For our latest blog, we’re returning our focus to a key cyber security tool. With so many instances of hacking and data breaches in recent times, it is vital to have a robust security strategy in place. Penetration Testing is something that can help you to assess just how strong your cyber defences are. Here then we look more closely at this. We provide a short definition and details on who can benefit from the different penetration testing types that are available. We also point out how often testing should be carried out. If you would like to discuss pen testing in more detail, our experts would be happy to hear from you.
What is penetration testing?
Also described as ‘ethical hacking’, it is a systematic and controlled process whereby the security of digital devices and assets is assessed. The key objective is to identify and then exploit vulnerabilities in a controlled environment, thus mimicking a malicious attacker. By doing this, it is possible to mitigate the risk of being prone to unauthorised access, data breaches or other cyber-attacks in the future. Carrying out regular pen tests is a proactive stance which can definitely help organizations large and small to improve their overall security efforts. Typically, the penetration testing process includes the following steps:
- Planning and Reconnaissance
- Enumeration
- Vulnerability Assessment
- Exploitation
- Post-Exploitation
- Documentation and Reporting
- Remediation and Follow-up
Who needs pen testing & how frequently should tests be completed?
For those organisations seeking to adopt a proactive stance with their cyber security, pen tests are essential. Regardless of their size and scale, most businesses nowadays deal with sensitive data – which means they are attractive targets for cyber-criminals. The following organisations are typically urged to engage in annual pen tests as a minimum:
- Government agencies and organisations at local, regional and national levels
- Financial institutions such as banks and credit unions
- Healthcare providers and organisations storing personal health information (PHI) and electronic medical records
- Educational institutions such as schools, colleges and universities
- Organisations and businesses operating e-commerce websites
- Technology companies involved in software development, tech products and internet services
- Utility and energy companies
- Transportation and logistics companies (the supply chain)
- Defence and military sector contractors
- Non-profit organisations
- Start-ups
If your business does not fall under the headings above but you use digital systems, networks or applications, then you can definitely benefit from penetration testing. Given that it helps to identify and mitigate risks and vulnerabilities, why would you not consider it?
It is important to note that penetration testing is not a ‘silver bullet’ solution. It should be viewed as one part of a comprehensive cyber security strategy. Ultimately, the frequency of your testing must be determined by the status of your organisation. If you have a dynamic, highly-evolving IT landscape, for example, then you will most likely benefit from regular tests. Now you know what a penetration test is, who should have them completed and how often. The next step is to consider the different penetration testing types available.
Different types of pen testing
Some of the more common types include:
- Internal infrastructure (this includes wireless, routers, firewalls testing, user and internal applications network infrastructure to give you complete visibility over your security weaknesses)
- External parameters (external penetration testing is a practice that assesses the externally facing assets for an organisation. During an external penetration test, the assessor attempts to gain entry into the internal network by leveraging vulnerabilities discovered on the external assets)
- Cloud services (this includes web applications, mobile applications, social media manipulation, IaaS PaaS and cloud service configurations to identify all security risks, including OWASP Top 10 via an authenticated, unauthenticated & API testing approach)
Penetration testing styles
Finally, the information given to a pen tester before they complete a test can be highly influential upon its outcome(s). This is where the ‘White box vs black box vs grey box pen testing’ argument comes into play.
- White box (The tester receives full network and system information, including network maps and credentials and provides a complete overview of security awareness)
White-box Testing is an approach that allows testers to examine and verify the inner workings of software systems (code, infrastructure and integration with external systems). White box testing can uncover bugs that black box testing and other software testing methods cannot.
- Black box (no information is provided to the tester at all, meaning that they must adopt the approach of a hacker)
The testing conducted on the target is not thorough as this type of penetration testing does not include source code analysis. Also, as the tester is not provided with any information about the target, the completion time for testing is unpredictable.
- Grey box (the tester receives limited information, such as login details)
Grey Box testing is frequently used to identify context-specific problems in online applications. In the case of Grey Box testing, the testers should have the knowledge of implementation, however, they need not be experts in its development.
Conclusion
In this article, we have described a typical pen test plus pointed out who can benefit from them. We have offered some tips on test frequency plus also looked at some penetration testing types. If you already engage in this, then you will surely know how important and effective pen tests are. If you do not, hopefully this information will be of value. Remember, we’re here for you and ready to help; find out more about CRIBB Cyber Security’s penetration testing services.