Which type of penetration test is right for your organisation?
As we close out a challenging 2020, a number of our customers are planning their 2021 cybersecurity strategy, inclusive of penetration testing schedules.
Penetration tests (commonly known as ‘pen tests’) are a highly technical assessment of your cybersecurity environment at a particular time. They test real-time intrusion detection and response systems, while identifying vulnerabilities across the entire IT ecosystem. Pen tests generally simulate real-world attacks and are conducted by ethical hackers in a controlled setting. Pen testing experts, like the team you’ll find at Loop Secure, will test for vulnerabilities in a number of ways, including through unpatched software, coding errors and weak authentication systems, or by cracking other networks interrelated with IT, such as operational networks.
With a number of penetration tests available, we’re often asked by customers which one is right for their business.
A penetration test should be a component of your cybersecurity strategy and closely woven in with other activities across the cybersecurity scope, including governance, risk, continual monitoring and incident response.
Firstly, to identify which type of penetration test is suitable for your business, you need to align the test objectives with your cybersecurity strategy and resources. This will include an analysis of potential breach sites or vulnerable systems.
Offensive security services, including penetration testing, vary widely. Often IT managers and business managers are uncertain about which types of offensive cybersecurity measures they will require in their organisation. The same applies to penetration testing, which can be carried out using a variety of methods. For example:
- In Black Box testing, the internal structure, design, architecture and implementation of the targets of evaluation are not known to the tester. This type of testing is representative of an attacker learning about the targets they are attempting to compromise as they go.
- White Box tests assume intimate knowledge of the internal structure, design, architecture and implementation of the targets of evaluation. In contrast to black box testing, the tester already has all the information required to start enumerating and testing in-scope targets. More time may therefore be invested in attempting to discover vulnerabilities and achieve the desired engagement goals.
- Grey Box testing combines both white and black box testing methods. The tester begins the engagement with knowledge of all targets of evaluation. This limits the time and effort required for the initial asset discovery phase, placing the bulk of the effort into vulnerability discovery, whilst still ensuring that the test authentically represents a real-life attack.
Selecting the right approach to testing is essential to meeting the test objectives. A white box test may uncover where a developer accidentally left credentials in the software code, but be wholly inadequate to uncover vulnerabilities in open ports or third-party integrations, for example. A comprehensive spread of different types of tests across the IT ecosystem is recommended.
As an example of a comprehensive approach, the Loop Secure team offer these types of penetration tests:
As mentioned earlier, pen tests give you a snapshot of your security posture at a certain point in time. Between tests, the landscape can change significantly. New tools and tactics are always in development and cyber vulnerabilities are continually evolving. So how does an organisation stay vigilant on a 24/7 basis?
Penetration testing is only one component of an effective cybersecurity program. An extended monitoring and continual cybersecurity testing program is often recommended for clients to ensure that the right parts of their organisation are being tested, using the right techniques and at a frequency that reduces organisational risk. Loop’s Continual Assurance Service is an example of this, and locks in a set schedule of testing and remediation every year. These timelines are critical to ensure reporting and rectification of issues irrespective of workload, and before compliance deadlines. Some of the key deliverables include monthly testing of systems and infrastructure, aligned with a program of patching, upgrades, configuration changes and architectural changes that are happening within the business.
Loop’s Continual Assurance Service also includes scheduled simulated phishing campaigns, social engineering campaigns, adversary simulations, security awareness training for Boards and ongoing vulnerability assessments. The result is a comprehensive offensive security program that fills in the blind spots that irregular penetration testing leaves.
If you'd like to learn more about Loop Secure's Continual Assurance Program, contact our team.
To learn more about pen testing and what type of tests are best for you, download our Technical Executive's Guide to Penetration Testing.