Your Complete Penetration Testing Guide: What is it & 15 reasons why you need it
There will always be security vulnerabilities, but you cannot take action unless you're aware of them and how they could impact you business. Unaddresses weaknesses could have catastrophic consequences for your business. Find out how Penetration Testing can help and why it's an essential step for businesses who want to ensure the best possible chance of preventing a successful cyber-attack.
Last updated on February 26th, 2021
Security breaches are increasingly becoming a case of “not if, but when”.
No matter what industry you operate in, how many people you employ, or what services you provide, your business holds valuable information. Information which could be exploited for financial gain or reputational damage.
Criminals who want to gain access to a network will find a way in. There are plenty of vulnerabilities and weaknesses to be exploited – many of which the business will be completely unaware of. Web application attacks were up 800% in the first six months of 2020, and with research showing that over half of vulnerabilities are categorised as high-severity or critical, it’s clear action needs to be taken.
This is where penetration testing can help. We’re seeing an increased interest in companies looking to strengthen their cyber-security measures, often following a breach. In this comprehensive guide, we’ll answer all your frequently asked questions about penetration testing and demonstrate the risks of not undertaking them regularly.
What is penetration testing?
A penetration test, also known as pen testing or ethical hacking, is an authorised simulated cyber-attack. It is designed to not only identify weaknesses within the system but attempt to exploit them in the same way a criminal hacker might.
The purpose is to assess the security of a system and identify vulnerabilities and strengths, so a full risk assessment can be completed.
Carried out by a trusted ethical hacker, a penetration test will use the same tools and techniques that a malicious actor might, to see if they can breach the system. The exact goals will vary depending on the business, but essentially, they are aiming to see if they can gain unauthorised access, exploit vulnerabilities, and circumvent or incapacitate any security measures already in place.
SPEAK TO QUOSTAR’S SECURITY CONSULTANTS TODAY TO FIND OUT HOW ETHICAL HACKING AND AUTHORISED CYBER-ATTACKS CAN ADDRESS THE RISKS FACING YOUR BUSINESS
Is penetration testing the same as a vulnerability assessment?
No. They are related, but they have different purposes so should not be considered interchangeable phrases.
The scope of a vulnerability assessment is much larger. It scans systems and applications for known vulnerabilities, whereas a penetration test attempts to exploit weaknesses in the environment.
You will inevitably have vulnerabilities in your environment. Partly due to frequent changes to applications, missing security patches, and sometimes because firewalls leave certain ports open for email and other Internet-connected services. That’s why it’s important to perform regular vulnerability scans to identify and address risks.
We recommend that every new piece of equipment is scanned before it is deployed and on a quarterly basis, at minimum, afterwards. Any changes to equipment should also be followed by another scan. This will pick issues like missing patches and outdated certificates, protocols, or services.
A vulnerability assessment can be automated and does not validate results, so there is a potential for false positives. This one of the reasons why you should not solely rely on automated or AI-based security measures. Penetration testing, on the other hand, requires a more intelligent and creative way of thinking. Hackers will often chain multiple vulnerabilities for exploitation, so the tester needs to be able to replicate this thought process.
Essentially, both are important security measures and should be used in tandem with one another to maintain network security.
The benefits of penetration testing: 15 reasons why you need to run regular pen-tests
- Clearly shows the strengths and weaknesses in your environment, providing clear insight into the risks.
- Reveals vulnerabilities not discoverable via other methods and filters out false positives due to human analysis.
- Demonstrates what levels of access could be gained and what data may be exploited or breached, showing the real risk of a successful attack.
- Tests the organisation’s cyber-defences, allowing businesses to check that they are working as expected (e.g., are they triggering the correct alerts and internal processes).
- Provides an expert opinion from an independent third party, who will assess against best practice.
- Provides the senior leadership team with insightful reports
- Helps internal IT teams influence management decisions in their favour and the results can be used to obtain further budget or resources to bolster security defences.
- Helps your organisation prioritise budget and spending on security by categorising the vulnerabilities into low, medium, and high risks.
- Ensures current controls are effective by checking they are implemented and configured correctly.
- Gives businesses the opportunity to develop and implement controls for the uncovered weaknesses before it”s exploited in the wild.
- Allows IT teams to examine the effects of multiple vulnerabilities and how they are linked together.
- Shows how different teams respond to an intrusion, allowing response time and internal incident response procedures to be improved.
- Reveals poor internal security processes and helps IT teams to enforce the security strategy.
- Support your organisation’s alignment with industry security standards (e.g., PCI DSS, HIPAA, GDPR, GLBA, FFEIC).
- Strengthens customer trust and loyalty by demonstrating you proactively test, manage, and improve your security measures.
Types of penetration tests
- Web Application – Focuses on the vulnerabilities found in web application components; this includes frameworks, server software, API’s, forms, and anywhere that accepts user input. They test user authentication to check that accounts cannot compromise data; assess the application for flaws and vulnerabilities, and confirm the configuration is secure.
- Mobile Application Penetration – Tries to exploit how a mobile application accepts user input, how securely it is stored on the phone, how securely data is transmitted across the internet, as well as all the web service vulnerabilities which may be present in the API.
- External Infrastructure – Checks for ports open on all externally facing ranges, attempts are made to fingerprint and exploit services discovered as well as bypass authentication mechanisms and brute force VPN gateways.
- Internal Infrastructure –They aim to identify and exploit flaws in servers and hosts; misconfigured wireless access points and firewalls; and insecure network protocols. Tests are carried out as both authenticated and non-authenticated users to assess what a hacker with inside access could achieve.
- Wireless – Attempts to crack WEP and WPA encryption to gain access. Other attacks may include Man in the Middle (MiTM) and tricking wireless clients into connecting to a dummy access point.
- End Point / Kiosk PC – Attempts to break out a locked-down device and gain elevated privileges or access sensitive data.
- Social Engineering – An attempt to make a person/people reveal sensitive information such as passwords, financial details, or business-critical data. It is usually done over the phone or internet and will target certain departments (e.g., Finance/Accounts), employees and business processes.
What issues can penetration testing uncover?
- Poor System Configuration – Open ports, weak user credentials, unmanaged access privileges and unpatched applications are just some exploitable weaknesses. Luckily, once you are aware of them, they are usually fairly easy to remedy. However, adding new devices or services can quickly introduce added risks again.
- User Input – SQL injection, the execution of malicious commands designed to instruct or query backend databases for information, is one of the most common attack vectors for web applications. This type of vulnerability can allow hackers to steal sensitive information such as payment card details, login credentials and more.
- Encryption and Authentication – Encrypting data, at rest or in transit, is a common method of protection. However, in some cases, businesses use less secure methods of encryption which can be easily cracked by hackers. Malicious actors will also use “Man in the Middle” (MiTM) attacks, where they attempt to intercept communications to circumvent authentication systems designed to verify the identity of the sender.
- Cookies and Tokens – Web applications will often use session management tools, like identification tokens and cookies, to increase usability, store preferences and record activity. However, these tokens need to be created securely otherwise they can be exploited to hijack sessions or gain higher access privileges.
How often should you perform a penetration test?
Penetration tests should be performed on a regular basis, at least annually, to ensure more consistent IT and network security.
In addition to regularly scheduled tests, pen-tests should also be performed whenever significant changes take place in the IT environment. This may include things like when new infrastructure or applications are added, or when existing ones are upgraded or modified.
Whenever you add new office locations or amend end-user policies are also prime situations for pen-testing. This will help ensure things like new devices, amended access privileges and new applications do not introduce risk.
Does my business need to perform penetration testing?
Any business with an online presence, a web or mobile application, or a connected digital infrastructure should perform regular penetration testing. As should those who need to ensure financial or business-critical data is secure while transferring between different systems or over the network.
That’s pretty much every business operating today. So, yes, your business should probably already be running pen-tests.
In addition, certain regulations require penetration tests for compliance purposes. For example, PCI-DSS V3.0 requires annual penetration testing. Plus, some clients also ask for pen-testing as part of the software release cycle.
Penetration testing is a strongly recommended security best practice. When used alongside other measures, such as vulnerability assessments, it is one of the best ways to guarantee the security of your internal processes, systems, and applications. It will help protect your customers while protecting your business from financial and reputational damage.