What Is Penetration Testing and How Can It Help Your Business?


Far from being a tool used exclusively by high-tech companies, penetration testing is fast becoming an essential exercise for any organisation that takes its information security seriously.

In the space of a few years, penetration testing (or ‘ethical hacking’ as it used to be called) has gone from something only large organisations did with any regularity to a type of assessment now recommended even for the smallest SMEs. For some, this change is explained by increased compliance demands, but the biggest factor has been the dramatic growth in disruptive cyberattacks, which continue to plague organisations despite record levels of cybersecurity investment.

It’s a seeming paradox: Gartner predicts that spending on traditional information security systems will reach $150 billion in 2021, a 12.4% rise compared to last year. Spending has been rising like this for at least 15 years, and yet the problem it is supposed to deter keeps getting worse. How can this be?

One possibility is that while cybersecurity technology fixes known problems, it leaves unaddressed the invisible ones nobody anticipated. These weaknesses only become visible under real-world conditions, and cybercriminals are expert at spotting them before defenders do. Infosec offers numerous examples of this phenomenon, including unpatched software vulnerabilities (which have also risen dramatically in number), accidental misconfigurations, weak or ageing security policies, poorly secured accounts, undocumented network access, and lax employee behaviour.

There is copious evidence that misconfiguration, oversights, and naïve security behaviour are the root cause of many cyberattacks, rather than any super-sophistication on the part of the attackers. For example, ransomware attacks often rely on quite basic failures in security which could have been prevented, such as the leaked (and possibly reused) passwords that reportedly aided the recent disruptive attack on Colonial Pipeline in the US.

How do penetration tests help?

Penetration tests attempt to uncover these problems by simulating how a real attacker would search for and exploit them, often chaining smaller weaknesses together to widen a compromise. Typically, each test is complemented by an automated vulnerability scan to detect the most common software flaws, misconfigurations, and oversights. At the end of the process, the client gets a report detailing the weaknesses, with an analysis and ranking of the risk each poses to the organisation, and a concluding section suggesting fixes.

Types of penetration test

Penetration tests are carried out to varying degrees of depth, depending on the objective or purpose of the test. External tests look for weaknesses from the public point of view outside the firewall, while internal testing assumes an attacker has already gained a foothold inside the network. Once optional, the latter is now considered essential because it models how an increasing number of attacks unfold, either because of a malicious insider or because attackers have compromised an employee or privileged account through phishing or weak password security. It’s also useful for analysing how easy it is for an attacker to move sideways from a compromised system, spreading the attack to other resources.

Black box tests and red teaming

More advanced penetration tests include the black box test, where the testers probe the network with no prior knowledge of its defences, in the same way an attacker might. Another increasingly popular option for larger organisations is red teaming, which involves testing every aspect of an organisation, including its physical security, employee behaviour, and in-house processes, over an extended period running to weeks or months.

How penetration tests happen

External tests start with information gathering related to the agreed objective and rules of engagement (RoEs), followed by reconnaissance of the organisation’s public-facing systems. They then move to scanning for common flaws and weaknesses using a mixture of open-source and commercial tools (Nmap, Nessus, Cobalt Strike, Metasploit), together with the testers' own custom scripts and manual techniques. If a weakness is found, an attempt is made to exploit it without being detected, followed by an attempt to achieve lateral movement to other servers elsewhere in the organisation’s network. Each step is documented for the final pen test report, which explains fixes and mitigations in order of priority.

Could an SME do its own penetration test?

In theory, organisations could do this themselves, but employing an independent tester is seen as best practice because it avoids issues such as conflicts of interest and internal politics. If bad news needs to be delivered, a dispassionate external audit is always the best way to do it. Much of the testing also requires specialised skills and experience.

Is penetration testing risky or illegal?

The objective of a test and its parameters are always agreed in advance with the client in detail, including the client's consent to proceed with certain actions that might otherwise be against UK law. Testers are looking for weaknesses and won’t exploit them in a damaging way or compromise data during that process. This is governed by the rules of engagement, which document how testers will secure any sensitive data they encounter during a test and the procedure for communicating with in-house IT teams.

Do penetration tests have limitations?

One issue is that organisations should ideally conduct at least two penetration tests: the first to spot weaknesses and a second one some time later to assess whether they’ve been fixed. Networks also change over time, which means that even that second assessment will quickly become out of date. All of this implies at least annual and probably twice-yearly checks, which add to the upfront cost.

Another issue is that the sort of penetration tests offered to SMEs are unlikely to find every weakness. Some of this is down to the scope of a test, which can be quite basic, but it is also because other areas of weakness, such as staff resistance to phishing attacks, are not part of this kind of assessment. How far should an SME go with penetration testing? Arguably, getting to grips with that issue requires a thorough risk assessment first, to weigh the cost of an assessment against the cost of an attack.

Are penetration tests really necessary?

To answer this question, an organisation needs to assess the effects of an attack by something like ransomware, which could disable its operations for days, weeks or worse. Cyber-insurance is unlikely to cover all of these costs, and there is strong evidence that attacked organisations rarely recover all of their data even if they do pay. That could have long-term implications in terms of loss of reputation and compliance. A penetration test won’t remove the risk of a cyberattack, but it will reduce it significantly.

Conclusion

While penetration testing can be an incredibly valuable tool for organisations, it is by no means guaranteed to protect against all cyber risks. A sensible strategy, therefore, would be a combination of measures that compound to protect the organisation within the budget and resource constraints that most leaders are required to consider.

A good starting point would be ensuring staff are aware of the risks, how to spot them and how to avoid them. Our cyber security e-learning course is a cost-effective way to ensure your staff understand the key principles. Meanwhile, additional comfort can be provided by the use of third-party certification that assesses your organisation’s systems and processes – these range from Cyber Essentials and Cyber Essentials Plus to ISO 27001. If you’d like to discuss any of these options, please contact us today or request a quote here.

Written by Mark Nutburn

Mark has over 20 years within the Certification industry and has developed cloud-based software packages supporting a variety of assessment products. During his time with the British Assessment Bureau, his roles have been embedded within the whole assessment process, helping to develop procedures and supporting cloud-based software for external clients. This has included bespoke accreditation programmes for Royal Mail’s Quality Standard in Mail Production and UK Trade and Investment’s Passport to Export scheme. This experience has led to the creation of the industry-leading, cloud-based CRM tool supporting the ISO Certification delivered by the British Assessment Bureau, with a focus on customer interaction and support while still meeting the requirements set out by industry regulators. This package is constantly evolving and has been implemented across acquisitions made by the Amtivo group, enabling smooth transition and incorporation of a variety of certification methods. You can also connect with Mark on LinkedIn.
