What is Penetration Testing and Why Is this Important?
Penetration testing is only one aspect of a vulnerability management plan, but it is a proactive approach that brings tremendous value.
Given the fact that the internet has levelled the playing field for many small businesses to operate and compete globally, it makes sense for organisations that venture online to understand more fully what it means to take that business online. It is not only organisations who conduct e-commerce transactions that may be susceptible – even those who are heavily reliant on having an internet presence may suffer should their online brand be affected.
As we have seen in the news, attacks occur against all kinds of businesses. The question to ask yourself is whether you believe that the product or service you provide could be of value to attackers, thus leaving you vulnerable.
There are a variety of security measures that can be taken. Penetration testing is one such measure.
So, what is penetration testing?
Penetration testing (pen-testing or pentesting) is a method of testing, measuring and enhancing established security measures on information systems and support areas. It is also known as a security assessment.
We reached out to Daniel Cuthbert, who has been a penetration tester since the mid-90s, to get some insight into what pentesting involves.
“The term ‘penetration testing’ has become muddled of late. For me, a true penetration test is one whereby the tester is emulating an attacker attacking an organisation or targeting a human being. There are no restrictions placed upon said approach, as this wouldn’t be the case in the real world. This type of testing allows an organisation to see how they’d handle such an attack and how their policies and procedures would stand up. For example, are they able to detect a breach and if so, have staff been suitably trained and aware of the next steps to take?” Daniel commented.
Briefly, a good penetration test looks at every possible flaw that could be used to gain access to data or systems or that could be used as a foothold for further attacks.
What is involved in a good pentesting exercise?
Pentesting is merely one aspect of what organisations could do as part of a vulnerability management plan. In forming such a plan, the critical items that need to be assessed are:
1. The process for determining what sensitive data or systems exist within the company
This helps to determine the level of testing to be undertaken and the type of security required. Daniel recommends a threat modelling exercise be completed so as to think about security objectives, surveying the landscape, identifying threats and then finally, identifying vulnerabilities.
2. A structured testing plan
Once you’ve determined what you have to deal with across your overall network and other sensitive applications or services, you can use this information to draw up a structured testing plan. The aim is to ensure that systems are secure and do not pose any risk to the organisation. The plan could include quarterly vulnerability scans and manual penetration tests.
“Often, large organisations have a team within the IT security department whose sole job is to manage and schedule security assessments. They sit with the task of determining what should be tested, how frequently (depending on regulations, legal requirements or internal policy decisions) and who should be performing the assessment. It’s common to have an internal security assessment team for all internal assessments and a list of trusted and vetted suppliers who perform external assessments”, Daniel added.
As more business systems are being migrated to the cloud, Daniel stresses that being aware of the vulnerabilities reported and understanding how this might affect business is critical.
Should every organisation include vulnerability management as part of the security plan?
Ideally, any organisation that has a large attack surface area (be it traditional networks or those in the cloud) should have a fully-functional vulnerability management programme. This programme would address the identification, classification, remediation and mitigation of vulnerabilities discovered during the automated and manual assessment phases.
It need not cost a fortune
A vulnerability assessment need not cost a lot. However, you do need to be aware of what you have and how it should be protected. “This is part and parcel of a standard business approach when performing business on the Internet”, Daniel stressed.
What can cause some ambiguity, though, is the regularity of pentesting. According to Daniel, this should ideally be conducted quarterly or monthly, and there should be an automated vulnerability assessment process put in place. Organisations would use this to keep abreast of reported vulnerabilities as well as ensure that current systems and networks are being tested.
However, in the case of any manual assessment, this should be conducted whenever significant change is made to a network or application. This ensures that no vulnerabilities are introduced, which would typically pose a risk to the organisation.
The kind of data you are trying to retrieve when conducting pentesting is, to a large extent, dependent on the type of business you run. Overall, however, you are trying to see how and where your system may be exploited and what sort of data may be considered lucrative to an interested outsider looking in.
At SensePost (where Daniel works), they typically mimic the approach attackers take when exploiting systems.
“Often with today’s attackers, the goal is access to data or content, which could then be sold. In some instances, this means turning into a sleeper, whereby someone sits on the network for months on end, patiently waiting for information to appear. Our goal is to perform an assessment that allows our clients to fully see the impact of a controlled attack and also to understand how they withstand such an attack, such as detecting it or being able to act in accordance with their own IT security policies,” Daniel explained.
Vulnerability management is part of a comprehensive security plan. While penetration testing is a proactive process, there are also a number of defensive procedures that organisations can employ to better protect themselves.
Key to this approach is understanding your environment. As Daniel asserts, you need to know what you have and also understand potential attack vectors. Understanding both elements allows those in control of your network and your IT to make better-informed decisions about the kinds of defensive measures to put in place.
As an example, if your business has recently made a decision to allow staff to bring, and use, their own devices on the network, there should be an understanding that this would allow potentially compromised devices on your network. This would require architecture and policy changes to stop them from infecting the business.
It’s hard to escape the fact that how we do business as well as how we work in today’s world involves a great amount of technology, some of which we understand and some we don’t. This reliance on technology impacts our choices in terms of how we run our business, how our business is marketed and presented to the world, how we work collaboratively and how we are perceived.
It stands to reason that if we invest the time and resources in our business, product development, marketing and people, then we should devote resources to data management and systems security as well. The price to be paid for ignoring this issue simply because no loss has been suffered as yet could be catastrophic.
The reality is this: too many only begin down this road after they have been hurt – once the hackers have gotten into their site and/or made off with valuable data. Pentesting helps you to take charge of your security assessment and brings you closer to finding out potential areas of vulnerability. For this reason, pentesting should be in your arsenal today.
The question you have to ask yourself, if you still doubt its value, is: what do I have to lose if I don’t?
If you’re interested in finding out more about penetration testing, the articles below should provide some relevant insight:
- How often should you conduct penetration testing? by Violet Blue
- What Is A Penetration Test And Why Would I Need One For My Company? by Eric Basu
- The Five W’s of Penetration Testing by Chuck Willis
- Security Penetration Testing – Should You Do It? by R Craig Peterson
Daniel Cuthbert is the Chief Operating Officer at SensePost and has been a penetration tester since the mid-90s. He has an obsession with tracking down Internet Jihadis, is the original author of the OWASP Testing Guide and holds two master’s degrees. He suggests you check out the Risky Business netcasts.