Penetration tests - What are they and do I need one?

Given today’s cyberthreat landscape, it is imperative organizations have the correct protocols, policies and procedures in place to keep their information safe, data secure, infrastructure robust and ultimately, make them resilient. In 2017, the 2013 Yahoo breach was recalculated to have affected close to 3 billion users accounts, and the Equifax data breach — with 145.5 million customers affected — exceeds the largest publicly disclosed hacks ever reported. These breaches along with WannaCry and Petya cyberattacks are signals of what is to come in the cyber space. With this in mind, organizations need to identify their susceptibility to a successful attack by testing their systems and networks before an attacker does.

What is penetration testing?

Penetration (pen) testing is the practice of testing a computer system, network or web application, to find vulnerabilities that an attacker could exploit, identifying the likelihood of a successful attack against an organization's IT assets.

Getting a pen tester to attempt to breach your network is the ultimate test of your defences and will give you a clear picture of where and how a hacker could potentially gain access to your system.

A pen test follows a carefully selected set of tools and techniques that will examine an IT system for weaknesses, resulting in a report highlighting all of the security issues and vulnerabilities identified on specific assets.

To identify the vulnerabilities present a pen test often includes offensive testing techniques against a pre-defined scope of assets; including but not limited to web applications, externally facing networks and hosts, internal networks, network devices, cloud infrastructure, mobile applications and APIs.

CREST approved

Given the commoditized nature of pen testing, it is imperative for organizations to employ an accredited and globally recognized partner of choice. CREST-approved providers of pen testing have skilled ethical hackers whom are trained to replicate the mind of a malicious attacker and use an exhaustive set of tools to perform and imitate this mind-set. CREST approved members also offer a wide range of pen testing services covering all aspects of organizational security, such as infrastructure, web applications, social engineering and, of course, mobile. They use a risk-based approach to assess systems from an attacker's point of view, as well as against industry best practices.

The goals and outcomes of a pen test:

  • Determine feasibility of a particular set of attack vectors
  • Identify any vulnerabilities which are present, including any that are high-risk which result from a combination of lower-risk vulnerabilities exploited in sequence
  • Identify weaknesses that may be difficult to detect with automated vulnerability scanning software
  • Assess the potential impacts of a successful attack on an organization
  • Justify increased investment in security personnel and technology

Pen testing forms a large element of cybersecurity efforts in organizations due to the value that the results provide. It gives the organization a stable and measureable output relating to the security posture at a specific point in time. Pen tests are an important part of a full security audit for example, the Payment Card Industry Data Security Standard (PCI DSS) requires pen testing on a regular basis and after any system changes.

In saying that, traditional pen testing has its limitations. Continual improvement is the key to staying on top of new threats. A pen test report only reveals the state of your vulnerabilities at a particular moment in time in an environment that is constantly changing. A regular testing programme to keep up to date with new malicious vulnerabilities and compliance requirements is advised.

Objective-oriented pen testing and red teaming are other types of assessments that can further enhance the security posture of your organization.

> Read our whitepaper for more information on enhancing your penetration testing regime.