The New Rules of Penetration Testing
In the past, penetration testing was a fancy name for breaking through a network firewall. However, as technology advances and breaches become even more dangerous – costing an average of £2.53 million, according to research sponsored by IBM – security executives need to revisit pen testing to make sure it is an ongoing practice in their defense arsenals. By far, organizations who regularly see what damage skilled attackers can do once inside their networks, make much smarter decisions about what to do to protect their infrastructures.
Know why and when to test
Pen testers across Europe have uncovered important vulnerabilities in recent months – including the recent example of the Uber system in Portugal. Pen testing is an essential component of a complete risk assessment strategy. If organisations don’t know the level of access hackers can gain within their systems, how can they help prevent attacks? By consistently conducting pen testing, you can identify vulnerabilities, prioritize weaknesses, remain compliant, and avoid losses due to customer dissatisfaction, loss of reputation, legal activities, lowered employee productivity, and reduced revenue. Given that hackers often are using the most advanced technology, a “one and done” approach will not work with pen testing. For the best protection against hacks, rely on pen testing regularly and also when:
- Your organisation adds network infrastructure or applications
- Infrastructure or applications undergo significant upgrades or modifications
- New office locations open
- Your organisation applies security patches
- End user policies change
Have a plan
To gain knowledge that will give way to security improvements, pen testers must go as far as they can into the vectors they’re testing. They need to test across systems, devices, and applications to reveal how chains of vulnerabilities give access to the organisation’s critical systems and data. Following a proven, consistent process will lead to the best results.
- Plan and prepare - Before testing, make sure everyone agrees on clear objectives for conducting a test. Also decide how results will be analysed, and identify the systems, operations and staff that will be involved.
- Conduct discovery - Gather as much information as possible about your target. This will be used when penetrating it. Network discovery attempts to discover additional systems, services and devices. Host discovery determines open ports on those devices. Service interrogation finds actual services running on the ports. With the information gained from discovery in mind, prioritize which vulnerabilities to test first.
- Attempt penetration - Try to penetrate vulnerable targets, then look for subsequent exploits that can be initiated from the successful attempts. Hackers often do this through higher levels of security clearance and information from privilege escalation.
- Analyse and report - Highlight the most high-risk targets first, so the organisation acts on the highest priorities and may choose to accept risk for the lower ones. The report should contain:
- A summary of successful penetration scenarios
- Information gathered during testing
- A description of all vulnerabilities
- Suggestions and techniques to resolve vulnerabilities
- Clean up - If not conducted properly, pen testing can result in disarray in your organisations’ systems. To avoid this, keep a detailed list of actions performed during the test, so restoring compromised hosts to their original states is easy. Once they’ve been restored, test to ensure they’re properly functioning to avoid a negative impact on operations.
- Be prompt with the patch - Before testing, make sure everyone agrees on clear objectives for conducting a test. Also decide how results will be analysed, and identify the systems, operations and staff that will be involved. Lost business makes the most significant financial impact on organisations that suffer a data breach. But many other issues arise when a company’s security controls are compromised. To combat them, determine how effective your existing controls are against skilled hackers. Pen test. Are you using these rules? If not, what are you doing to keep your business safe?