Cyber attacks are cheap to conduct, but expensive for organisations that are hit by them. Botnets can be hired cheaply, hacking software is readily available, and even those without technical or practical knowledge can purchase attacks as a service.
Because organisations’ systems can be crippled by attacks and they can face large fines and long-term reputational damage, they need to invest in defences to mitigate the threat of attacks.
That’s where penetration testing comes in. It’s essentially a controlled form of hacking in which a professional pen tester, working on behalf of an organisation, uses the same techniques as a criminal hacker to search for vulnerabilities in the company’s networks or applications.
Penetration testing is widely acknowledged as an important part of cyber security. It can help organisations assess their security programme, test new applications or significant changes to business processes and meet regulatory standards such as the Payment Card Industry Data Security Standard (PCI DSS) and ISO 27001.
Broadly speaking, there are four types of penetration test, each focusing on a particular aspect of an organisation’s logical perimeter.
Network penetration tests
The objective of network penetration testing is to identify security vulnerabilities in how an organisation connects with the Internet and other external systems. This includes servers, hosts, devices and network services.
If an organisation’s interfaces aren’t designed correctly, criminals will be able to enter the network and perform malicious activities.
Common network security issues include:
- Unpatched operating systems, applications and server management systems;
- Misconfigured software, firewalls and operating systems; and
- Unused or insecure network protocols.
If the network penetration test identifies any of these problems, organisations can fix the issues relatively simply – whether that’s installing the appropriate patches, reconfiguring the software, firewall or operating system, or putting in place a more secure network protocol.
Web application penetration tests
The objective of web application penetration testing is to identify security issues resulting from insecure development practices in the design, coding and publishing of software. Applications are a vital business function for many organisations, being used to process payment card data, sensitive personal data or proprietary data.
Common website and web application security issues include:
- Potential for injection (the lack of validation allows attackers to control the user’s browser);
- Privilege escalation (users have access to more parts of the site or application than they should); and
- Cross-site scripting (the application takes untrusted data and sends it to a web browser without proper validation).
If the web application penetration test identifies any of these problems, organisations should adjust their processes to keep untrusted data separate from commands and queries, develop strong authentication and session management controls and separate untrusted data from active browser content.
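The two remediations just described, keeping untrusted input out of the query text (the injection finding) and out of active browser content (the cross-site scripting finding), as an added Python example that is not from the article; the user table, names and inputs are constructed sample data.

```python
# Added example (not from the original article): insecure vs hardened
# handling of untrusted input, using only the Python standard library.
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory sample data; stands in for a real user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "staff"), ("bob", "admin")])
    return conn


def lookup_role_insecure(conn: sqlite3.Connection, username: str):
    """Untrusted input is pasted into the query text, so the input can
    change the query's meaning or break it (the injection finding)."""
    sql = f"SELECT role FROM users WHERE username = '{username}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_role(conn: sqlite3.Connection, username: str):
    """Hardened form: the query text is fixed and the input travels as a
    bound parameter, so it is only ever compared as data."""
    row = conn.execute("SELECT role FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None


def render_greeting(display_name: str) -> str:
    """Hardened output: untrusted text is HTML-escaped before it is placed
    in the page, so it cannot become markup or script (the XSS finding)."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


if __name__ == "__main__":
    db = build_db()
    # A perfectly ordinary name containing a quote: the insecure query
    # fails with a syntax error, the parameterised one finds no such user.
    odd_name = "o'brien"
    try:
        print(lookup_role_insecure(db, odd_name))
    except sqlite3.OperationalError as err:
        print("insecure query failed:", err)
    print(lookup_role(db, odd_name))
    print(render_greeting("<script>alert(1)</script>"))
```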
Wireless network penetration tests
The objective of wireless penetration testing is to detect access points and rogue devices in an organisation’s secured environment.
Common wireless security issues include:
- Rogue or open access points;
- Misconfigured or accidentally duplicated wireless networks; and
- Insecure wireless encryption standards, such as Wired Equivalent Privacy (WEP).
If the wireless network penetration test identifies any of these problems, organisations should find the open access point (wardriving) and disable it, adjust security settings and update the wireless protocol to the industry-accepted protocol Wi-Fi Protected Access II (WPA2).
Phishing and social engineering penetration tests
The objective of phishing and social engineering penetration testing is to assess how susceptible employees are to breaking security rules or giving away access to sensitive information.
Common social engineering issues include:
- Susceptibility to phishing emails;
- Willingness to hand over sensitive information to people without knowing who they are; and
- Giving people physical access to a restricted part of the organisation.
If the penetration tester is able to exploit any of these vulnerabilities, organisations should invest in staff awareness training to help them understand how social engineering attacks work and how they can avoid falling victim.
Find out more about penetration testing
If you want to learn more about penetration testing and how we conduct our tests, you should watch our webinar Cyber security: protecting your business with cost-effective penetration testing. You’ll find out:
- How penetration testing can help prevent the most common types of attack;
- The differences between a penetration test and a vulnerability assessment;
- Why penetration tests are vital to uncovering vulnerabilities before criminals do; and
- How to conduct a penetration testing programme.
The webinar will take place on 1 November 2017, from 3:00 pm. If you can’t make it, the presentation will be available to download from our website.