As businesses continue to adapt and expand in a changing economic outlook, the need for securing your organisation against cyber attack has become more crucial than ever. Penetration testing reports show that 93% of network perimeters can be infiltrated, making finding and fixing vulnerabilities in your IT systems a core business priority.
Penetration testing is a fundamental component of your risk management programme because it helps you test your existing security defences, take control of your IT systems and infrastructure, and stay ahead of the hackers.
In this blog, we answer common questions about penetration testing, including explanations of popular test types and methodologies. We also highlight the importance of testing on cycles that work for your business, and why remediation efforts matter.
What is penetration testing?
Penetration testing (or pen testing) is a simulated, controlled cyber-attack carried out by experienced security professionals and is designed to discover and exploit vulnerabilities in your network and IT systems. The results from a pen test show vulnerabilities across your IT infrastructure, applications and employees, and provide remediation advice on how to reduce the risk of weaknesses being exploited in the future.
Why is pen testing important?
Pen testing keeps you one step ahead of threat actors. You could think of it as a practice run: an invaluable opportunity to find and fix your vulnerabilities before a hacker attempts to exploit them. Where failures do exist, it’s not about blaming developers or the IT team, but instead learning from the exercise so you know how and where to strengthen your defences moving forward.
Don’t forget to remediate!
Our research has shown that even after a penetration test, a quarter of critical or high-risk vulnerabilities remain unfixed. This indicates that organisations are not acting upon the discovery of weaknesses found in their systems, leaving them exposed to cyber attacks and data breaches. A good penetration test should include a report with prioritised remediation advice, so you can see at a glance what is most important to fix first.
Why get a penetration test?
Penetration tests will uncover vulnerabilities that businesses didn’t know existed and help fix them before they can be exploited. They also provide up-to-date assessments of your security posture, which are important for meeting compliance standards such as PCI DSS and ISO 27001. With the GDPR also putting greater pressure on companies to protect stored and processed data, penetration tests help businesses to demonstrate that they take data protection seriously, and that they can be trusted with customer data.
Penetration tests often highlight a lack of training in critical areas of IT and development, such as poor knowledge of hardening, secure configuration and development best practices. This can be particularly useful knowledge, as it will help bake in security at the most foundational parts of your infrastructure.
How often do you need a pen test?
With constant technological advancements and changes to the threat landscape, the results of your pen test are never permanently valid. As most organisations cannot resource ongoing penetration testing from security professionals, pen tests are usually performed annually. Exceptions are:
- Enterprises with a large digital footprint requiring more frequent testing as they are considered high-value targets for cyber criminals.
- Certain industries that are governed by regulations requiring them to regularly carry out specific checks to remain compliant.
- Whenever you upgrade your IT systems, add new network applications, open a new office, or build a secure infrastructure for compliance purposes (such as ISMS implementations).
What are the different types of pen test?
There are several different types of penetration testing, with varying objectives, depth and duration. The type of pen tests your business needs will depend on your business requirements. Here are some examples of the most widely used types of penetration test:
Cloud penetration testing
Cloud services provide essential services to businesses and are used every day. This makes penetration testing cloud technology vital for securing the infrastructure, applications and data that your business relies on. Cloud pen testing is designed to expose insecure functionality and misconfigurations in the cloud, with common vulnerabilities including misconfigured Identity and Access Management (IAM), lack of multi-factor authentication, and insecure APIs.
Mobile app testing
Mobile apps are a key part of many businesses’ service delivery, yet once released, old versions can persist on end-user devices for years. This makes regular mobile app pen testing an essential requirement for app vendors. For maximum effect, mobile app pen testing should be integrated into the software development lifecycle, resulting in a safer experience for the end user.
Network penetration testing
Network penetration testing, also called infrastructure pen testing, aims to exploit security flaws in traditional, non-cloud IT infrastructures. All kinds of security weaknesses are searched for, including insecure functionality in your networks and logic, missing patches, misconfigurations and more.
Web application testing
Web applications are the backbone of the modern web experience. With so much functionality and so many programming languages, security flaws can be introduced to apps at the earliest stages in their development. Web app pen tests scour the features and functions in apps as well as testing for technical flaws, such as SQL injections.
Red team testing
Whereas pen tests aim to enumerate your security flaws, a red team exercise simulates a real-world, determined adversary. Red team engagements typically include phishing and physical intrusion attempts in addition to traditional penetration testing techniques and have a more specific objective. Red team tests are mature exercises that test every element of a business’ operational, technical and procedural security.
Social engineering testing
Social engineering engagements test your non-technical, human security defences. The most common form of social engineering attack is email phishing, where hackers attempt to trick your users into granting permissions, giving credentials, visiting malicious links or downloading attachments.
By conducting social engineering testing, you can understand where your non-technical security weaknesses lie and how to improve them – for example, educating your staff on how to detect and prevent common social engineering attacks. Other common social engineering prevention methods include regular security training, using multi-factor authentication, and integrating security into everyday behaviour at work.
Wireless penetration testing
Wireless pen testing is designed to uncover vulnerabilities, exploit network security flaws, and expose insecure functionality in your wireless systems. During a wireless penetration test, a pen tester will look to exploit systems, devices, and networks to uncover vulnerabilities from a variety of access points.
What is black, white and grey box testing?
Black, white and grey box testing refers to the different levels of access and prior information granted to the penetration tester before they start the test, and as such they provide different levels of detail depending on which type of box test is being used. The outcomes of a penetration test can depend on how much information is shared between an organisation and the pen test team.
Black box penetration test
In a black box testing scenario, penetration testers have no prior knowledge of IT systems or any login credentials, so the testing environment simulates that of a real-world cyber attack. Black box testing highlights how hackers could target your organisation without user access privileges. However, as no information is disclosed before the start of the test, various components may remain untested.
White box penetration test
A white box test provides full visibility and access for the pen testers conducting the test and allows for rigorous internal testing at all access levels. It can also provide a greater level of accuracy as testers know exactly what is in the environment that requires testing.
Grey box penetration test
Grey box penetration testing uses a hybrid approach between white box and black box testing methods. This is the most common form of pen test as it strikes a balance between time, cost and objectives. Typically, in this scenario pen testers have some knowledge about the target, allowing them to simulate an attack from the perspective of a hacker who has already breached your organisation’s network perimeter.
Penetration testing methodology
Best practices are an important part of any security assessment, so a good pen test will follow standard methodology:
- Scope definition & pre-engagement interactions
To gather your requirements and set appropriate goals to develop a tailored testing strategy
- Intelligence gathering & threat modelling
To gather as much security information as possible to inform the assessment
- Vulnerability analysis
To discover flaws in networks, systems and applications and what is making them vulnerable to attack
- Exploitation
To attempt to infiltrate your organisation
- Post-exploitation
To determine the value of the compromised targets
- Reporting
To document the process and compile a comprehensive report, with recommendations on remediation steps to follow
By following this methodology, your business will gain maximum value from penetration testing and ensure the services you receive are repeatable and measurable.
- Pen tests can help protect your business by reducing the risk of a data breach while maintaining the confidence of existing and prospective customers, suppliers and partners that your business is secure.
- There are various types and approaches to penetration testing to assess your systems and network to see where your business is most susceptible to a cyber attack.
- Penetration tests should be performed regularly to keep on top of new security flaws.
- Consider out-of-band pen testing if your apps or infrastructure undergo significant changes or development.
- Penetration tests will help align your business with security standards such as PCI DSS and ISO 27001, among other compliance regulations.