Pen Testing is BAU.

In Information Technology, "Change is the only constant", as Heraclitus wrote over 2000 years ago. He was probably right then, and he’d undoubtedly be right today. Change is a constant in modern IT systems, even those that have been deployed for a few years and are thought of as stable.

IT systems change over time for many reasons. Operating system and application updates are applied through the Dev-Test-Live UAT cycle. Critical security patches are applied in response to an emerging threat. IT administrators make small tweaks to servers to address immediate issues, and these changes are often not applied to all servers. So, server configuration creep happens, which can lead to security issues. To stretch a concept from the physical sciences to breaking point, you could say that entropy and the 2nd Law of Thermodynamics apply just as well to an IT system as they do to other parts of the Universe. Over time, IT systems tend towards disorder.

This has implications for the security of IT systems and the services they deliver to users. In most cases it is mandatory for a new application deployment to undergo extensive security validation before it is released for production use. A significant part of this validation is a penetration test (Pen Test) executed by an independent team of experts who probe the application infrastructure for known security vulnerabilities and then report on their findings. As we have seen, IT system configuration drifts over time, and this can introduce new vulnerabilities that were not present during the first Pen Test.
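The configuration creep described above (a tweak applied to one server but not its siblings, and a fleet slowly diverging from the state that was originally tested) is something a defender can measure between Pen Tests rather than discover during one. The following is an added example, not code from the original article or from its author: it fingerprints a set of configuration files, compares each host against a golden baseline, and flags any file whose contents differ between hosts in the fleet. The host names, file paths and file contents are constructed sample data, not a real deployment.

```python
"""Detect configuration drift against a golden baseline and across a server fleet.

Added example with constructed sample data; host names, paths and contents
are hypothetical and stand in for the output of a real config collector.
"""
import hashlib
from typing import Dict, List

MISSING = "<missing>"  # sentinel for a file present on some hosts but absent on others

# Constructed sample data: the baseline that was pen-tested at go-live,
# plus two hypothetical web servers that were built from it.
GOLDEN = {
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": "root ALL=(ALL) ALL\n",
}
WEB01 = dict(GOLDEN)  # rebuilt from the image, still matches the baseline
WEB02 = {
    # an administrator re-enabled password authentication "temporarily"
    # while debugging and never reverted it: classic configuration creep
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication yes\n",
    "/etc/sudoers": "root ALL=(ALL) ALL\n",
}
FLEET = {"web-01": WEB01, "web-02": WEB02}


def fingerprint(files: Dict[str, str]) -> Dict[str, str]:
    """Map each config path to the SHA-256 of its contents."""
    return {path: hashlib.sha256(body.encode()).hexdigest() for path, body in files.items()}


def diff_against_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare one host's fingerprints with the golden baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }


def fleet_inconsistencies(fleet: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, List[str]]]:
    """For each path, group hosts by content hash; keep paths where hosts disagree.

    A host that lacks the file altogether is grouped under MISSING so that a
    file deployed to only part of the fleet is reported too.
    """
    all_paths = set()
    for fp in fleet.values():
        all_paths |= fp.keys()
    report: Dict[str, Dict[str, List[str]]] = {}
    for path in sorted(all_paths):
        groups: Dict[str, List[str]] = {}
        for host, fp in sorted(fleet.items()):
            groups.setdefault(fp.get(path, MISSING), []).append(host)
        if len(groups) > 1:
            report[path] = groups
    return report


def drift_report(baseline_files: Dict[str, str], fleet_files: Dict[str, Dict[str, str]]) -> dict:
    """Per-host drift from the baseline plus cross-fleet inconsistencies."""
    baseline_fp = fingerprint(baseline_files)
    fleet_fp = {host: fingerprint(files) for host, files in fleet_files.items()}
    return {
        "per_host": {host: diff_against_baseline(baseline_fp, fp) for host, fp in fleet_fp.items()},
        "fleet": fleet_inconsistencies(fleet_fp),
    }


if __name__ == "__main__":
    import json

    print(json.dumps(drift_report(GOLDEN, FLEET), indent=2))
```

Run on the sample data, the report shows web-01 clean, web-02 with `/etc/ssh/sshd_config` changed, and that same path listed under fleet inconsistencies with the two hosts in different hash groups. In practice the file contents would come from a configuration collector rather than literals, and the baseline hashes would be stored alongside the Pen Test report so that the next test can be scoped to what actually moved.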

Essential Maintenance

Many organisations see pen testing as a box-ticking exercise: something on the application project plan to be signed off before go-live. However, it is so much more than this.

Pen testing is comparable to the maintenance you perform on a car when you first take delivery of it, and then periodically over the years that it is in use. The initial setup and check of the vehicle is like the first Pen Test performed on an IT system. Both involve experts ensuring that everything is configured correctly and is safe. Only when they are satisfied that it is safe do they release it for production use — driving in one case, delivering IT services in the other.

In the case of a car, hopefully, it is regularly brought back to the experts in the dealership to be checked over and to have any issues that have appeared since the previous check fixed. IT systems require the same care because of the configuration creep outlined above. There is a strong case for having regular external pen tests of IT systems over time to ensure that security is maintained. This is especially important given new legislation like GDPR and NIS introduced in the EU, and increasingly worldwide.

Everyone understands that the proper maintenance and upkeep of a car is essential to ensure it delivers its core function when needed and that it is safe to operate. The same is true for IT systems.

Modern Pen Testing

Pen testing today goes well beyond what it traditionally did. It includes the network infrastructure components of a system, like firewalls, routers, load balancers, DNS servers and other core networking functionality. As applications have become more complex over time, so has the attack surface they present. Not all the weak points are technical either: the human factor is a big part, through phishing and social engineering attacks. Advanced pen testing covers these headline areas:

Network infrastructure - the core networking components such as routers and firewalls. This is what most people think of when they think about a Pen Test.

Application servers - database, email, file, authentication and other servers that are providing application services.

Web application servers - a significant volume of business applications are delivered as web apps today. Web apps use many technologies like .NET, ActiveX, Java, third-party code libraries and APIs (in many languages like JavaScript, Python, Ruby, Go and more). All of these present a tempting target for attackers, and it's essential that Pen Tests cover them.

Mobile Apps - mobile apps on Apple iOS and Google Android are now ubiquitous in business. They come both as native apps built using dedicated development tools and as simple wrapper apps around web sites and web apps. Both need testing for vulnerabilities, as they are access points into business networks.

Internet of Things (IoT) - the fabric of the world is rapidly becoming smart via embedded IoT sensors and devices. Many of these IoT devices have poor security, and even those with proper security provision are often poorly configured. This proliferation of IoT infrastructure presents a huge attack surface. Who thinks about the security implications when a set of vibration sensors is added to your building's lifts to check for potential failures? Everyone should.

Human factors - people are the weakest link in a security chain. Malicious actors know this and target them via malware, phishing attacks and, in some cases, physical access to their work areas to look for passwords written on notes. Advanced pen testing has to include the human factor in security.

Part of an Overall Security Strategy

Pen Testing is much more comprehensive than the external network infrastructure tests that used to be the whole of the process. It also needs to be part of a broader security process.

Sourabh Dixit

Chief Commercial Officer I Cyber Security and Quality Engineering Leader I Global Go-To-Market Executive

5 years

Well written! Thanks
