When protecting your organisation’s assets, penetration testing by an ethical hacker can be a useful weapon in the information security team’s arsenal. Penetration testing exercises the security countermeasures the organisation has deployed to protect its infrastructure, both physical and digital, its employees and its intellectual property. To benefit from testing, organisations need to understand its limitations and how to interpret the results.
Penetration testing can be used both proactively, to map the attack surface and the organisation’s susceptibility to attack, and reactively, to determine how widespread a vulnerability is or whether remediation has been implemented correctly.
What is penetration testing?
Penetration testing is a ‘moment-in-time’ test: it indicates the vulnerabilities that could be found in the system at the time of testing. A test that returns no vulnerabilities does not mean the system is secure: a vulnerability may exist that nobody yet knows about, so no tool or tester has a check for it, or the tool may simply be unable to detect a vulnerability that is present. A clean report can therefore give the organisation a false sense of security. Heartbleed, for example, existed in OpenSSL for around two years before it was discovered, so any test run during that period would have given the affected servers a clean bill of health on that point.
What does a penetration test include?
A penetration test carried out by a good ethical tester will use a variety of tools, in both automated and manual modes. The work is driven by a methodology that ensures attack vectors are not overlooked, combined with the tester’s own knowledge and expertise.
The term ethical hacker or tester means someone who conducts authorised tests within the agreed scope to the highest standards of ethical behaviour: they will not use the information gained for their own purposes, and they will not exceed the agreed limits.
An organisation needs to carefully plan its use of penetration testing in order to maximise the benefits.
It can be part of an information security management system (ISMS) and will typically be used in the following areas:
- Risk management: determining the organisation’s vulnerabilities and the attack surface area.
- Vulnerability management: detecting vulnerabilities present in the organisation, determining the effectiveness of remediation.
- Assurance audit: testing implemented countermeasures.
- Regulatory compliance: part of auditing to determine whether controls have been implemented.
How to determine the penetration testing strategy
The testing strategy has to be developed to meet the organisation’s requirements, which should be driven by its mission objectives and risk appetite. It needs to be cost-effective: the testing should provide some assurance about the attack surface, confirm whether the vulnerability management programme is effective, and confirm that the controls are working.
The frequency of testing will depend on factors such as how dynamic the organisation is. Is the footprint of the organisation evolving? Are there frequent changes to infrastructure and applications? It will also depend on regulatory and standards compliance activities. The PCI DSS, for instance, requires internal and external vulnerability scans at least quarterly and after significant changes, combined with at least annual penetration testing.
Frequency could also be driven by being a high-profile or controversial organisation (consider how many attacks the NSA must contend with). Obscurity no longer offers any protection: attackers are not targeting only well-known URLs. A small, unknown company might have escaped attention a decade ago, but automated tools now constantly scan large swathes of IP address space, so your digital footprint will be scanned, and possibly attacked, regardless of who you are.
Frequency of penetration testing
A recommendation for many organisations could be a monthly internal compliance scan, with quarterly internal and external vulnerability scans conducted by a qualified tester rather than just automated scans. An annual penetration test on the external infrastructure and applications should be conducted by a skilled tester. Scans should also be conducted when significant changes are implemented on the infrastructure or within applications. If your internal network is segmented into security zones, then regular testing of the configuration is required. Social engineering testing – such as physical entry – should be conducted annually, as well as an annual phishing test of employees. When new vulnerabilities are reported – especially critical and high-level vulnerabilities – a scan of the infrastructure and applications may be required to determine the extent of the vulnerability.
As new controls and remediation activities are completed, testing should be conducted to ensure the work has been completed and the vulnerability has been sufficiently remediated. The level of testing could be determined by risk and business impact, with lower-rated systems being vulnerability scanned and high-importance or critical systems undergoing full penetration testing. Organisations may consider using a number of test companies to ensure the widest possible breadth of knowledge is brought against the attack surface, which will give the best chance of identifying vulnerabilities.
Management should be aware that there is always a residual risk that a vulnerability has remained undetected. A clean test report should not be taken as a true indication of the organisation’s security posture. Remaining vigilant and monitoring for signs of intrusion are part of the security posture organisations should be maintaining.
IT Governance provides fixed-price CREST-accredited penetration testing services for any organisation looking for better protection.