BSI’s Martyn Walsham dispels the seven myths of penetration testing
First, for the uninitiated, a quick definition. A penetration test, commonly known as a pen test, is the practice of testing a computer system, network or web application with an authorized, simulated attack, to evaluate its level of security, and identify specific areas of vulnerability that could be exploited by a genuine cyber attack.
Every major organization should be carrying out pen tests, as highlighted for the last three years by the BCI Horizon Scan Report, released in association with BSI, which finds cyber attack is the threat most feared by businesses around the world. In the latest 2018 study, 53% of business continuity and resilience professionals were ‘extremely concerned’ about it.
Yet, while many people know what pen testing is, some may be misled by the seven myths that surround this most valuable of business activities:
Myth 1: All pen tests are the same
They’re not. Those that miss even one vulnerable component of your system could compromise the whole lot. Take the TalkTalk cyber attack in 2015. It stemmed from just three web pages the telecoms provider inherited from Tiscali, which it had recently acquired. That breach cost the company a £400,000 fine from the regulator. When it comes to pen testing you can’t leave any part of your system untested, so scoping the pen test is arguably the most important step.
Myth 2: When developing a new app, pen test at the end
This myth can cost you time and money. It’s better to schedule pen testing in the project plan as soon as there is stable code to test. If you wait to test the completed system your development team can be kicking their heels while any vulnerabilities are fixed. So pen test as soon as possible to give yourself time to make repairs.
Myth 3: Testing standards don’t count
They absolutely do, because they represent the latest thinking in cyber security. All worthy pen testing companies should be accredited to standard-setting bodies such as NCSC or Crest. I sit on the board of Crest – which developed the CBEST framework with the Bank of England for pen testing the UK’s top financial institutions – and I can assure you it takes the changing face of cyber security very seriously indeed.
Myth 4: Pen testing is only about testing
Clearly, pen testing is mostly about testing, but it can also include preventative measures. One of our most popular services is teaching developers how to write secure code. This makes the code more secure, the actual pen test much easier, and remedial work less extensive.
Myth 5: It’s all about you
When the US retailer Target had its point-of-sale equipment hacked, the attackers broke into one of its poorly protected suppliers and stole data that then enabled them to breach Target’s considerable firewalls. This is not just about your data security, but the security of all your suppliers too – and you can bet your clients are thinking the same thing!
Myth 6: It’s just a defensive measure
The primary reason for pen testing may be defensive – to ensure your systems are secure. But there’s a positive side too. At BSI, we are often asked for our certifications and frameworks because our clients want to promote them in proposals they are submitting to their clients. Companies want assurances that their suppliers are fully protected. That is another reason to make sure your pen tests are carried out to the Crest, NCSC or similar standard.
Myth 7: Annual pen tests are sufficient
Pen testing your systems annually should be your minimum goal. When the NHS was struck by the WannaCry ransomware attack in 2017, with catastrophic results, it was estimated that a quarter of NHS trusts had not pen tested within the previous 12 months. And annual tests may not be enough. You should also pen test every time you update your IT estate with new software, hardware or comms. Any significant change can create a new vulnerability.
Martin Walsham is Director of Cyber Security and Information Resilience at BSI.