we helped Beale & Co safeguard its operational integrity through our Managed Extended Detection and Response service.
Further Six Degrees Reading and Resources
CREST and CHECK Penetration Testing
The Importance of Penetration Testing in Cyber Security
Exploring the Role of Penetration Testing in Budget Allocation