It’s hard to pick up a newspaper (for those of you who might still do that) or read a news site without seeing another company that’s had its data compromised. Yahoo, LinkedIn, Tumblr and Daily Motion are just a few larger companies that had their data stolen last year, bringing lawsuits, bad publicity, and derision. However, size, status, and net worth don’t determine a potential target. Hackers have shown us that no organization is safe from attacks… including yours. That’s why penetration testing is critical to the security of your company.
— CCB Technology (@ccbtechnology) July 10, 2017
What is a Penetration (Pen) Test?
Many successful hacks are done by exploiting vulnerabilities associated with externally visible servers or devices such as DNS, web, and email servers and firewalls. Penetration testing is a manual, authorized, simulated attack on a network that looks for security weaknesses within a system’s features and data. You may also hear penetration testing referred to as “ethical hacking”, “white hat” attacks or a “lights on” approach, so named because everyone is aware of, and can see, the tests being carried out.
Here are four reasons why penetration testing should be seriously considered for your organization:
1. Uncover Hidden Vulnerabilities Before Hackers Do
Many external breaches can be prevented by performing a penetration test. Pen testing shows you exactly where your vulnerabilities are or where policies can be compromised and addresses those weaknesses – proactively – before hackers find them. Bottom line: you can’t fix it if you don’t know where it’s broken!
Pen testing goes beyond finding security gaps and actively tries to exploit those vulnerabilities to see if a hacker could actually access data. It’s like an MRI for your infrastructure in that it looks for problems that may not have developed symptoms yet. It’s a true test of the effectiveness of your existing protections and it clearly reveals where your organization is leaving doors open for cybercriminals to enter.
2. Maintain PCI, HIPAA and CJIS Compliance Requirements
Although a penetration test is a wise decision for all types of companies, organizations that are required to be PCI, HIPAA, or CJIS compliant must perform annual pen tests and after any significant changes are made to network infrastructures. This may require both network and application layers, which could involve the addition of vulnerability testing.
Penetration testing is not a full compliance audit or security assessment since it does not address the dangers from within the organization, only potential threats coming from the outside. Vulnerability testing is an assessment of internal risks, that when combined with pen testing, can give you a 360-degree view of potential risk factors. Under compliance guidelines, both can be mandatory. Additionally, once vulnerabilities are addressed, retesting is required.
If you have enough credit card transaction volume to be bound by PCI or if you are storing Protected Health Information (PHI), you MUST perform penetration testing.
3. Evaluate Monitoring and Response Effectiveness
Though most companies will state that they place a high priority on security, few actually test their ability to detect, contain, and recover from a security breach. An active pen test provides the opportunity to evaluate how IT staff responds in a real life security incident. Here are areas to evaluate:
- Were IT security personnel able to detect the malicious activity?
- Did they effectively take the necessary steps to neutralize and control the threat?
- Were established communication protocols utilized to alert the company that an attack occurred?
- Did employees immediately respond and comply with alerts being sent out from the IT staff?
Your IT security staff may pass without issue, but if they aren’t able to identify compromising activity, the pen test reporting can be an invaluable tool to help them improve their incident response skills and reinforce security practices with the entire company.
4. Gain Management Support for Change
What happens when IT staff are aware of serious security weaknesses but are unable to get buy-in from management to make necessary changes? Bringing in an outside company with a reputation for security expertise could provide the analysis necessary to validate the need and convince management that additional investments are required.
The internal IT team may know that a vulnerability exists, but because they aren’t able to demonstrate the weakness effectively, management may not realize the potential risks of not adding the resources. Since an outside tester has no stake in the outcome or inside knowledge of a network’s details, management is more likely to respect their opinion after witnessing the vulnerability through testing. On the other side, pen testing can also be a confidence booster to management that their internal IT team is doing things right and reinforces their belief in their own IT team’s capability and opinions.
Who Should Do Your Penetration Test?
Do-it-yourself pen testing is not an effective alternative to hiring a professional testing company. It does not offer an unbiased perspective or the fresh look that may be needed to dig deep and find overlooked vulnerabilities. Performing pen tests require creativity, skill, experience, and training to think like a cybercriminal.
Professional pen testers are trained to use techniques that hackers use to safely exploit your infrastructure and uncover vulnerabilities. You want an expert that can think on the same level as criminals so that they know what to look for and how to solve the issues. That brings us to the primary factor you should look for in choosing a pen tester: reputation.
CCB Technology collaborates with several companies that hold Certified Ethical Hacker (CEH) certification to perform penetration testing for our clients. This means they have a minimum of 2 years of security experience and have passed a rigorous examination process. We have vetted them for their vast experience and reputation so that you can have confidence trusting them with your business, data and networks.
Here’s a simple breakdown of how the pen test process works:
- A pre-testing consultation is held to discuss the process and needed preparations.
- The Statement of Work (SOW) is defined and timelines for completion are established.
- The penetration test is performed.
- CCB meets with you to present the Network Penetration Test Assessment Report and discuss next steps for addressing any uncovered vulnerabilities.
Here’s a sample of the information provided on the pen test assessment CCB provides its clients:
The testing uncovered several potential vulnerabilities, all of these vulnerabilities should be considered legacy and would be remediated by current versions of device software and patches. These vulnerabilities are illustrated in Figure 1. The vulnerabilities were classified by the following severity levels
- Critical – (Qty. 0) – easy for attackers to exploit and require immediate attention
- Severe – (Qty. 46) – harder to exploit and may not provide the same access but still require review
- Moderate – (Qty. 29) – provide information that can assist hackers in mounting subsequent attacks
There were 75 vulnerabilities found during this scan. No critical vulnerabilities were found. Critical vulnerabilities require immediate attention. They are relatively easy for attackers to exploit and may provide them with full control of the affected systems. 46 vulnerabilities were severe. Severe vulnerabilities are often harder to exploit and may not provide the same access to affected systems. There were 29 moderate vulnerabilities discovered. These often provide information to attackers that may assist them in mounting subsequent attacks on your network. These should also be fixed in a timely manner, but are not as urgent as the other vulnerabilities.
No critical vulnerabilities were found on any of the systems. 5 systems were found to have severe vulnerabilities. Moderate vulnerabilities were found on 5 systems. No vulnerabilities were found on the remaining 3 systems.
The report then describes in more detail the types of attacks that were attempted and the recommended course of action to remediate the threats.
Are There Limitations to Penetration Testing?
Yes. As much as the test tries to think and act like a cybercriminal, testers are limited by the tools, methods and time allotments available at the time of testing. Hackers have unlimited time and no limitations on methods, whereas testers have to work within the constraints of the agreement, budget and timeframe approved by the client. It’s impossible to compete with hackers who work with limitless resources.
So… Will you be Hacked Next Week?
In the war on cybercrime, complacency can be your biggest enemy. Cybercriminals have all the time in the world to devote to planning their next attack and they only need one that works to hold your data hostage. Companies need to be prepared for any attack at any time by insuring that their protection is 100% effective.
Pen testing is not a standalone defense, but a critical part of a holistic security plan that should include documented security protocols and response plans, employee security training, network monitoring, and vulnerability testing. Comprehensive security strategies must be backed up with continuous testing to ensure that networks are adequately protected against an increasingly complex cybercrime landscape.
Need help with your security strategy?
Let our team of experts help you detect any vulnerabilities in your organization and safeguard your company against the next hack.