Growing Cybersecurity Concerns Warrant Penetration Testing Consideration
The state of cybersecurity in recent years is highly volatile — perhaps more so than usual with the presence of a global pandemic. COVID-19 created unprecedented challenges that plague businesses across varying sectors and industries. Nowadays, many of these challenges remain a source of frustration, particularly in the dispersed workforce. According to a global research study conducted by Splunk and the Enterprise Strategy Group, organizations are still supporting double the number of remote workers compared to pre-pandemic norms, and no return to pre-pandemic levels is in sight. Furthermore, McKinsey’s report highlights that remote work will likely continue after the pandemic as 20 to 25 percent of the workforce can work from home between three and five days a week without losing productivity.
With many organizations embracing remote and hybrid work models, working from home has become a gateway for cybercriminals to explore new forms of data theft. In fact, a study by Deloitte reveals that 25 percent of all employees have noticed an increase in fraudulent emails, spam, and phishing attempts in their corporate emails since the onset of the pandemic. Coupled with research results indicating Canadian organizations are lagging behind their global counterparts in terms of cybersecurity investment, this may present cyber risks for businesses if they have poor technology infrastructure and inadequate cyber and data security [1].
Consequently, as some degree of remote work persists into the foreseeable future, organizations will need to address operational challenges, including secure access to the corporate network, ensuring devices are securely configured, and securing access to cloud assets [1]. An optimal way to obtain visibility into which areas pose the greatest threat to your organization’s security is through penetration testing.
What is Penetration Testing?
Also commonly referred to as pen tests or ethical hacking, penetration testing is a security exercise where a cybersecurity expert intentionally tries to cyberattack your network or systems in an attempt to find vulnerabilities. Insights uncovered from the penetration test can be used to address those vulnerabilities and enhance your organization’s security policies.
For instance, this is like a financial institution hiring someone to act as a “robber” to burgle into their facility. In this analogy, the robber would be the cybersecurity expert or tester. If the robber successfully breaches the financial institution’s repository or vault, then the financial institution would obtain important information on how they can enhance or improve their security protocols.
Penetration Testing Versus Vulnerability Scan
The Payment Card Industry Data Security Standard (PCI DSS) requires both penetration tests and vulnerability scans. The two are often mistaken for the same service, but there are important differences between them [2].
A vulnerability scan is typically an automated process that identifies, ranks, and reports potential vulnerabilities that, if exploited, may result in a compromise of your organization’s security or system. Scans are usually executed through automated tools in combination with manual verification of the reported problems [2].
A penetration test simulates a cyberattack and aims to exploit vulnerabilities to circumvent and breach your organization’s security systems and features. This test is a manual process in which cybersecurity experts research your organization to look for vulnerabilities and try to demonstrate that these problems can be exploited. Penetration testing can include the use of vulnerability scans and other automated tools, resulting in a more comprehensive outcome and report [2].
For instance, a vulnerability scan is like an individual walking up to your vehicle, checking to see if the doors are unlocked, and stopping there. A penetration test goes further: the individual would not only check whether your doors are unlocked but also enter the vehicle and determine what else they can do inside it.
Reasons to Conduct a Penetration Test
Do you know what vulnerabilities exist in your current infrastructure that cybercriminals could exploit? Do you understand the latest tactics that they are leveraging? Are you proactive in patching your security systems and devices?
The reality is cybercriminals have a strong understanding of the vulnerabilities in different technology and are constantly exploring new avenues to infiltrate and exploit your systems and networks. Here are some reasons why you should consider a penetration test:
- To uncover and fix your security vulnerabilities to protect your organization from security attacks: Penetration testing can unveil insights to help your organization better secure data and prevent malware infections and disruptive cyberattacks.
- To stay compliant with various standards: Depending on the industry, your organization may need to conform to different standards. A primary example is PCI DSS, which requires penetration testing annually and after any significant change, including an infrastructure or application upgrade or modification, or the installation of new system components [2].
- To help prioritize solutions: Even for large enterprises with a robust task force dedicated to security, vulnerabilities are inevitable, and it is an ongoing challenge to patch and mitigate all issues. Leveraging frameworks commonly recognized in the industry, such as the Common Vulnerability Scoring System (CVSS), a penetration test not only captures the characteristics and impacts of IT vulnerabilities but also ranks them according to risk level [2].
- To avoid incurring financial losses: Investing in your cybersecurity can be expensive, but a cyberattack can generate losses that exceed the cost of a penetration test. IBM reveals that the average data breach cost US$4.24 million in 2021, and that remote working and digital transformation due to the pandemic increased the average total cost of a data breach by an additional US$1.07 million [3].
Who Conducts the Penetration Tests?
It is ideal to have the penetration test conducted by a professional with limited knowledge of how your technology and systems are secured, as they may be able to expose vulnerabilities in the current systems. That is why external cybersecurity experts or ethical hackers are typically used to conduct the test. However, qualified internal resources can also perform the test so long as they are organizationally independent, meaning they cannot be involved or affiliated with the installation, maintenance, or support of the target systems being tested [2].
Individuals performing the penetration test are usually experienced developers, but additional certifications held by the tester could provide further insight into the skill level and competence of the individual. Here are some common penetration testing certifications the tester could have [2]:
- Certified Ethical Hacker (CEH)
- CREST Penetration Testing Certifications
- Offensive Security Certified Professional (OSCP)
- Global Information Assurance Certification (GIAC)
- Communication Electronic Security Group (CESG) IT Health Check Service (CHECK) certification
Types of Penetration Tests
While there are various types of penetration tests — each with its own scope and purpose — here are the most common categorizations [2]:
- Black-box/Closed-box testing: A test is performed without prior knowledge of the internal structure, design, or implementation of the system or object being tested.
- Grey-box testing: A test is performed with partial or limited knowledge of the internal structure, design, or implementation of the system or object being tested.
- White-box/Open-box testing: A test is performed with knowledge of the internal structure, design, or implementation of the system or object being tested.
- Network-layer testing: A test that typically includes the external and internal testing of networks, such as LANs/VLANs, between interconnected systems, and wireless networks.
- External Penetration testing: A test performed against an organization’s systems that are connected or accessible to a public network infrastructure, including but not limited to their website and external network servers.
- Internal Penetration testing: A test performed against an organization’s network, including but not limited to their application-layer, network-layer, and critical systems — such as attempting to bypass internal access controls that are intended to prevent unauthorized access to systems from those who do not have authority.
Stages of Penetration Testing
To ensure a penetration test is successfully performed, there are different activities and processes to consider. The test process can be categorized into three primary stages — Pre-Engagement, Engagement, and Post-Engagement [2].
Pre-Engagement
Prior to the test being performed, it is recommended that all necessary parties, such as the organization and the individual performing the test, be informed of the type of test to be conducted, how it will be executed, and what system is to be targeted. The necessary parties would need to clarify the scope of work, provide detailed documentation to ensure no critical components are missed, stipulate clear rules of engagement, establish criteria to determine success, and review past threats and vulnerabilities that the organization has encountered in the past 12 months, as required by the PCI DSS. A thorough pre-engagement will minimize errors and oversights that may result in a need for a retest to be performed [2].
Engagement
This is the phase in which the penetration test takes place. Since each organization possesses unique technology and security aspects, the individual administering the penetration test would need to determine the most appropriate approach and tools needed to perform the test. A penetration test is a manual undertaking wherein the tester may utilize tools to optimize or alleviate certain repetitive tasks, but judgment is still necessary for choosing the appropriate tools and identifying possible attack vectors to exploit.
The penetration test should also be conducted from an appropriate location without restrictions on ports or services imposed by the Internet provider. If the tester is using an Internet connection provided to consumers and residences, then they may have SMTP, SNMP, SMB, and other ports restricted by the provider to lessen the effects of malware and viruses. If an internal resource of your organization is performing the test, then it should be conducted from a neutral Internet connection to avoid impact from access controls that may be present in your corporate or support environment [2].
Post-Engagement
After the test has concluded, results are typically compiled into a detailed report that can include insight into the specific vulnerabilities that were exploited, the type of data that was accessed, and the amount of time the tester was in the system undetected. Consequently, the organization can leverage these findings to remedy weaknesses in their systems and retest the identified vulnerabilities to help protect against future attacks.
To learn more about penetration testing and how Grand & Toy can support you, contact us today. Our certified Technology Sales Team will bring their years of expertise to help guide your organization's technology growth and can help you reduce the risk of cyberattacks through ethical hacking simulations.