Penetration testing is one of the most effective tools for helping protect your assets and information. There is also a lot of hype and mixed messaging around what is commonly referred to as ‘pen testing’.
To bring some clarity to this topic, we asked Loop Secure’s David Morrison, General Manager - Governance, Risk and Compliance & Offensive Security, for his top tips on what you should know when conducting a pen test, so that you can make the right decision about how to approach this critical security activity.
Clarifying Penetration Testing
Penetration testing is an offensive security strategy that tests your security controls and helps find weaknesses and gaps you may not be aware of.
The testers themselves leverage attack techniques and strategies in the same manner a malicious actor would. As a result, the penetration testers may discover new or unknown vulnerabilities within your systems, applications and infrastructure. The reason penetration tests are so effective is that they simulate the actions of a real-life malicious actor.
As Morrison explains: “There are a number of different tools, techniques and skillsets that are required for performing a successful penetration test. For instance, automated vulnerability assessment tools are used to help automate parts of the process and help find known vulnerabilities across your assets and network.
Even leveraging off-the-shelf tools requires skills in understanding every aspect of the tool in question, ensuring it is used effectively and does not miss any specific vulnerabilities.
We quite often work with clients where they have run the same tool in-house that we use during penetration tests but have only found a small percentage of the vulnerabilities we have identified in this first stage of the test.
This is due to not having the in-depth knowledge of how the tool works and the underlying network protocols being analysed. This is something we do at Loop day in and day out, constantly developing and maturing our assessment processes.”
What approach is right for me?
Your approach to penetration testing and the types of penetration testing activities that should be performed depends on your individual organisation and your perceived risks.
If you take on the job yourself, there are plenty of free tools out there, along with a number of expensive commercial tools.
But unless you know what you are doing, are trained in using these tools, and understand the techniques used by malicious actors, it may end up costing you more than it needs to, generate poor results, and give you a false sense of security if you haven’t identified every vulnerability.
As Morrison says, not all tools are created equal. “While you could invest in testing tools that appear to fit your needs, without the skillsets to use these tools effectively, you are really only providing yourself with a very poor vulnerability assessment.
Penetration tests go far beyond simple tools and vulnerability identification, delving into exploitation, chaining of what appear to be low risk vulnerabilities to further compromise systems, and pivoting.
A highly skilled penetration tester will also be able to provide a comprehensive report, one that tangibly explains the real risk of each vulnerability, explains how to effectively remediate these vulnerabilities, and provides root cause analysis on why the vulnerability was there in the first place and how to fix this across the enterprise.”
Manual testing is required along with automated testing
When conducting a penetration test, the big variable is the human factor. Malicious actors are intelligent, creative, highly skilled and may appear unpredictable to outsiders.
They are experts at developing creative scenarios to bypass security controls. By thinking the same way, using similar tactics and possessing the same skillsets, a highly trained penetration tester can find the same vulnerabilities. This is the whole premise of penetration testing: find the vulnerabilities and weaknesses and fix them, before a malicious actor finds and exploits them.
For this reason, automated scanning tools alone cannot be effective, as they neither think like, nor emulate, a motivated and skilled human actor.
“Taking one scenario as an example, the non-linear steps taken to bypass an unknown set of controls and steal an administrator’s password is not easily captured in an automated test.
In short, never accept an automated test as a full penetration test,” says Morrison. “Be wary of that too-good-to-be-true pen test quote. In all likelihood it is an automated vulnerability scan or uses a less skilled tester that relies heavily on off-the-shelf tools.”
Your penetration testing strategy should include social engineering
A complete penetration testing strategy does more than just address technological gaps. It also addresses the vulnerabilities within your people assets: the human controls that can be bypassed through various forms of social engineering.
As Morrison explains: “Social engineers work by taking advantage of our human need to trust and be helpful to those around us, especially when we are dealing with customers or providing support services.
No one wants to say ‘no’ or be difficult. It just isn’t good business. By leveraging this, social engineers have the ability to convince people to perform actions on their behalf, such as providing personal information on another person or even authentication credentials.
Social engineering is a very effective way for a malicious actor to enter your organisation, digitally or physically, easily bypassing those expensive controls you have put in place. They are experts in exploiting a person’s naivety or lack of knowledge. Email phishing alone is a continued attack vector, and this is due to its ongoing effectiveness.”
If you are planning a penetration test, be sure to consider phishing and social engineering to assess how well your staff respond to these types of attacks. Understanding your current level of maturity in this area will help target security awareness campaigns to remediate issues within your human controls.
Who should do my penetration testing?
A highly skilled and experienced security specialist is always your best bet when performing penetration tests, reducing your risk and addressing compliance requirements.
“While leveraging external specialists requires investment, in the long run, it provides your organisation with the best outcomes and return on that investment,” Morrison says. “You gain peace of mind knowing that your security is in the right hands.”
Pen testing may not be optional for your organisation
The final consideration for any organisation is understanding whether you are required to conduct penetration testing as part of regulatory, legislative or contractual compliance obligations, and how frequently these need to be performed.
For example, if you process, transmit or store cardholder data, PCI DSS (Payment Card Industry Data Security Standard) has specific requirements around penetration testing.
Failing to maintain compliance with the required regulations can result in loss of trading licenses and serious fines.
What to do next?
If you have any questions, or would like to enquire about how Loop Secure can help your organisation identify and manage risk through penetration testing services, contact us. We are here to help.
Read our Technical Executive's Guide to Penetration Testing for more information.