What is a penetration test and when should you get one?

May 1st, 2022 Posted in Penetration Testing

What is a penetration test?

A penetration test (or ‘pen test’) is a simulated cyber attack through which you can identify the very vulnerabilities that an attacker would use to breach your network or your applications. Penetration testing uses various manual techniques combined with automated tools to analyse the target for potential vulnerabilities and then attempt to exploit them.

Exploitable vulnerabilities typically include known security flaws in hardware or software, poor configuration, or operational weaknesses. To learn more about the common vulnerabilities found through penetration testing, visit our blog on the topic. The test is usually carried out from the perspective of a real-world attacker and includes exploiting vulnerabilities to identify possible countermeasures, prioritising the weaknesses by severity, and providing guidance on how to fix the vulnerabilities identified.

Penetration testing can be compared to hiring a ‘burglar’ to break into a building and access valuables in order to test your security defences; if the burglar succeeds, you gain insight into how they bypassed your security measures so you can improve them. Two of our senior security experts recently wrote an article in Media Insider explaining the benefits of pen testing and what to look for in a good pen testing partner.

For a detailed overview of penetration testing, read our guide here.

Types of penetration test

The most common forms of penetration testing are application testing (mobile application, web application and API testing), which identifies vulnerabilities in business applications, and infrastructure testing, in which servers, firewalls and other systems are tested for weaknesses in an attempt to move through the target network. You can also visit this article to learn more about the difference between internal and external infrastructure testing.

Other types of penetration testing include client-server, wireless, end-user device and telephony or VoIP testing.

Additionally, staff-focused testing such as phishing and social engineering can be undertaken to assess the success of security training within the company.

Penetration testing versus vulnerability scanning

Penetration testing is often confused with automated vulnerability scanning. Vulnerability scanning uses automated tools to scan the environment and check that security settings are applied consistently and that systems are up to date. Scan reports are typically used to identify outdated software components that need to be patched to fix a vulnerability.

The objective of vulnerability scanning (and vulnerability management more widely) is to validate that minimum security requirements are met and kept up to date. We have a more detailed blog on best practices for vulnerability scanning.

Penetration testing goes a step further and replicates a real-world attack. This often starts with a scan to identify ‘low hanging fruit’ weaknesses, but also includes the use of different tools and manual techniques to confirm that a vulnerability can actually be exploited and to assess its severity. A scanner largely infers a weakness from a version banner or configuration signature without exercising it, so its results include false positives and omit flaws that need context to find, such as business logic errors or chains of individually low-severity weaknesses. Manual testing supplies that human and contextual judgement, which software alone cannot. When engaging with a pen testing provider, ensure you have full transparency over their pen testing costs, with a breakdown of their methodology and what you can expect in their report.

Why is penetration testing necessary?

Penetration testing is a security assurance exercise. It provides independent validation that your security defences are sufficiently resilient. This is important for multiple reasons including:

  • Verifying that New Applications are Secure: When a new application is being deployed, regardless of the host, it is a good idea to carry out an assessment, especially if sensitive data will be stored within the application. Testing should be a key activity within your secure development lifecycle.
  • Understanding the Security Posture of your Organisation: Testing helps confirm your defences are sufficient and resilient. This will be important to your senior management and also to organisations you work with or hold data on behalf of.
  • Regulatory Compliance: Laws and regulations require security assurance, including testing. Article 32 of the GDPR, for example, requires controllers and processors to implement measures including “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing”.
  • Contractual Compliance: It is increasingly common for supplier contracts to mandate annual pen-testing of systems that are important to the services being provided by the supplier.
  • Improved Threat Awareness: Sometimes similar organisations are exposed to similar threats. Carrying out assessments using the same methods that perpetrators use to attack other companies in the same industry gives insight into how exposed the company is and how to prevent the organisation from being the next victim.

In our increasingly connected world, businesses set up new suppliers quickly and share data with them, which they often share with their suppliers and beyond. This means you quickly build an extended digital supply chain (read our extensive Guide to Supply Chain Security). Each one of these third parties presents an attacker with a way into your systems or data. As such, you should not only penetration test your own organisation, but should also ensure your suppliers are systematically testing their own systems.

Moreover, schemes such as Cyber Essentials Plus, which requires hands-on technical verification by an assessor, and the IT Health Check (ITHC) scheme, which requires a penetration test for accreditation, also drive testing. As noted above, the GDPR does not name penetration testing, but its Article 32 requirement for a process of regular testing is, in practice, met through activities such as vulnerability scanning and penetration testing.

It’s also worth mentioning that a penetration test can be performed with or without prior knowledge of the client’s systems. When you schedule a penetration test, part of the process involves agreeing how much information and access the tester receives. In white box testing the tester is given full information, such as architecture documentation, source code or credentials; in black box testing they are given nothing beyond what an external attacker could discover; and in grey box testing they are given a partial view, typically a low-privileged user account.

While most companies understand the benefits of penetration testing, timing is critical. If performed too frequently, penetration tests can be costly and the results may overwhelm a small IT team. On the other hand, if not done often enough, your business could be left exposed to a cyber attack.

When and how often should penetration testing be done?

In the same way that every organisation is unique, so too are their penetration testing requirements. However, there are a few overarching principles for guiding when a test is needed.

An annual health check-up

At a minimum, penetration tests should be conducted on an annual basis. They effectively act as a technical audit of your IT systems and applications, helping you to ensure that relevant security patches have been applied, any new software has been integrated safely, systems are configured properly, your operating systems aren’t vulnerable to attack and your employees are following security protocols.

In cases where your IT team consists of only one or a few personnel, we advocate staggering the phases of an annual penetration test, to ensure that all vulnerabilities can be dealt with, without overloading your team members.

The deployment of new software and services

Every time your organisation introduces a new application, website or service, it should be checked with a penetration test. This is pivotal to secure development and ensuring that your security posture has not been negatively impacted by the introduction of new vulnerabilities.

This is especially critical if you are exposing your application or service to the internet. In this case, you are opening up the application to the world and it will be continuously scanned and probed by opportunistic attackers and automated tooling. If your application contains personal data or sensitive information, then the potential impact of a breach is high, and testing is an absolute must.

Any other changes to the workplace environment

The COVID-19 pandemic is a prime example of how changes to the workplace environment make organisations more vulnerable to cyber-attacks. Interpol saw a huge increase in attacks during COVID-19, as cybercriminals attempted to take advantage of the shift to remote and hybrid work.

Changes like these, whether in the physical or digital realm, warrant penetration testing so that any new exposure is found before an attacker finds it. Physical testing, which simulates a malicious actor attempting to gain access to a business’s premises, is also important. Companies should also carry out a full and thorough assessment of their Active Directory Certificate Services configuration, where misconfigured certificate templates and enrolment permissions can give an attacker a route to domain privilege escalation, to ensure that no weaknesses have crept in during the years of IT change that every company experiences.

If you’re a newbie

If you’ve never conducted a penetration test before, then the time to act is now. Often, small businesses that aren’t highly reliant on technology may think they are at low risk of a data breach. But, with the proliferation of data, every company can be considered a tech company – even if they’re a shop on the high street. Because of the reputational and financial risks of a successful breach, penetration testing is urgent for any and all organisations that are yet to conduct one.

As the digital and physical business worlds continue to merge, penetration testing is an excellent way for businesses to reduce the risks of a data breach, ensure compliance and assure their supplier network that they are being proactive about safeguarding sensitive information. By knowing when to conduct penetration tests, and working with a trusted, accredited tester, your company will improve internal security confidence – and that of your customers and partners.

Stages of penetration testing

A penetration test is typically delivered over the following testing phases:

1. Pre-Engagement Interactions

In this stage, the tester or testing company will work with you to define the scope of the pen test, as well as its objectives and approach, the rules of engagement, the written authorisation to test, and any legal implications or constraints such as testing windows and excluded systems.

2. Reconnaissance or OSINT

The tester will try to collate as much open-source intelligence as possible about the organisation at this stage. Depending on the type of test being carried out, the type of information will vary.

3. Vulnerability Identification

During this stage, the tester will use all the potential targets gathered in the previous stage and model the attack vectors which will be used on the target. It is also in this phase that the tester will use vulnerability scanners, and other manual or automated tools on the target to discover any exploitable vulnerabilities.

4. Exploitation

With all the targets and vulnerabilities mapped, the tester will attempt to use exploits to gain entry to systems and/or networks. The end goal of this phase is to see how far in the environment the attacker is able to get (within the defined scope).

5. Analysis & Recommendation

During this stage, the tester will document how access was gained and provide remediations to prevent future exploitation. Afterwards, the tester will return the environment to its pre-test state by removing any accounts, tools, web shells or configuration changes introduced during testing and cleaning up any traces of the attack.

6. Reporting

This is where a written report of the test is provided to the client, including recommendations to remediate vulnerabilities. It is also at this stage that the company has the opportunity to review any findings with the tester during a debriefing workshop. Learn more about what a good pen test report should look like in our blog.
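Stage 1 produces the agreed scope, and every action in stages 3 to 5 has to stay inside it. The script below is an added example, not Evalian’s tooling or anything from the original article: it is a scope gate a tester can call before any scan or exploit attempt, checking that a target is inside an agreed range, not on the exclusion list, on an agreed port and within the agreed daily testing window. The ranges, ports and window are constructed sample values (the addresses come from the RFC 5737 documentation ranges); exclusions take precedence over inclusions, and windows that cross midnight are handled.

```python
"""Pre-engagement scope gate (added example; assumptions marked inline)."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Scope:
    """Scope as agreed in stage 1 (pre-engagement)."""
    networks: tuple      # in-scope hosts/ranges as ip_network objects
    excluded: tuple      # explicitly excluded hosts/ranges; these win over inclusions
    ports: frozenset     # agreed ports; an empty set means any port is allowed
    window_start: time   # daily testing window, local time
    window_end: time


def build_scope(in_scope, excluded=(), ports=(), window=("00:00", "23:59")):
    """Parse the textual scope agreed with the client into a Scope object."""
    to_net = lambda s: ipaddress.ip_network(s, strict=False)  # single hosts become /32
    start, end = (time.fromisoformat(t) for t in window)
    return Scope(
        networks=tuple(to_net(s) for s in in_scope),
        excluded=tuple(to_net(s) for s in excluded),
        ports=frozenset(int(p) for p in ports),
        window_start=start,
        window_end=end,
    )


def in_window(scope, now):
    """True if `now` is inside the daily window; supports windows that wrap midnight."""
    t = now.time()
    if scope.window_start <= scope.window_end:
        return scope.window_start <= t <= scope.window_end
    # e.g. 22:00 to 06:00: allowed late in the evening or early in the morning
    return t >= scope.window_start or t <= scope.window_end


def check_target(scope, host, port, now):
    """Return (allowed, reason). Deny by default; only explicit scope permits testing."""
    addr = ipaddress.ip_address(host)
    if any(addr in net for net in scope.excluded):
        return False, f"{host} is explicitly excluded from scope"
    if not any(addr in net for net in scope.networks):
        return False, f"{host} is not in any in-scope range"
    if scope.ports and port not in scope.ports:
        return False, f"port {port} is outside the agreed port list"
    if not in_window(scope, now):
        return False, f"{now:%H:%M} is outside the agreed testing window"
    return True, "in scope"


# Constructed sample scope (hypothetical client, RFC 5737 documentation addresses):
# one /24 plus a single host, one excluded host, three ports, overnight window.
SCOPE = build_scope(
    in_scope=["203.0.113.0/24", "198.51.100.10"],
    excluded=["203.0.113.5"],
    ports=[22, 80, 443],
    window=("22:00", "06:00"),
)

if __name__ == "__main__":
    checks = [
        ("203.0.113.10", 443, datetime(2022, 5, 1, 23, 0)),   # in scope, in window
        ("203.0.113.5", 443, datetime(2022, 5, 1, 23, 0)),    # excluded host
        ("192.0.2.1", 80, datetime(2022, 5, 1, 23, 0)),       # never in scope
        ("203.0.113.10", 8080, datetime(2022, 5, 1, 23, 0)),  # port not agreed
        ("203.0.113.10", 443, datetime(2022, 5, 1, 12, 0)),   # outside the window
        ("198.51.100.10", 22, datetime(2022, 5, 2, 5, 30)),   # after midnight, still in window
    ]
    for host, port, now in checks:
        allowed, reason = check_target(SCOPE, host, port, now)
        print(f"{host}:{port} at {now:%H:%M} -> {'ALLOW' if allowed else 'DENY'} ({reason})")
```

The gate is deliberately deny-by-default: a host that is neither listed nor excluded is refused, which mirrors the legal position that only explicitly authorised systems may be tested. Wiring `check_target` in front of scanner and exploit wrappers turns the scope document into something enforced rather than merely agreed.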

Need Help?

If your organisation needs help running a penetration test on an application or infrastructure, we’re here to help. We can assess your environment and run a full penetration test. We can also advise you on any follow-up actions or remediations from our findings. Contact us for a friendly chat.


Written by Alex Harper

Alex is a senior security consultant, specialising in security testing of IT infrastructure, web applications and mobile applications. He started his career as a software developer before moving into ethical hacking and security consulting. His qualifications include Cyber Scheme Team Leader (CSTL), Offensive Security Certified Professional (OSCP) and Qualified Security Team Member (QSTM).