It is not unusual these days, that in response to changing compliance requirements or customer expectations, your company finds itself called upon to conduct a “Penetration Test”. “Sounds painful”, you say, “and what the heck does that mean, anyway ?”
In this article we demystify the term “Penetration Test” and explain why you should not only be willing to conduct the exercise, but should actually be excited about it. We will compare and contrast “Penetration Testing” with “Network Vulnerability Assessments” and provide some guidelines about when it is appropriate to perform one versus the other. We will finish with some recommendations regarding how to engage a firm to perform the work.
Its All About Vulnerabilities
Presumably, the reason that you are pressed upon to conduct a Penetration Test is to assess your cybersecurity posture and reassure (or not) your stakeholders that their interests are not being placed at increased risk by conducting business with your firm. It can be further assumed that increased insight into any detected security vulnerabilities in your network and servers will motivate you to eliminate them.
Both Penetration Testing and Network Vulnerability Assessments are about finding and reporting vulnerabilities: security weaknesses that you will likely want to eliminate to reduce the risk of a breach. We will distinguish the two later, but let’s add a little more background first.
Internal and External Scope
Your firm’s IT resources can be divided into to two groups: devices that are behind a firewall and not directly accessible to the outside world, and those that can be accessed through the internet. We refer to the first group as “internal” devices and the latter as “external” devices. It can be said that external devices are “public” facing, since anyone on the internet can interact with those devices.
The distinction is important because there is obviously more risk associated with your external devices, which are constantly scanned and probed by malicious robots seeking to discover exploit vulnerable targets of opportunity. This why the testing of external devices is often given a higher priority than the testing of internal devices. Internal devices must also be tested, however, to find and address those that contain old software and/or malware.
What Is A Network Vulnerability Assessment ?
The purpose of a Network Vulnerability Assessment is to discover and document any security weaknesses in the devices scanned. There are many tools available for this purpose, some of which are free, and they will detect and report vulnerabilities in target host’s operating systems and services. Reported vulnerabilities are rated according to severity and are often, depending on the tool, accompanied by recommendations for remediation.
A vulnerability scan of external devices reports on what is exposed to the public such as the version of the operating system and publicly accessible services, whereas a scan of internal devices will often also utilize login credentials to provide a detailed view of the software installed on the target machines.
Note that Network Vulnerability Assessments are essentially reports derived from the automated scans of targets, and the resulting output can be enormous, technical, and complex. Since the insights produced by a Network Vulnerability Assessment are useless unless they are actionable and prioritized, it is therefore very important to utilize an assessor who can distill the output into a understandable form and communicate results and priorities clearly.
The risk that a Network Vulnerability Assessment will negatively impact ongoing operations can be controlled. Most tools will allow you to control the “aggressiveness” of the scan, which will produce more or less insight as a tradeoff for the risk of negative impact on the target. Generally speaking, by default, scanning is unobtrusive and the default settings of most tools balance safety and useful reporting.
What Is A Penetration Test ?
A Penetration Test is a more comprehensive cybersecurity assessment process that may include a Network Vulnerability Assessment. The purpose of a Penetration Test is to find and exploit security vulnerabilities. The scope of the test is thus very important and must be governed by mutual expectations regarding:
- Target Discovery: How much information will be provided to the tester in advance of the test ? In blind (a.k.a. Blackbox) Penetration Tests, the tester must discover targets on their own. Less information provided up-front can produce a more realistic but more expensive test.
- Reconnaissance: How much time should be spent researching the public information footprint of the target.
- Social Engineering (SE): Whether the test should include SE threat vectors such as such as Phishing, scam phone calls, and weaponized removable media drops.
- Physical Security: Whether the test should include attempts to breach physical security.
- Penetration Scope: If a device can be breached, should the tester use it in attempts to breach other internal devices ? In other words, what is “in-scope” within the internal network for additional penetration testing ? Should the tester attempt to exfiltrate data ?
- Overt or Covert: Will the target firm’s staff be aware that testing is underway during the test ?
It Is Not Without Risk
There is inherent risk in penetration testing because it is conducted against production systems and ongoing operations, and is more intrusive than Network Vulnerability Assessments. It is therefore critical that the tester have signed documents granting permission for the specific tests being performed and have a list of client contacts handy to communicate with should something unexpected occur.
Ideally, the tester will endeavor to preserve or restore any and all impacted environments to a pre-test state.
The Rewards of Penetration Testing
Penetration Testing can yield invaluable insight into the true security posture of your network and operations. It has the ability to produce a prioritized list of remedial activities to strengthen your security. It may also yield collateral benefits such as determining whether your IT staff can detect a breach, and how effectively they respond. Depending on the scope, it may illuminate operational vulnerabilities such as a lack of employee awareness or weaknesses in physical security.
The bottom line is that there is no better way to prevent attackers from finding ways to breach your security than for you to discover those ways yourself first and eliminate them.
When To Penetration Test
Because a Penetration Test involves the exploitation of discovered vulnerabilities, Penetration Testing should be conducted only after all efforts have been made to secure the physical facilities, network infrastructure, organizational awareness, and operational processes.
In other words, Pentesting should be the most intense and rigorous cybersecurity testing applied to the organization, and makes it appropriate only at a certain level of maturity. That maturity comes through formal Risk Assessment studies, previous rounds of Network Vulnerability Assessments, the successful remediation of findings, employee security awareness, anti-phishing campaigns, and the adoption and governance of appropriate Information Security Policies.
Premature Penetration Testing will only tell you what you already know– that you have vulnerabilities and could be breached. It does not tell you all the other things you should be doing to reduce your risk of breach.
Finding a Suitable Penetration Testing Firm
We suggest you read our article entitled “On Hiring a Hacker” to learn more about the decision process and guidelines for selecting a suitable vendor to perform your Penetration Testing. It also discusses training your own staff for this role.
About Affinity IT Security
We hope you found this article to be useful. Affinity IT Security wants to help you strengthen your security testing, and train your developers and testers. In fact, we train developers and IT staff how to hack applications and networks.
Contact us to learn how we can help protect your enterprise with a long term risk-based cybersecurity plan.