Cyber attacks are cheap to conduct, but expensive for organisations that are hit by them. Botnets can be hired cheaply, hacking software is readily available, and even those without technical or practical knowledge can purchase attacks as a service.
Because attacks can cripple an organisation’s systems, and the organisation can then face hefty fines and long-term reputational damage, it needs to invest in defences to mitigate the threat.
That’s where penetration testing comes in. It’s essentially a controlled form of hacking in which a professional pen tester, working on behalf of an organisation, uses the same techniques as a criminal hacker to search for vulnerabilities in the company’s networks or applications.
Penetration testing is widely acknowledged as an essential part of cyber security. It can help organisations assess their security programme, test new applications or significant changes to business processes, and meet regulatory standards such as the PCI DSS (Payment Card Industry Data Security Standard) and ISO 27001.
There are five types of penetration test, each focusing on a particular aspect of an organisation’s logical perimeter.
1) Internal network penetration tests
The objective of internal penetration testing is to discover what an attacker with inside access to your systems could achieve. An internal test will typically:
- Test from the perspective of both an authenticated and non-authenticated user to assess potential exploits;
- Assess vulnerabilities affecting systems that are accessible by authorised login IDs and that reside within the network; and
- Check for misconfigurations that could allow employees to access information and inadvertently leak it online.
2) External network penetration tests
The objective of external network penetration testing is to identify security vulnerabilities in how an organisation connects with the Internet and other external systems. This includes servers, hosts, devices and network services.
If an organisation’s interfaces aren’t designed correctly, criminals can enter the network and perform malicious activities.
Common network security issues include:
- Unpatched operating systems, applications and server management systems;
- Misconfigured software, firewalls and operating systems; and
- Unused or insecure network protocols.
If the network penetration test identifies any of these problems, organisations can fix the issues relatively simply – whether that’s installing the appropriate patches, reconfiguring the software, firewall or operating system, or putting in place a more secure network protocol.
3) Application penetration tests
The objective of application penetration testing is to identify security issues resulting from insecure development practices in the design, coding and publishing of software.
Applications are a vital business function for many organisations, being used to process payment card data, sensitive personal data or proprietary data.
Common website and web application security issues include:
- Potential for injection (the lack of validation allows attackers to control the user’s browser);
- Privilege escalation (users have access to more parts of the site or application than they should); and
- Cross-site scripting (the application takes untrusted data and sends it to a web browser without proper validation).
If the web application penetration test identifies any of these problems, organisations should adjust their processes to keep untrusted data separate from commands and queries, develop strong authentication and session management controls and separate untrusted data from active browser content.
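The two remediations above (keeping untrusted data separate from commands and queries, and keeping it separate from active browser content) are easiest to see as code. The following is an added example, not code from the original post or from IT Governance: it uses an in-memory SQLite table with constructed sample rows, and places a query built by string concatenation beside its parameterised form, then an unescaped HTML template beside one that encodes output. The table, user names and greeting markup are assumptions made for the illustration.

```python
import html
import sqlite3


def make_db():
    """Constructed sample database: two users standing in for a real application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")]
    )
    return conn


def lookup_vulnerable(conn, username):
    # Untrusted input is concatenated into the SQL text, so data and command are mixed:
    # a quote character in the input changes the structure of the statement.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    # Parameterised query: the driver sends the value separately from the SQL text,
    # so the input is only ever compared as data and can never become part of the query.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_greeting_vulnerable(name):
    # Untrusted data is inserted directly into active browser content.
    return "<p>Hello, " + name + "</p>"


def render_greeting_hardened(name):
    # Output encoding for the HTML context keeps untrusted data inert: angle brackets,
    # ampersands and quotes are turned into entities the browser displays rather than parses.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # constructed probe input used to show the difference
    print("vulnerable lookup:", lookup_vulnerable(db, tautology))  # returns every row
    print("hardened lookup:  ", lookup_hardened(db, tautology))    # returns nothing
    print(render_greeting_hardened("<b>visitor</b>"))
```

The same separation applies to any interpreter the application hands data to (LDAP, OS commands, templates): the fix is always an API that takes the untrusted value as a separate argument, plus encoding appropriate to the context where the value is finally rendered.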
4) Wireless network penetration tests
The objective of wireless penetration testing is to detect access points and rogue devices in an organisation’s secured environment.
Common wireless security issues include:
- Rogue or open access points;
- Misconfigured or accidentally duplicated wireless networks; and
- Insecure wireless encryption standards, such as WEP (Wired Equivalent Privacy).
If the wireless network penetration test identifies any of these problems, organisations should locate the open or rogue access point (for example by wardriving) and disable it, adjust security settings and update the wireless protocol to the industry-accepted protocol Wi-Fi Protected Access II (WPA2).
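To show how the three wireless issues listed above are picked out of survey data, here is an added example that is not part of the original post: it parses a constructed scan listing (one access point per line in a simple "BSSID SSID SECURITY" layout assumed for the illustration, not the output of any real tool) and flags open networks, WEP, rogue access points broadcasting a corporate SSID from an unapproved BSSID, and an SSID that appears with inconsistent security settings. The approved-BSSID list and SSID names are assumptions.

```python
# Constructed sample survey (not real data): BSSID, SSID and security mode per access point.
SAMPLE_SCAN = """\
00:11:22:33:44:01 CorpWiFi WPA2
00:11:22:33:44:02 CorpWiFi WPA2
00:11:22:33:44:03 CorpWiFi WEP
00:11:22:33:44:04 Guest OPEN
AA:BB:CC:DD:EE:FF CorpWiFi WPA2
"""

# Assumed asset register: the BSSIDs the organisation actually deployed for its own SSIDs.
APPROVED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}
CORPORATE_SSIDS = {"CorpWiFi"}


def parse_scan(text):
    """Turn the survey text into a list of access-point records, skipping malformed lines."""
    aps = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        bssid, ssid, security = parts
        aps.append({"bssid": bssid.upper(), "ssid": ssid, "security": security.upper()})
    return aps


def audit(aps, approved_bssids, corporate_ssids):
    """Return (finding, subject, detail) tuples for each wireless issue found."""
    findings = []
    modes_by_ssid = {}
    for ap in aps:
        modes_by_ssid.setdefault(ap["ssid"], set()).add(ap["security"])
        if ap["security"] == "OPEN":
            findings.append(("open", ap["bssid"], ap["ssid"]))
        elif ap["security"] == "WEP":
            # WEP is an insecure encryption standard; the network should be moved to WPA2.
            findings.append(("weak-encryption", ap["bssid"], ap["ssid"]))
        if ap["ssid"] in corporate_ssids and ap["bssid"] not in approved_bssids:
            # Corporate SSID served from hardware not in the asset register: a rogue AP.
            findings.append(("rogue", ap["bssid"], ap["ssid"]))
    for ssid, modes in modes_by_ssid.items():
        if len(modes) > 1:
            # Same SSID with differing security modes points at a misconfigured or duplicated network.
            findings.append(("inconsistent-security", ssid, ",".join(sorted(modes))))
    return findings


def audit_sample():
    return audit(parse_scan(SAMPLE_SCAN), APPROVED_BSSIDS, CORPORATE_SSIDS)


if __name__ == "__main__":
    for finding in audit_sample():
        print(*finding)
```

In practice the approved-BSSID set comes from the wireless controller or asset register, and the scan from whatever survey tool the tester uses; the point is that each issue in the list above maps to a simple, repeatable check that can be re-run after remediation.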
5) Phishing and social engineering penetration tests
The objective of phishing and social engineering penetration testing is to assess employees’ susceptibility to breaking security rules or giving access to sensitive information.
Common social engineering issues include:
- Susceptibility to phishing emails;
- Willingness to hand over sensitive information to people without knowing who they are; and
- Giving people physical access to a restricted part of the organisation.
If the penetration tester is able to exploit any of these vulnerabilities, organisations should invest in staff awareness training to help them understand how social engineering attacks work and how they can avoid falling victim.
Penetration testing with IT Governance
If you’re looking for ethical hacking or penetration testing support, we are here to help.
Our CREST-accredited penetration testing services have been developed to align with your business requirements, your budget and the value you assign to the assets you intend to test.
We have a variety of fixed-price packages that are suitable for any organisation that wants to identify the exploitable weaknesses targeted by cyber attackers.
And with both on-site and remote testing options available, we can assess your networks in whichever way you find most convenient.