Benefits of Penetration Testing

The means to identify potential vulnerabilities in your systems, and to stop threats before they can be carried out, is vital.

Each day, fresh malware strains and cyber-threat vectors are being authored, developed, and distributed in the wild. Fledgling hackers and “hacktivist” groups are learning the ropes. No matter how many security protocols and policies you have in place, and even regardless of the strength of your anti-virus, anti-malware, and other security software, there exists the possibility that someone, somewhere has the key to penetrating your defences.

Stolen or corrupted data, the siphoning of funds, the theft of credentials or user identities, infiltration of networks, espionage, sabotage, and mayhem could result – unless you have the means to identify potential vulnerabilities in your systems, and to stop threats before they can be carried out. That’s where penetration testing comes into the picture.

What is Penetration Testing?

Penetration testing (also referred to as pen-testing) is a form of in-house or paid “ethical hacking”.

With permission from the host organization, members of its own IT staff or specialists from a trusted third party are given the mandate to use any means necessary to gain access to protected systems and networks, to exploit any vulnerabilities found in software and hardware, or to perform any other activity usually engaged in by malicious intruders, insider threat actors, and cyber-criminals.

Hiring a consultant isn’t cheap; most specialists bill by the hour, with rates dependent on their level of experience and expertise. But you can expect to pay a minimum of about $2,000 for the exercise. For this reason, many enterprises choose to do their testing in-house, employing the talents of their existing IT personnel.

There are also software products that conduct automated pen testing – the likes of Canvas, Metasploit, and Core IMPACT. But these programs may lack the human elements of adaptation and spontaneity needed to truly simulate the actions of hackers in the wild.

Penetration Testing – A Multi-Part Process

A penetration testing procedure should be ordered after each significant alteration to your organization’s IT infrastructure, and at least once a year. The testing should consist of several elements, including:

Real-world and Online Reconnaissance: The testers search the trade literature, media, contacts, and online resources to establish how much information may be gleaned about your organization from these avenues.

Probe for Points of Access: The testers will try to discover ways of getting into your network, such as open ports.

Attempts at Vulnerability Exploitation: Rigorous testing, using specialist software tools.

Brute Force Penetration Attempts: Sustained guessing attacks against user credentials and passwords.

Social Engineering Tricks: An assortment of phishing ploys, to get email recipients to download attachments or click on baited links.

Network Infiltration: Testers will attempt to gain login rights to a computer in your network, and take control of it.

Pivoting: Having taken over a network resource, the testers will use it as a springboard to search for value targets elsewhere.

Collection of Corroborating Evidence: The testers will extract something from your network, to prove that they successfully got in.

Reporting to Management: The testers should present a documentary record of all their activities during the test.

Recommendations and Remediation: Based on their findings, the testers will identify points of weakness, and what needs to be done to fix them.

Black and White

There are two major classes of penetration test.

Black box testing occurs when the third-party testers are not given any prior information about the nature of the target network or system. This more accurately simulates conditions in the wild, as external hackers are required to probe and pry at their real-life targets, in an effort to find access points and weaknesses.

This contrasts with white box testing, in which testers are provided with network diagrams, passwords, application source code, IP addresses, etc., in an attempt to pinpoint existing vulnerabilities in a known configuration.

A Necessary Evil

Some due diligence is needed before agreeing to a third-party test. Pen testing is described as ethical hacking, but the testers involved are typically “White Hat” hackers – who presumably honed their skills by indulging in some unethical hacking activities, before “going legit”. So it’s a good idea to ask around and check their credentials, past work and testimonials online, before choosing a contractor.

Caution aside, the penetration testing process yields multiple benefits for an enterprise.

1.    Plugging the Gaps

The issues thrown up by a penetration test will highlight the existing weaknesses in your system configurations and network infrastructure, as well as any lax practices on the part of your staff that could lead to data breaches, malicious infiltration, or worse. These can then inform the amendments you make to your security protocols, and suggest software and hardware alterations that can be made to plug these security gaps.

2.    Ensuring Continuity

Network availability, 24/7 communications, and customer or user access to the resources you provide are essential to your business operations. Any disruption to this continuity (say, a data breach, or Denial of Service attack) will have a negative impact on your operations and your bottom line. Penetration testing can throw up potential threats to all these areas, and help ensure that your business doesn’t suffer from unanticipated downtime or inaccessibility issues.

3.    Meeting Compliance

Industry and legal requirements dictate that a certain level of pen testing is compulsory. For example, the ISO 27001 standard requires all managers and system owners to conduct regular penetration tests and security reviews, using competent testers. PCI DSS also demands penetration testing for relevant systems.

4.    Maintaining Trust

Falling victim to a cyber-assault or data breach is a sure-fire way to lose the confidence and loyalty of your customers, suppliers, and partners – especially if the damage affects them, personally. But being known as an organization that regularly conducts security reviews and penetration testing can effectively reassure all stakeholders that their data, transactions, and your business are all sound.

5.    Enhancing Quality Assurance

If your organization deals in software, consumer goods, or other products dependent on a strong IT infrastructure to drive innovation and development, a secure production environment subjected to regular pen testing will enhance your standing in the market, and assure your buyers of a consistent and high standard.

6.    Rounding Out Your Defences

Penetration testing is a powerful weapon in your security arsenal; it’s an ideal training tool for network security personnel, and their automated security systems and software. But it shouldn’t be relied on in isolation. Instead, pen testing should be employed as part of a suite of measures including updates and security patches for operating systems, Web browsers, and office software, user education, security software provision, threat intelligence, and the drafting of strong policies.

FinJam: http://bit.ly/2aCBe2w

 
