In this blog post, we will cover all the details about penetration testing and how -when done properly- it can help your company.
What exactly is Penetration Testing?
Penetration testing, also called Pentest, is one of the most popular topics in today’s information security world. It is a security testing process applied to detect security vulnerabilities in computer systems, networks, and web applications.
These security tests are performed by “authorized” people (so-called ethical hackers) in order to detect logic errors and vulnerabilities in the specified information systems and to prevent the exploitation of these security vulnerabilities by malevolent people. Thus, suggesting measures to increase security levels of the tested environments. The main purpose of a Pentest is exploiting the related vulnerability and trying to obtain unauthorized access in a way without harming the system, rather than detecting vulnerabilities only.
A typical pentest process consists of stages listed below:
- Customer meeting (gathering information and talking about test conditions)
- Kick-off (scanning the test scope)
- Vulnerability scan (scanning the networks provided by the customer)
- Manual exploitations (detecting false positives, attempting to gain unauthorized access)
- Scenario execution (pre-defined scenarios with or without prior knowledge about systems)
- Pentest report (including detected vulnerabilities and measures against those)
- Final meeting (presenting test report and suggestions)
Why do companies need Penetration Testing?
Pentest is one of the first steps of proactive security and helps you and your organization stay ahead of hackers. In a Pentest, a team of ethical hackers finds security vulnerabilities in your application, network, or system. Thus, helping you fix them before attackers take advantage of these issues and exploit them. There is no definition of a 100% secured system and there is no limit to the techniques that attackers will use to exploit the system. Possibilities of techniques vary around malicious people according to their experience with operating systems, software development skills, and information systems. Besides, it is always a decent choice to check the security vulnerabilities in your information systems by a third party.
Another important issue to mention here is that a pentest is not merely a vulnerability scan. We will talk about this in detail later, but we experience a lot of companies using only vulnerability scanning tools and claiming that they have performed pentests themselves. However, that is far away from reality.
How can Penetration Testing help your organization?
Needless to say, pentests provide various advantages and promising improvement potential for the tested environment. The most common advantages for your organization can be summarized as;
- Exploit vulnerabilities
Penetration testing explores existing weaknesses in your system or network infrastructure. A report informs you of your security vulnerabilities so you know what software and hardware improvements you must consider.
- Display real risks
Penetration testers try to exploit identified vulnerabilities. That allows companies to see what an attacker could do in the ‘real world’. They might access sensitive data and execute operating system commands.
- Ensure business continuity
To make sure your business operations are up-and-running all the time, in which you need network availability, as well as 24/7 communications. Each disruption will have a negative impact on your business. Penetration tests reveal potential threats and help to ensure that your operations do not suffer from unexpected downtime or a loss of accessibility.
- Follow regulations and comply with certification requirements
Your industry and legal compliance requirements may decree a certain level of penetration testing. Think about the ISO 27001 standard, TISAX®, or PCI regulations, which requires all managers and system owners to conduct regular penetration tests and security reviews, with skilled testers.
- Reduce cyber-security insurance premiums
Most Insurers will reduce the cyber-security insurance premium once you provide proof of a penetration test. Think about it, it is cheaper for them to ensure a secured network than an unknown one.
Types of Penetration Testing
There are various types of penetration testing available. Before selecting a suitable provider and methodology, it is always a good start to be familiar with the types of Pentest available, as engagements vary in focus, depth, and duration. Common ethical hacking methods include:
- Internal/External Infrastructure Penetration Testing
An assessment of on-premise and cloud network infrastructure, such as virtual system hosts, routers, and switches. Also, Pentest can be framed as either an internal penetration test, focusing on assets inside the corporate network, or an external penetration test, targeting also corporate networks infrastructure which can be reachable from the internet. To scope a test, you will need to know the number of internal and external IPs to be tested as well as network subnet size.
- Wireless Penetration Testing
A Pentest that specifically targets an organization’s WLAN (wireless local area network), including wireless protocols and Bluetooth. Additionally, it helps to identify access points, weaknesses in encryption and WPA vulnerabilities. To be able to conduct Pentest, testers need to know the number of wireless and guest networks, locations and SSIDs to be assessed.
- Web Application Testing
A comprehensive assessment of websites and custom applications specifically delivered over the web, checking the uncover coding and development flaws that could be maliciously exploited. Before approaching a web pentest, it’s vital to clarify the number of apps that need testing, also including the number of static pages, dynamic pages and input fields to be assessed.
- Mobile Application Testing
Applying mobile applications pentest on operating systems, which are IOS and Android, to identify authentication, authorization, data leakage, and session handling exploits. To scope a pentest, testers need to know the operating system types as well as versions. Moreover, testers can utilize an app to be tested on, the number of API calls, and requirements for jailbreaking.
TISAX®, ISO 27001 and Pentests
As you might know, there are various international and industry-specific standards for information security. ISO 27001 is the international standard for information security. On the other hand, TISAX® is the standard for the automotive industry when it comes to information security.
Why are we telling this? Because both standards require a safe and secure infrastructure for information security. Regardless of the clients’ industry, the client needs to have valid proof that regular vulnerability scans are being made. The results are being checked and respective security measures are taken. Having said that, soon we will cover the differences between penetration testing and vulnerability scanning.
In addition to that, quality management standards like IATF (QM for the automobile industry) also require pentesting results as proof of security from audited companies.
Long story short, the bigger the company, the more detailed pentests needs to be executed as per the information security standards. Thus, penetration tests are better provided via 3rd party professional service providers. Hence, ethical hackers.
What is the difference between Penetration Testing and Vulnerability Scanning?
Penetration testing and vulnerability scanning may be considered identical for many people. On the other hand, they are like two sides of one coin. They are quite different, on the other hand they bond with each other. Vulnerability scans look for known vulnerabilities in your systems and report potential exposures. Penetration tests are intended to exploit weaknesses in the architecture of your IT network and determine the degree to which a malicious attacker can gain unauthorized access to your assets.
After the vulnerability scan, we may use results as an indicator to focus on a deeper perspective and exploitation of penetration testing. That is why we use them in combination.
The evaluated results of a Pentest are vital assets for assessing the current security level of your IT systems. These results can also provide your company’s responsible managers with insightful information about identified security gaps, their actualities, and their potential impacts on the system’s functionality and performance. A seasoned penetration tester also presents Pentest results with a list of recommendations for their remediations as well as guide customers to develop a reliable security system, according to OWASP and CVSS, and to prioritize their future cybersecurity investments. Even though a Pentest may involve the usage of automated tools, the focus is mostly still on the manual skills, professional knowledge, and experience of penetration testers.
After the Pentest, which path should I follow?
As important as having a Pentest, it is much more important to evaluate the results and act. Unfortunately, the most common mistake is to have a Pentest done quickly, examine the report, and close very urgent vulnerabilities only. It is a common situation that medium-level vulnerabilities are not closed after the Pentest and the same vulnerabilities appear again in the next Pentest run. In order to have a high added value for the work carried out, it is recommended to apply at least the following items:
- Presenting the results to the management within the scope of a risk map, instead of just naming vulnerabilities (if this vulnerability is exploited by hackers, that will be the impact, etc.)
- Examining the report in detail and determining who is responsible for each finding.
- Meeting with system administrators and software developers and sharing the results.
- Follow-up of the closing of findings.
- Determining the next Pentest time
Security attacks may compromise your infrastructure as well as sensitive data, which might lead to critical damage to the company’s reputation and affect the business financially, operationally, and legally. Therefore, Pentest can definitely assist you to avoid costly security breaches. Likewise, combining Pentest with Vulnerability Scanning always would be a convenient idea to have more meaningful insights on vulnerabilities and potential breach points in your IT infrastructure.
Overall, from a security perspective, only Pentest can make a realistic assessment of your company’s “health” and its resistance to cyber-attacks. Also, Pentest can declare the strength of your company’s IT infrastructure whether successful or unsuccessful on a malicious attack. Most importantly, it can help you prioritize your security investments, comply with industry regulations, and develop underlying and comprehensive defensive mechanisms so that your business will be protected from future intruders in the long run.
Can Adiguzel is the founder of 360 Digital Transformation. He is in IT-Project Management more than 11 years. He is passionate about Information Security for Mittelstand and helps Mittelstand to overcome their Information Security challenges using a hands-on consulting approach.