Why is Penetration testing necessary?

Easy, a secure system today doesn’t mean a secure system tomorrow. With cyber attacks getting more and more prevalent in today’s day and age it has never been more important to test your cyber controls. Penetration testing looks at vulnerabilities and will attempt to exploit them. The testing is stopped when the goal is achieved, the goal being when access is granted. This would confirm if the security controls you have in place are successful or not.

 

Organizations need to conduct regular testing of their systems for the following key reasons:

• To determine the weakness in the infrastructure (hardware), application (software) and people in order to develop controls
• To ensure controls have been implemented and are effective – this provides assurance to information security and senior management
• To test applications that are often the avenues of attack (Applications are built by people who can make mistakes despite best practices in software development)
• To discover new bugs in existing software (patches and updates can fix existing vulnerabilities, but they can also introduce new vulnerabilities)

How often should you conduct a Pentest?

Pen testing should be conducted regularly, to detect recently discovered, previously unknown vulnerabilities. The minimum frequency depends on the type of testing being conducted and the target of the test. Testing should be at least annually, and maybe monthly for internal vulnerability scanning of workstations, standards such as the PCI DSS recommend intervals for various scan types.

Pen testing should be undertaken after deployment of new infrastructure and applications as well as after major changes to infrastructure and applications (e.g. changes to firewall rules, updating of firmware, patches and upgrades to software).

During the risk assessment, you will assess the impact of not complying to certain laws and regulations if you do not perform a penetration test on your products. Non-compliance to regulations may cost you a hefty fine, lose you your license to operate, or even worse, get you jail time. Data privacy has been getting more attention and regulators from different countries are implementing strict data privacy laws to protect their citizens. It is important that you seek legal counsel to assess local laws and regulations and ensure that your company complies with those regulations.

What does a Pentest consist of?

Pen testing usually involves five phases:

1. Planning and data gathering—Define the goals of the penetration testing. Which systems will be included? What testing methods will be used? Gather data on the attack target, which may include the network or domain name, for example.
2. Scanning—Tools are used to gather more data and information on the target. Examples include a vulnerability scanner and DAST tools, which are discussed in more detail in the next section.
3. Gaining access—Web application attacks such as Cross-Site Scripting or SQL Injection are launched to expose vulnerabilities. Pen testers try to expose these vulnerabilities by stealing data or increasing permissions. The goal is to understand how much damage can be done.
4. Maintaining access—Determine if the exposed vulnerability can be used to achieve a persistent presence in the application. In other words, can the attacker get deep within the web app, accessing sensitive data and causing more harm?
5. Covering tracks—The attacker takes care to remain undetected. Changes made to the system must be returned to a state that will not raise a red flag.

Penetration testing results in a formal report that details the vulnerabilities that were exploited, how long the tester was able to remain undetected, and the sensitive data exposed. This information is used to remediate vulnerabilities and improve the security of the web application to help protect against real attacks in the future.

Penetration testing methods include:

• External testing—Only systems and assets that are visible on the internet, such as the web application itself, are targeted. The goal of the testing is to gain access to the application and its data.

• Internal testing—The pen tester has access to the application behind the firewall. A potential scenario could be a rogue employee or stolen credentials from an employee.

• Blind testing—The pen tester is given the name of the company, but nothing else. This simulates an actual application attack in real-time.

• Double-blind testing—This is similar to a blind test, but the security team is not made aware of the simulation. They have no time to prepare for the attack.

• Targeted testing—The penetration tester and security team work together, informing each other of steps taken to attack the application and to defend against the attack. This serves as a training exercise that provides real-time feedback during an attack.

Penetration testing is, for the most part, a manual process. Human testers need to apply a higher level of skill to properly identify all of the exploitable vulnerabilities in a web application.

In the simplest of terms for example, let’s say a website is vulnerable to the vulnerability Heartbleed. Many websites still are. It’s one thing to run a scan and say “you are vulnerable to Heartbleed” and a completely different thing to exploit the bug and discover the depth of the problem and find out exactly what type of information could be revealed if it was exploited. This is the main difference – the website or service is actually being penetrated, just like a hacker would do.

 

Conclusion

Penetration testing can help to mitigate the threats of the above risks that your business may face. However, good security practices should be adopted in order to secure your business. By taking a risk-based approach on cyber security, you will address the prioritized threats and review your business risk exposure continuously.

What does TeamCISO offer in the line of Pentesting?

From Social Engineering to Network Security to finalizing reports, TeamCISO offers the necessary services required for companies in order to protect themselves and their customers to meet regulations.

Check out our site here to read and learn more about our Pentesting and other services below.

Penetration Testing Methodology

 

 

Thanks for reading and stay safe out there 🙂

TeamCISO:

was formed in 2015 by a group of Cyber-security practitioners with experience in large enterprise. Our mission is to bring those frameworks and practices to help small to medium businesses get and stay cyber secure.

Our team can help you asses your current information Security and Privacy Controls to ensure that you are doing you due diligence in managing your corporate risk profile.

If any gaps or vulnerabilities are discovered, our team will document these as well as define a road-map to remediation.

Set up a free 30-minute Cyber Security Consultation!

TeamCISO provides comprehensive pen testing and PCI QSA services. The company can be contacted on 905-621-9925 or by email at info@teamciso.com