The Benefits Of Penetration Testing – The Obvious and Not So Obvious
A creative title for an article we know. We remember a time when Penetration Testing, or Pentesting as we call it, was sexy. Now it seems that Pentesting is just part and parcel with most mature security programs these days. The sexiness has been clouded (pardon the pun). But here at Cybra Security, Pentesting is still very much sexy, and it forms a core part of our specialist services portfolio. Thus we found it appropriate to put pen to paper and write an article on the current state of Pentesting, how it can benefit new customers that might not be aware of what it is, and some commentary around Pentesting in the modern, pandemic-ridden, remote society we have found ourselves living in.
What is Penetration Testing?
Penetration Testing, colloquially termed as Pentesting or ethical hacking, is an authorised simulated cyber-attack designed to identify and evaluate the risks and vulnerabilities that are present in an organisation’s IT Systems. Organisations perform this test to detect what type of cyber-attacks they are likely going to be faced with, estimate the threat of unauthorised parties gaining access to data, and understand the risk associated with a compromise. This gives organisations the tools necessary to perform an effective cost-benefit analysis of what security controls should be invested in to prevent such a breach from occurring.
Or, to put it simply, Penetration Testing is defined as “a way for gaining assurance in the security of an IT system by attempting to penetrate some or all of that system’s security, using the same tools, methods and techniques as an adversary.”
On top of that, the statistics from market and industry surveys reveal that the global penetration testing market will increase at a Compound Annual Growth Rate (CAGR) of 13.8%, from USD 1.6 billion in 2021 to USD 3.0 billion in 2026. So, you can see the popularity and demand for Penetration Testing is growing in alignment with the uptick in global cyber-attacks.
Some Obvious Benefits
Yes, it is true, Pentesting can be used as a tick mark on a multitude of compliance checkboxes in multiple industry standards. Things like ISO 27001 and PCI DSS require annual Pentesting. Some organisations conduct Pentesting activities so they can meet this compliance, and there is nothing wrong with that because at the end of the day Pentesting is essential at ensuring the security posture of any business.
Detect Cyber Risks and Vulnerabilities
When an organisation has a proactive approach to security (the best type of client), they invest some of their security budget to perform Pentesting of their environment, networks and systems, and use the results of the test to prioritise their security spend going forward. It is a highly effective method of staying on top of threats and getting a real-world, independent, non-biased view of where your organisation’s risks are.
Target The Whole Business or Focus In On Key Areas?
Getting a Pentest may be confusing at first. What does it cover? Well, that is entirely up to you! You can get your entire IT environment, including networks, cloud, servers, workstations, applications – or – you can narrow down the Pentest on particular key areas of your business. Here are some popular scenarios often chosen by Cybra Security customers:
External Network Penetration Test
Tests the security of your internet-facing infrastructure, including firewalls, web servers, DNS, leaked credentials and more. This is a good test to ensure your internet perimeter is nice and secure.
Internal Network Penetration Test
Traditionally, this is one of the most beneficial types of security test. If an attacker was to sneak onto your internal network (through a misconfigured firewall, leaked VPN credentials or a phishing email) then what defences do you have to contain the attacker and protect your most valuable information assets and systems? This test simulates an attacker on your network and will identify your vulnerable areas, such as lack of patch management, weak password policies, access control issues. It provides great coverage for any business, big or small.
Web Application Penetration Test
If you are an organisation developing your own web application for your customers, such as retail or banking, or if you are an organisation that is acquiring a new application for use internally, then this test is for you. Before releasing your application to the public, or before turning it on inside your network, you want a Pentest of it to ensure it is not vulnerable to web-based attacks. Web-based attacks are very prevalent in this day and age and websites and applications are a major cause of data breaches and credential theft.
Mobile Application Penetration Test
If you develop mobile applications or have acquired one for use within your organisation, a mobile app Pentest is essential in ensuring the application has been developed using secure coding practices. Mobile apps face the same risks and threats as websites and applications, with a larger attack surface due to local configurations, such as where the device stores your banking PIN.
More mature organisations that undergo regular Pentesting and meet industry standard compliance frameworks often take a proactive approach to security and want Cybra Security to see if we can break into the organisation, using any means necessary. This can involve using social engineering attacks (phishing or vishing), bypassing physical access controls to gain entry into office buildings, planting physical backdoors and more. It is a fun exercise for our consultants and a very valuable exercise for customers. It allows us to highlight areas of risk that are often missed by individual Pentests.
Some Not So Obvious Benefits
Upskilling IT Team and Test Incident Response
Hopefully, your organisation has never faced a serious cyber incident or breach before. Most organisations have Incident Response Plans and procedures to follow in order to detect and triage incidents. But just like backups, these need to be tested to ensure they actually work. This is where Penetration Testing comes into play, providing both immediate and long-term value by automatically identifying essential maintenance priorities and gives the team real-world experience in what an ongoing cyber-attack looks like, feels like, and the effects that the business might have if successful. This equips your team with a higher degree of confidence and the ability to defend your organisation in the future.
When a Pentest is underway, your IT Team can monitor and watch various events and logs from your systems, and see what it looks like when an attacker is infiltrating your network. You can put a plan in place and ask your team for an analysis or debrief of the exercise and learning outcomes. Cybra Security can work alongside your IT Teams during a Pentest if you like, which can look more like a Blue Team or Purple Team exercise.
On the flip side, you may want your IT Team to be unaware a test is being conducted so you can assess your team’s responsiveness and ensure that they are following appropriate processes and procedures. We have conducted tests in the past where we created a Domain Administrator account on a company’s Active Directory server, and nobody noticed. The manager was not impressed, to say the least; however, this is a good learning exercise. The point of testing security is to identify all risks to your business and assets, and a lack of adherence to security policies is definitely one that should be rectified.
Making Sure COVID-19 Isn’t The Only Risk
The question that may be running through your mind right now is why has Penetration Testing become so important during the COVID-19 pandemic.
Well, the obvious conclusion is that everyone is working from home. Organisations have had to scurry to accommodate the new era of couch-working staff that require access to all of the files, systems and collaboration tools that they had when inside the office.
Scams and Phishing
While this article is focusing on Penetration Testing, some friendly advice would be to develop remote working policies for staff and give further guidance in how they can keep their own home networks secure, such as secure WiFi, securing personal devices and best practices. Because at the end of the day, if an attacker can compromise a staff member at home, that opens a door into your network.
The Australian Cyber Security Centre (ACSC) received over 1,500 cybercrime reports per month of malicious cyber activity related to the coronavirus pandemic (approximately four per day), with more than 75 per cent of these relating to individual Australians reporting loss of finances or personal information to scams and online fraud during the 2020-2021 period.
How does this affect your organisation? Although these scams and phishing emails are targeting individual users, if a phishing email lures a staff member to click a malicious link or download a malicious document, then the attacker could have access to the staff member’s computer. That computer might be owned by your organisation, or a personal device, but regardless, the attacker is now on the same local network as your staff member, who has a remote connection into your network.
Pentesting can be valuable in identifying all forms of attacks and risks to your business. Cybra Security customers often ask us to conduct Phishing Exercises that help identify weaknesses in your email infrastructure security controls, and the susceptibility of your staff to such attacks.
We have also seen an uptick in customers asking for External Penetration Tests, specifically focusing on their Remote Access and VPN solutions. Acting as an attacker would, our consultants get to work using the latest tools and techniques to see if your defences stop bad people from getting in.
Another avenue to explore is physical security. We have had customers where there has only been skeleton staff working in the office, with no reception being present. An organisation may not have thought to test to make sure the physical security controls and policies are implemented during the pandemic. We have found that organisations are lacking in this area, and it has been quite easy to clone staff members swipe cards and walk straight into the office without being challenged because nobody is around.
When it comes to working from the comfort corners of your homes, it may make employees less vigilant to cyber hygiene. Consequently, it invites a storm in the security operations and opportunities for hackers to steal data more quickly than ever. Penetration Testing during this time can be valuable in assessing your remote worker’s response to potential threats and incidents.
Investing in Penetration Testing has become essential for organisations today. Especially during massive shifts in technology and the way we work. Penetration Testing is one of the most cost-effective, beneficial, and revealing cyber security services out there.