As network technologies and application features evolve at an ever-increasing rate, so too have the associated security vulnerabilities. But have our efforts to identify these vulnerabilities kept pace? Has security external and internal penetration testing evolved since its origin in the seventies? How have we changed our security testing approach, tools and methodology to meet the challenges of the changing threat landscape? To answer those questions, we’ll need to understand penetration testing.
What is penetration testing?
Penetration testing is different from vulnerability scanning. A vulnerability scan is used to identify, rank, and report vulnerabilities while a penetration test is used to exploit vulnerabilities or otherwise defeat the security controls and features of a system. Penetration testing is an authorized and proactive effort to assess the security of an IT infrastructure by carefully running tests to exploit vulnerabilities of the system, comprises in an operating system, misconfigurations, service errors, and even unsafe end-user behaviors. These evaluations help confirm the effectiveness of defensive mechanisms and adherence of end-users to security procedures. There are typically two types, External and Internal.
Penetration testing is conducted externally and attempts to exploit critical vulnerabilities that could be exploited by an adversary to remotely compromise client networks disrupting business operations, destroying data, or stealing sensitive information.
An internal penetration test always assumes that you have internal network access. It can provide valuable insight if you are worried that a rogue employee could try to access data that they’re not authorized to view. Internal penetration tests can also tell you how much damage an intruder could do if one of your employees mistakenly opens an attachment on a phishing email, or how far a visitor to your site could get by plugging their laptop into the local network.
Finally it is important to note that Internal Penetration testing is different from Internal Vulnerability Scanning. An Internal Vulnerability Scan, sometimes referred to as a Credentialed Scan, is used to identify, rank, and report vulnerabilities while a penetration test is used to exploit vulnerabilities or otherwise defeat the security controls and features of a system. This will provide additional analysis of business risk and can be used to assist risk mitigation investment decisions. Using both approaches provides a better analysis of business risk and can be used to make better risk mitigation investment decision. Internal Vulnerability Scanning will be covered a future post, so stay tuned!
Who needs Penetration Testing?
The goal of professional or amateur hackers is to steal information from your corporation. They may be after money or simply seek to sabotage your company. If you think about it, one single incident of system downtime can make a huge impact on your company’s reputation. Your business partners or customers may think twice about the security of their relationship with your company.
You may think a Windows® firewall and regularly updating your password is enough to ensure your security. Sadly that is not enough. Highly skilled hackers can get into your system easily and get all necessary information from you without you even knowing it.
Any company, corporation, or organization that relies on IT should have their system security tested regularly and update their security features to prevent the negative effect of system downtime and illegal hacking.
Penetration Testing – The Benefits
There are numerous benefits of employing penetration testing.
1. Detect and arrange security threats
A penetration test (pen test) estimates the ability of an organization to defend its applications, networks, users and endpoints from internal and external attempts to dodge its security controls to achieve privileged or unapproved access to protected assets. Pen test results confirm the threat posed by particular security vulnerabilities or faulty processes, allowing IT management and security experts to arrange remediation efforts. Organizations can more efficiently anticipate emergent security threats and avoid unauthorized access to crucial information and critical systems through executing regular and complete penetration testing.
2. Meet monitoring necessities and evade penalties
IT departments address the overall auditing/compliance facets of procedures such as HIPAA, SARBANES – OXLEY, and GLBA, and report testing necessities recognized in the federal NIST/FISMA and PCI-DSS commands. The complete reports produced by the penetration tests can assist organizations in evading substantial penalties for non-compliance and let them illustrate ongoing due diligence into assessors by maintaining required security controls to auditors.
3. Circumvent the rate of network downtime
Recuperating from a security flaw is expensive. Recuperation may include IT remediation efforts, retention programs, and customer protection, legal activities, reduced revenues, dropped employee output and discouraged trade associates. Penetration testing supports an organization to evade these financial setbacks by proactively detecting and addressing threats before security breaches or attacks take place.
4. Protect customer loyalty and company image
Even a single occurrence of compromised customer data can destroy a company’s brand and negatively impact its bottom line. Penetration testing helps an organization avoid data incidents that may put the company’s reputation and reliability at stake.
5. Service disturbances and Security breaches are expensive
Security faults and any associated disruptions in the performance of applications or services may cause debilitating financial harm, damage an organization’s reputation, grind down customer loyalties, generate negative press, and incur unanticipated fines and penalties. Frequent employment of penetration testing avoids these expenses by the organization.
Penetration testing helps your organization avoid IT infrastructure invasions. It is better for your business to proactively maintain its security than to face extreme losses, both to its brand equity and to its financial stability.
Penetration testing should be carried out whenever there is a change in the network infrastructure by highly experienced experts who will scrutinize internet connected systems for any weakness or disclosure of information which could be used by an attacker to compromise the confidentiality, availability or integrity of your network.
If you would like more information, contact LP3. We will be glad to help you make an informed decision on penetration testing for your IT environment.
Jeff Grim is CTO/CISO of LP3 and provides enterprise cyber security architecture advice to government and commercial clients.