The cybersecurity threat against business continues to grow, yet it seems that many organisations are still failing to take the necessary security action. The need to test your systems is no longer just a nice to have, it’s a must, and with GDPR coming into force it’s now essential that companies test their security to the full.
Testing can seem like a daunting prospect and many organisations don’t know where to start, or what to look for. In this page we will:
No company is ever fully secure, but by putting robust security measures in place you deter all but the most skilled and determined attackers. However, even with these measures in place it’s important that you test your security on a regular basis.
In this section we outline just some of the reasons why testing is so important and why companies need to be taking the issue seriously.
For some businesses their website is key; if that goes down then it’s going to mean lost revenue. For others it’s their customer list; without that they have no business. For many it’s all about their intellectual property. Whatever industry you’re in, you’re bound to have some critical business assets.
These critical assets need protecting at all costs and businesses should be taking the necessary action to ensure that these don’t fall into the wrong hands. Testing is the only way to ensure that the measures you have put in place are effective and that your key assets are protected from the outside world.
Threats are evolving at an ever-increasing rate and even if you believe you are secure now, it doesn’t mean you will be tomorrow. Ransomware peaked at 40,000 attacks a day in 2016 with 400,000 variants a day, and things are evolving more quickly all the time. New exploits are emerging on a regular basis and attackers are learning from successful attacks, building upon them and launching even more powerful variations. The time to react is getting shorter.
Testing on a regular basis is the best way to ensure you are protected against these attack techniques, and companies need to employ a robust testing schedule to ensure they stay on top.
Mike Tyson once said that “everyone has a plan until they get punched in the mouth” and the same can be said about cybersecurity. You can have all the processes, plans and techniques in place to deal with a potential attack, but what do you do when it really happens? How does your organisation react?
Testing can help you put this theory to the test; for example, a red team exercise can simulate a real world attack. From this you’ll get a picture of any vulnerabilities your company may have, but you’ll also see if the plans you have put in place are truly effective.
This type of test will also allow you to evaluate your response to varying levels of attack sophistication. Do you detect and respond to simple attacks but fail to pick up a more advanced breach? External testing is your opportunity to test yourself against the best.
For many organisations there are a number of barriers which are holding them back from testing their systems to the full. These barriers need to be overcome and it’s essential that companies realise the risks of security inaction. But what are some of the most common barriers to testing and how do you start to overcome them?
Keeping systems up and running is the key priority for most organisations and anything that could jeopardise your operations will obviously be avoided. This is one of the main reasons why companies don’t test their systems.
They fear a test could damage operations, take them offline or even expose their data to the world. This risk is managed rather than ignored: any good penetration testing company will agree rules of engagement with you up front, avoid denial-of-service style checks against production unless you explicitly authorise them, and use a variety of different methods to test without breakage or downtime.
This could be through mirrored or duplicated systems, by undertaking a passive test, by testing during planned downtime or by testing before going live. Whatever your situation, whatever your concern, there is a test for you.
Testing often means giving external people access to your all-important data and confidential information about the inner workings of your company. It’s a scary prospect and one that can often mean you avoid testing altogether.
Overcoming this is all about creating strong working relationships, and a good testing provider should use the initial scoping stages to walk you through the measures they will be putting in place. This will ensure your data is secure and that the adequate levels of confidentiality will be followed at all times.
The key to any successful pentest is the security improvements you make as a result of the findings. But what if you don’t have the expertise in house to interpret results, or the knowledge to undertake remediation efforts? Nobody wants to be handed a test report and then not know where to start.
This lack of after-test support can prove a stumbling block when considering a test in the first place, but by engaging with a company at the start, and by asking the right questions, you can understand the level of support a testing company can offer you.
Having an expert review your work is always daunting and no matter what job you’re in the worry is that any assessment or test is going to make you look foolish in front of your peers, as well as your boss. Why would anyone want to willingly expose themselves to this?
This is one of the reasons many companies are reluctant to undertake vital penetration tests, and in-house security professionals can often feel a sense of objection towards penetration testers, thinking they are going to belittle their hard work and expose their failings.
The reality is that penetration tests aren’t designed to belittle, or to pick holes in security efforts. They are there to support your efforts, and by working closely with in-house security teams penetration testing should make you look like a hero in the eyes of your boss, showing that you have uncovered the vulnerabilities, taken the steps to correct them and therefore improved the security of your company.
Cybersecurity responsibility should ultimately sit at board level and there is a need to ensure that risks are managed, policies are put in place, risk profiles have been conducted and the required funds released to improve the security of the organisation as a whole.
Increasingly high profile attacks have moved this agenda up the priority list and according to a report by HM Government ‘cyber risk is seen as a top, or group-level risk amongst 54% of FTSE 350 Boards’.
Whilst this is a good start there are still major concerns. Reports show that despite the risk only 5% of FTSE 100 companies have Board members with specialist technology or cybersecurity experience, 10% of Boards do not have a plan in place to deal with a cyber incident and 68% of companies say that their Board has received “no training in order to deal with a cyber incident within their organisation”.
Security can no longer be seen as a tick box exercise, one where an annual pentest is believed to be good enough. However, gaining board level buy in can be difficult when this is the case, especially when there’s a ‘if it ain't broke don’t fix it’ mindset.
You certainly don’t want your first board-level cybersecurity conversation to be after a breach and educating upper management on the risks the company face, the steps and processes that need to be undertaken, and highlighting the potential consequences of inaction is key to achieving Board level support. A cybersecurity firm can also offer a number of pretest solutions to uncover your current risks and provide you with the evidence you need to get board level commitment.
So, you recognise the importance of testing, have overcome the barriers and are now ready to start thinking about conducting a test on some aspect of your business. But what should you be looking for in a penetration test company and what are the questions you need to be asking to ensure you get the best test for you?
Trust is the biggest factor when it comes to choosing a penetration testing company. After all, you are giving them access to sensitive business information and potentially access to your live critical systems. That’s why you’ll want to do your research beforehand.
How long has the company been around? Do they have a proven track record? How many tests have they performed and how many clients do they have? What industry accreditations do they hold? Have they won any industry awards or given talks at any prestigious events?
Experience matters and the answers to these questions can show you if the company can be trusted with your all-important business information.
Your information is vital and any test needs to ensure that it remains secure throughout the whole process. What measures does the company have in place to ensure the security of your information? What security checks have testers been through? These are just some of the questions you may wish to ask beforehand.
Confidentiality may also be important to your organisation, and you may want to know if the company can offer you a confidentiality agreement to ensure the results of any test are not made publicly available.
Testing is about more than just the test, there’s a rigorous process that goes into every penetration test to ensure you get the right support and that any work undertaken is tailored to your business goals and objectives. This should start with initial scoping and understanding your requirements, right through to post-test support and interpretation of results.
Before you agree to any test it’s worth asking your proposed supplier to go through their testing methodology in full, so you can see the stages they go through, understand the support you will receive and then determine whether this methodology is right for your needs.
A penetration test is only as good as the person, or people, conducting it. So, before you commit, ask to see the credentials or CV of the penetration testers who will be working on your test. Are they in-house or are they subcontractors? If possible can you arrange a telephone call with them, or even meet in person before agreeing to the test?
Doing this will help you gauge the tester’s expertise, and also build the trust between you and the people who will have access to your organisational data.
Penetration tests are designed to discover key vulnerabilities and to provide you with practical advice in terms of remediation. The final report is the key document for this and should outline everything in a clear and concise manner.
With that in mind, you should ask to see an example report. This way you can see for yourself the layout of the document, how the key findings are reported and see how improvements recommendations are outlined.
It’s also worthwhile asking about the post-test support you may receive, what quality assurance process reports go through and how the company would go about retesting after remediations have been implemented.
Everyone has different support needs and it’s important to understand the level you require before committing to a penetration test provider. Do you need communication on a regular basis and after-test advice, or do you just need a report at the end and you’ll do the rest?
Whatever level of support you need it’s important to align with a penetration test company that can offer you this support, ensuring you get the best possible test and that you can take practical actions to improve your security following the test recommendations.
Testing isn’t a one size fits all process and there are a number of tests available to suit your needs and business objectives. Your penetration test provider should outline the test options available to you and work with you to find the most appropriate.
In this section we outline the testing options available and discuss the pros and cons of each.
Conducting a vulnerability scan is the first step to understanding your security situation. It can provide you with a valuable insight into your company's weaknesses and assess the overall risks you face.
There are a variety of tools available for automated vulnerability scanning — ranging from the simplest port scanners through network vulnerability scanners and then onto application security scanners and database security scanners. A great advantage of automated scanners is that they can be quickly deployed and provide metrics for progress in resolving vulnerabilities. The earlier an issue is addressed, the easier and cheaper it is to fix.
There are limitations however. Basic scanning tools will only find the simplest of issues, they can only scan against known vulnerabilities and then there’s the issue of false positives. This is where valid application behaviour is reported as a vulnerability, and every one of these has to be triaged by hand before the results can be trusted.
Automated scanners also have issues when new web technologies are introduced. There is typically a lag before the scanner is updated to handle new developments.
A penetration test, or pen test as it’s known, is a practical assessment used to demonstrate how potential attackers can exploit weaknesses in your IT systems. It’s capable of identifying issues that would not be found by an automated solution, weeds out false positives by confirming findings with manual techniques and requires companies to undertake a more extensive and rigorous process than simple scanning.
In a pen test, specialist consultants replicate the techniques that external malicious parties would use to ‘hack’ a site, application or a network. The only differences are that the security consultant is time-limited in their approach, testers are restricted by the scope set out before any test is undertaken and in-house security teams are usually made aware that someone will be probing their systems.
In terms of problems, pentesting can identify several types of input validation issue (e.g. code injection, SQL injection and cross-site scripting (XSS)), file upload related issues (such as the ability to upload executable files), horizontal privilege vulnerabilities (where one user can access another’s data using techniques such as ‘parameter tampering’) and vertical privilege issues (e.g. where a normal user can access administrative functionality through, for instance, a ‘forced browsing’ vulnerability).
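To make the two access-control classes above concrete, here is an added example (not Secarma’s code, and not taken from this page) of a toy web handler with each flaw in a vulnerable and a fixed form. The account records, user roles, admin paths and function names are all constructed for the demonstration; a real application would have the same checks wrapped around its own data layer.

```python
"""
Added example (not Secarma's code): horizontal privilege escalation via
parameter tampering and vertical privilege escalation via forced browsing,
each shown vulnerable and then fixed. All data below is constructed.
"""

# Constructed sample data: two ordinary users and one admin.
ACCOUNTS = {
    101: {"owner": "alice", "balance": 500},
    102: {"owner": "bob", "balance": 2500},
}
USERS = {
    "alice": {"role": "user"},
    "bob": {"role": "user"},
    "carol": {"role": "admin"},
}


class Forbidden(Exception):
    """Raised when a request fails an authorisation check."""


# --- Horizontal privilege: parameter tampering on an account id -------------

def view_account_vulnerable(session_user: str, account_id: int) -> dict:
    """Trusts the id the client supplied: alice can simply request id=102."""
    return ACCOUNTS[account_id]


def view_account_fixed(session_user: str, account_id: int) -> dict:
    """Checks that the record belongs to the authenticated user."""
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session_user:
        # Same response for "missing" and "not yours", so the check does not
        # become an oracle for which ids exist.
        raise Forbidden("account not accessible")
    return record


# --- Vertical privilege: forced browsing to unlinked admin pages ------------

ADMIN_PATHS = {"/admin/users", "/admin/export"}


def route_vulnerable(session_user: str, path: str) -> str:
    """Admin pages are 'protected' only by not being linked in the UI."""
    if path in ADMIN_PATHS:
        return f"admin page {path} for {session_user}"
    return f"page {path}"


def route_fixed(session_user: str, path: str) -> str:
    """Enforces the role server-side on every admin path, not just in menus."""
    if path in ADMIN_PATHS:
        if USERS.get(session_user, {}).get("role") != "admin":
            raise Forbidden("admin role required")
        return f"admin page {path} for {session_user}"
    return f"page {path}"


def demo() -> dict:
    """Runs both attacks against both versions and records what each allowed."""
    results = {}
    # alice tampers the id parameter to read bob's account.
    results["horizontal_vuln"] = view_account_vulnerable("alice", 102)["owner"]
    try:
        view_account_fixed("alice", 102)
        results["horizontal_fixed"] = "allowed"
    except Forbidden:
        results["horizontal_fixed"] = "blocked"
    # bob types an admin URL he was never shown a link to.
    results["vertical_vuln"] = route_vulnerable("bob", "/admin/users")
    try:
        route_fixed("bob", "/admin/users")
        results["vertical_fixed"] = "allowed"
    except Forbidden:
        results["vertical_fixed"] = "blocked"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The fixed versions show the pattern a tester is looking for when reporting these issues: ownership of the object is checked against the session, not against anything the client sent, and the role check lives in the server-side route rather than in whether a menu item is rendered.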
Protecting systems and data is key during the testing process and pentest companies will work with organisations from the beginning of scoping to ensure the most appropriate testing methods are utilised and that all necessary measures are put in place so not to cause any unwarranted downtime or data breach.
Red teaming is the most advanced test that a company can employ and is designed to simulate real-world threat actors utilising weaknesses in any aspect of your organisation – including your networks, applications, people, and the physical security of your facilities.
Unlike penetration testing, red teaming is goal-based and testers have a much broader scope in which to attempt to gain access to resources critical to your business. This provides companies with an invaluable opportunity to test their own ability to detect, protect and respond efficiently to an attack.
The main consideration is that of scope. Companies can absolutely adjust the scope of the red teaming so that they’re comfortable with the techniques deployed and the levels of access granted, but the more open the scope, the more representative the exercise is of a real attack, and therefore the more valuable the findings.
The most effective way to gain assurance across your whole estate is to utilise all three testing methods. Red teaming can provide you with an overall picture and allow you to ensure your critical resources are secure. Penetration testing can help you uncover vulnerabilities within specific areas, or allow you to test new applications, and vulnerability scans can provide a good overview of security on your less critical applications.
At Secarma our experienced security consultants are here to support you throughout the testing process, from initial consultation and scoping right through to interpretation of the results and post test support. Whatever your testing requirements, we’re here to help.
To find out more about our testing services visit our website, or alternatively fill out the form below to receive a callback from one of our experienced account managers.