WHAT IS PENETRATION TESTING?
Putting it in basic terms, penetration testing (often referred to as pen testing) involves a simulated real-world attack on a network or application. During the test, vulnerabilities are identified within your organizations infrastructure and recommendations are made on how best to fix those weaknesses. There are a wide range of in-depth pen tests that can look at your internal and external network, mobile apps, IOT tests and cloud service testing, to name but a few..
It is frequently possible for a pen tester to gain remote access to operating systems, application logic and database records. Through active exploitation of direct and interconnected systems, LRQA Nettitude can provide strategic guidance on risk and tailored advice on counter measures
LRQA Nettitude pen testers often surprise clients by showing how easy it is to gain remote access to operating systems, applications and database records. This is changing the attitudes of organizations and they are starting to take a more serious approach to cyber security and protecting their data. The introduction of GDPR in 2018 has also meant strict penalties for those who suffer a breach, and fail to report it to the authorities.
Internal Penetration Test
An internal penetration test looks at the possibility of gaining access to sensitive information from within the organisation’s systems and firewalls. This can be done in various forms, such as attaining employee credentials through social engineering tests (phishing emails), or even ransomware.
External Penetration Test
This involves scrutinizing the organization’s infrastructure from outside its firewalls (what’s in the public domain) and attack from there. This method best imitates the role of an external attacker that would typically gain access through your company website, email addresses or DNS.
Why is it important for your business to have a penetration test?
The cyber landscape has evolved significantly and both businesses and individuals now consume live data around the clock. Whether it’s through 4G on-the-go or Wi-Fi networks, they interact with rich content through mobile apps, social media and general internet browsing throughout the day. These boundaries between work and personal personas are becoming increasingly blurred and, at the same time, the organization infrastructure has sprawled outside of the physical constraints of the office. Data now resides in the cloud, in apps and in the third-party supply chain.
These combined forces have intensified the need for businesses to carry out penetration testing, and making themselves aware of the potential holes in their security processes and how a cybercriminal would best gain access. Gone are the days where you could install a firewall application and just sit back hoping it will protect your data and financial assets. Now you need to test these applications, find the gaps and patch them up. Cyber-attacks are continually becoming more sophisticated and criminals are finding new ways to access your files.
Benefits of Pen Testing
Manage risk– Getting an external or internal penetration rest conducted on a regular basis allows you, as an organization to manage your risks. A penetration test identifies vulnerabilities in your environment and allows you to remediate them. Penetration tests are a very proactive approach to cyber security. Rather than just sitting back and hoping for the best, a penetration test allows you to protect yourself against the risk before it happens.
Protects clients, partners and third parties– Think about all the stakeholders within your organization, it could be your clients and their personal data, your business partners or even third parties. Penetration testing allows you to not only minimise the risk to your own business, but also to those who have some sort of involvement. Another great benefit of penetration testing is that it shows your clients that you take cyber security seriously, and it builds trust and a good reputation, that you’re doing everything you can to mitigate the risks of a cyber breach.
Allows you to understand the environment– Penetration testing has huge benefits when it comes to having a better understanding of the cyber security environment. A penetration test allows you to understand what is going on in the environment around you, and it helps you to understand the types of cyber-attacks that your organization may face. If your organization can understand the types of risks, and the fact that it’s not if it will happen, but when, then you will be much more successful in protecting yourself.
Identifies weaknesses you didn’t know where there– Penetration testing looks for the backdoors into your network. A cyber-attack won’t always be obvious to you, it looks for weaknesses and ways in that you won’t be able to spot. Penetration testing identifies these hidden weaknesses so you can patch them up.
When should a company conduct penetration testing?
There are many factors to consider for when to carry out pen testing for your business, especially when it comes to deciding how often they should be done. There are several factors that need to be considered when booking your next penetration test:
Changes in the environment– Cyber security is an ever-evolving world. It’s constantly changing and adapting, and cyber criminals are finding new ways to enter your networks and data each and every day. This is why you should consider booking a penetration test whenever there has been a major change in the environment. This could be after your organization has suffered a breach, or if a new threat actor threatens your business with an attack.
Organization structure changes– Over time your organization will grow and change, and with that comes new people, processes and technology. Here at LRQA Nettitude we believe you should be testing your business on a regular basis to make sure the latest technology is up to scratch, and that your employees have been educated to the highest standards to avoid a cyber security breach through social engineering approaches..
Compliance requirements –Sometimes you need a penetration test as part of a requirement. For example to become PCI DSS accredited, as part of requirement 11, you must make sure that “system components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment”. This requirement states that a penetration test should be carried out on an annual basis, however, as stated above we’d also recommend organizing a test to be carried out if any major changes have taken place.
The different types of penetration testing
Intelligence Led Red Teaming
A real-world simulated attack that looks for the less obvious entry points into your systems. We often describe it like a house, where a burglar may think of less obvious ways to enter your house (like the front door), and instead opts for an open window. Red teaming looks for the back doors within your business and carries out simulated scenarios to test whether your business can detect and defend against them. It includes physical security testing, social engineering, 3rd party relationships, hacking, malware insertion, pivoting and human manipulation. Read more >
Blue Teaming
Whilst Blue Teaming isn’t a type of penetration test it’s important to understand its role within Purple Teaming. The blue team are the defenders against the red teams attack. Blue teams need access to log data, SIEM data, threat intelligence data and to network traffic capture data. The blue team needs to be able to analyse vast swathes of data and intelligence to detect the proverbial needle in the haystack. Take a look at our section on purple teaming to find out why you should conduct a blend and red and blue teaming exercises.
Purple Teaming
This is a blend of our red and blue teaming tests. The red team goes on the offensive and looks for all the gaps and entries into your infrastructure and system. Whereas the blue team will spend the time during the test defending against the red team attacks. The blue team needs to be able to defend against all of the red team attacks, at all times. Through the sharing of intelligence data across the purple teaming process, it is possible to understand threat actors’ TTPs. By mimicking these TTPs through a series of red team scenarios, the blue team has the ability to configure, tune and improve its detection and response capabilities. Read more >
Mobile testing
Mobile applications have become an integral part of everyday technology. It’s really easy to develop an app for your business, however it does mean that the attack surface greatly increases and it could put your business at risk. During mobile app testing we look at the design, data handling, network communication and authentication. Read more >
Cloud Penetration Testing
As technology progresses we are moving more towards storing everything in the cloud. And as convenient as that seems, the ever increasing reliance upon a cloud system means the risks and implications are far greater. Cloud penetration testing assesses the security your cloud services in all environments – whether it’s Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS). Read more >
Intelligence Led Testing (Star)
STAR testing, or Simulated Target Attack Response testing, is part of the accreditation with CREST. LRQA Nettitude is a CREST STAR approved Threat Intelligence provider. What can you expect from these services? Well this assessment looks at an organisation’s digital footprint, and how that could impact on its cyber security strategy. STAR testing is broken down into three components; A STAR threat assessment, A STAR targeted attacked assessment and an incident response maturity assessment. STAR assessments are similar to red team engagements as they are focused on depth of assessment, and determining whether a specific objective can be achieved. They leverage the concepts of red teaming, however STAR assessments are designed to simulate known threat actors and their associated Techniques, Tactics and Procedures, (TTPs). Read more >
IOT Testing
Think about how many connected devices there are within your organization. All of these are at a significant risk of cyber-attacks. The number of connected devices has rocketed over the past few years and with this there is an increased need for these devices to be tested and protected. LRQA Nettitude works with creators of smart devices to provide assurance around the security posture of their devices. IOT penetration tests provide a valuable way to assess the security levels associated with a given connected device. Read more >
Managed Vulnerability Scanning
If you’re looking to get ahead of the latest threat actors within your environment then must be able to identify your vulnerabilities before they are spotted and exploited by someone else. Managed Vulnerability Scanning allows you to see where your vulnerabilities lie, and a comprehensive report will give you the advice and tools you need to remediate these problems. Read more >
Social Engineering
Rather than looking just at the technology that’s in place, social engineering identifies the need for the testing of human error. Clicking on links or documents within phishing emails or even visiting unsecure websites, all providing a backdoor into the corporate environment for an attacker to exploit. Social Engineering tests are designed to help assist organisations increase their security posture and reduce the risk of insider threat attacks. Read more >
Firewall Security Testing
If you have a firewall installed to help protect your business from a cyber-attack it’s important to have it tested to make sure it’s up to scratch. Instead of purely focusing on devices that are published through the firewall, the assessment focuses on the actual firewall itself. If the device is delivering IPSEC or SSLVPN services, these resources are assessed. Similarly, TCP and UDP packets are sent to the firewall and devices behind the firewall with non-standard flags being set. Through the responses that are elicited from these requests, LRQA Nettitude is able to enumerate the rules and policies that exist within the firewalling logic. Read more >
Web Application Testing
Web Apps are becoming increasingly more popular, but this also means that they are particularly vulnerable to attack. A web app handles sensitive data, so it’s important to make sure they don’t become a risk to a business. There are several stages to consider with Web App testing, including enumeration, vulnerability discovery and exploitation, all of which are important in identifying whether there are any risks to your networks. LRQA Nettitude’s team of web application testers have the highest qualifications in the industry. This means when it comes to the reporting stage of your web app test they can give relevant, qualified advice that will help your organization to become safer. Read more >