Where Does Pen Testing Fit Into Our Security Strategy?

Penetration testing is used in many organisations as part of their wider security strategy. It is an invaluable tool in helping businesses understand where their vulnerabilities lie and how an attacker might exploit any holes in their IT environment to exfiltrate data, install malware or otherwise cause disruption. Here we will explore what penetration testing is, how and when it should be used, and what you should look for in your pen testing provider.

  

What Is Penetration Testing?

As IT and security managers, we have a number of different areas of our environment under our protection, which can be boiled down to on-premises infrastructure, cloud infrastructure and applications. On-premises infrastructure comprises elements such as hardware, operating systems and storage. Cloud covers public cloud services such as Azure and AWS. Applications cover our website, software used by our employees or customers and, of course, mobile apps.

Given that we have to look after all of these areas and defend our organisation from potential attacks, it is important that we understand where exploitable vulnerabilities exist before an attacker finds them. This is where penetration testing comes in.

A testing company will usually start a test by running an automated vulnerability scan. These come in two flavours - unauthenticated and authenticated. Unauthenticated scans inspect a target from the outside, showing what an attacker with no login credentials could see and attempt to access. In an authenticated scan, the tool is given valid credentials and assesses systems from the perspective of a logged-in user or host, so it can read patch levels, configuration and installed software directly, which gives a more complete and more accurate list of vulnerabilities for that particular environment. Neither kind of scan exploits anything: a scanner reports what looks vulnerable, and confirming which findings are real and what they lead to is the manual part of the test.

Following the automated scan, the testers use manual techniques to validate the findings and try to exploit them further. Here at Cognisys, we have blended security teams working on our client projects, with a CREST-accredited senior tester overseeing the engagement and leveraging manpower (and womanpower) from our junior team to complete the test.

The testers replicate how an attacker might try to infiltrate the network, giving the business insight into its weaknesses. This might be done across the entire organisation, if the business is undertaking a broader test, or it can be targeted at a new application, website or network segment.

Depending on the outcome required from the test, the testing company can use black-box, grey-box or white-box testing methods. (You will sometimes see these called black-hat and white-hat testing, but those terms properly describe an attacker's intent, not how much knowledge and access the tester is given.) It is important to understand what an attacker with zero credentials and no inside knowledge of your environment could do. This is black-box testing: the team has to map out the network from the outside and try to find a way in. However, given that social engineering techniques are becoming more sophisticated, an attacker obtaining a set of valid credentials is a realistic assumption rather than an edge case.

It is therefore critical for organisations to also complete grey-box testing, where the testing team is given network credentials or login details for a specific application and then sees how far it can get. (White-box testing goes further, sharing architecture documentation or source code as well.) For example, if we are provided with standard user credentials for a web application, our team would try to escalate privileges: horizontally, by reaching data belonging to other users, and vertically, by gaining administrator-level access, and then see what data could be reached from there.
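As an added example (not from the original article and not Cognisys's own tooling), the Python below sketches how a grey-box web application test uses one low-privileged user's credentials to look for the two escalation paths just described: horizontal (reading another user's records) and vertical (reaching administrator-only functions). The toy application, the tokens, the order records and the route names are all constructed for the example so that it runs offline; against a real target the `app` callable would be replaced by HTTP requests carrying each user's session. The vulnerable handler and the hardened handler sit side by side so the missing server-side checks are visible.

```python
"""Grey-box privilege-escalation check for a web application.

A tester who has been given one ordinary user's credentials looks for two
escalation paths: horizontal (reading records that belong to another user,
typically through an insecure direct object reference) and vertical
(reaching functions reserved for administrators). Everything below is a
constructed, in-memory stand-in for a real target so that it runs offline;
the two app functions play the roles of a vulnerable build and a hardened
build of the same hypothetical application.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample data: bearer tokens for two ordinary users and one admin,
# and two order records each owned by one of the ordinary users.
USERS = {
    "tok-alice": {"user": "alice", "role": "user"},
    "tok-bob": {"user": "bob", "role": "user"},
    "tok-root": {"user": "root", "role": "admin"},
}
ORDERS = {
    1001: {"owner": "alice", "item": "laptop"},
    1002: {"owner": "bob", "item": "phone"},
}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def _order_id(path: str) -> Optional[int]:
    """Parse /orders/<id>; None if the path is not of that shape."""
    prefix = "/orders/"
    if not path.startswith(prefix) or not path[len(prefix):].isdigit():
        return None
    return int(path[len(prefix):])


def vulnerable_app(method: str, path: str, token: str) -> Response:
    """Authenticates the caller but never authorises the request."""
    session = USERS.get(token)
    if session is None:
        return Response(401)
    order_id = _order_id(path)
    if order_id is not None:
        order = ORDERS.get(order_id)
        return Response(200, order) if order else Response(404)
    if path == "/admin/users":
        return Response(200, {"users": sorted(u["user"] for u in USERS.values())})
    return Response(404)


def hardened_app(method: str, path: str, token: str) -> Response:
    """Same routes, with an ownership check and a role check added."""
    session = USERS.get(token)
    if session is None:
        return Response(401)
    order_id = _order_id(path)
    if order_id is not None:
        order = ORDERS.get(order_id)
        if order is None:
            return Response(404)
        if order["owner"] != session["user"] and session["role"] != "admin":
            return Response(403)  # ownership check stops horizontal escalation
        return Response(200, order)
    if path == "/admin/users":
        if session["role"] != "admin":
            return Response(403)  # role check stops vertical escalation
        return Response(200, {"users": sorted(u["user"] for u in USERS.values())})
    return Response(404)


App = Callable[[str, str, str], Response]


def escalation_findings(app: App, low_token: str, victim_token: str,
                        victim_order_id: int, admin_path: str = "/admin/users") -> List[str]:
    """Run the grey-box checks; an empty list means no escalation was found.

    The victim's own read is taken first as a baseline so that a later 403
    or 404 for the low-privileged user is known to be an access decision
    rather than a missing record.
    """
    baseline = app("GET", f"/orders/{victim_order_id}", victim_token)
    if baseline.status != 200:
        raise RuntimeError("victim cannot read their own record; check test data")
    findings: List[str] = []
    cross = app("GET", f"/orders/{victim_order_id}", low_token)
    if cross.status == 200 and cross.body == baseline.body:
        findings.append(f"horizontal: {USERS[low_token]['user']} read order "
                        f"{victim_order_id} owned by {USERS[victim_token]['user']}")
    admin = app("GET", admin_path, low_token)
    if admin.status == 200:
        findings.append(f"vertical: {USERS[low_token]['user']} reached {admin_path} "
                        f"without the admin role")
    return findings


if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_app), ("hardened", hardened_app)):
        print(name, escalation_findings(app, "tok-alice", "tok-bob", 1002) or ["no escalation found"])
```

Against a live application the structure of the check is the same: establish what the victim account can legitimately read, repeat the request with the low-privileged session, then probe the administrative routes. Both findings disappear in the hardened handler because it adds the two authorisation decisions that the vulnerable one skips after authenticating the token.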


How and When Should We Use Pen Testing?

Testing should be performed regularly. Depending on the size of your organisation, your rate of internal change, your risk appetite and the industry you are in, "regularly" may mean anything from every 6 months to every 2 years.

Industries like financial services, legal and healthcare are bound by stricter compliance requirements and held to higher standards by their users, given the sensitive nature of the data they hold. Businesses in these sectors should therefore test more frequently to protect that data and maintain confidence in the maturity of their cyber defences.

Standards and certification schemes like ISO 27001 and Cyber Essentials Plus run on an annual cycle, so many organisations test once a year to support them, but it is important not to treat testing as a tick-box exercise for passing your cyber-MOT for another year. Ad-hoc testing is crucial as new areas of your network come online or as you bring in new applications, such as websites and mobile apps. Extending your IT environment in any way without adequate security testing can hand attackers a simple way in, so testing for vulnerabilities before going live is crucial to maintaining data security.

What Should I Look for In A Provider?

We know that it can be difficult to find the right testing provider for your business. Often, organisations look at price alone to decide who they will work with, but I think the decision should be a little more nuanced than that.

As a testing company, we want to help you to improve your cyber security posture. We’re not here to complete a tick-box exercise and move on to the next client, we’re genuinely interested in helping you become more secure. We think it’s important that you find a company you consider a trusted partner to help guide you towards a more secure future.

Here at Cognisys, we have five core values:

  • Honesty - we're a friendly bunch who are (mostly) from Yorkshire, so it's in our DNA to be honest and open
  • Respect - our clients are the reason we all come into work. We treat everyone with respect and want to work in a partnership with our customers
  • Fairness - we pride ourselves on providing our clients with fair pricing and if we can complete a job more quickly than we've quoted, we'll always give you back the difference
  • Intelligence - we're not only a friendly bunch, we're also quite brainy! Making sure all of our engagements are overseen by a senior tester means that our clients consistently get a gold-star service from us
  • Professionalism - we take extreme pride in our work and we treat every job with the same level of integrity. This means it doesn't matter whether you're a solopreneur or a household name brand, our approach is consistent.

 

So, if we sound like the kind of company you’d like to get involved with, drop me a note to [email protected] and I'd be more than happy to get a call set up!


Dominic Vogel

I save companies from evil cyber villains | Advocate for kindness in tech | The hype person YOU need in your life | High ENERGY speaker!!! | Avid beard grower

4 years ago

Great musings

Amy Stokes-Waters

The Cyber Escape Room Co. ? | Security Education, Awareness & Engagement | Experiential Learning | Corporate Events | Non Exec Director | Full Time Feminist | Oh FFS...

4 years ago

Jahmel Harris put a black screen with green letters as the picture cause we know that's what real pen testers do haha

Arjun Pednekar

Architecting Secure Business Futures, CREST Fellowship, Mentor, CTO

4 years ago

Beautifully written article. Well done Amy Stokes-Waters
