A creative title for an article we know. We at Cybra Security remember a time when Penetration Testing, or Pentesting as we call it, was sexy. Now it seems that Pentesting is just part and parcel with most mature security programs these days. The sexiness has been clouded (pardon the pun). But here at Cybra Security, Pentesting is still very much sexy and forms a core part of our specialist services portfolio. Thus, we found it appropriate to put pen to paper and write an article on the current state of Penetration Testing, how it can benefit new customers that might not be aware of what it is, and some commentary around Pentesting in the modernsociety we have found ourselves living in.
What is Penetration Testing?
Penetration Testing, colloquially termed as Pentesting or ethical hacking, is an authorised simulated cyber-attack designed to identify and evaluate the risks and vulnerabilities in an organisation’s IT Systems. Organisations perform this test to detect what type of cyber-attacks they are likely going to be faced with, estimate the threat of unauthorised parties gaining access to data, and understand the risk associated with a compromise. This gives organisations the tools necessary to perform an effective cost-benefit analysis of what security controls should be invested in to prevent such a breach from occurring.
Or to put it simply, Penetration Testing is defined as “a way for gaining assurance in the security of an IT system by attempting to penetrate some or all of that system’s security, using the same tools, methods and techniques as an adversary.”
On top of that, the statistics from market and industry surveys reveal that the global penetration testing market will increase at a Compound Annual Growth Rate (CAGR) of 13.8%, from USD 1.6 billion in 2021 to USD 3.0 billion in 2026. So, you can see the popularity and demand for Penetration Testing is growing in alignment with the uptick in global cyber-attacks.
Some Obvious Benefits
Compliance
Yes, it is true; Penetration Testing can be used as a tick mark on a multitude of compliance checkboxes in multiple industry standards. Things like ISO 27001 and PCI DSS require annual Pentesting. Some organisations conduct Pentesting activities to meet this compliance, and there is nothing wrong with that because, at the end of the day, Penetration Testing is essential to ensuring the security posture of any business.
Detect Cyber Risks and Vulnerabilities
When an organisation has a proactive approach to security (the best type of client), they invest some of their security budget to perform Pentesting of their environment, networks and systems and use the results of the test to prioritise their security spending going forward. It is a highly effective method of staying on top of threats and getting a real-world, independent, non-biased view of where your organisation’s risks are.
Target The Whole Business or Focus In On Key Areas?
Getting a Pentest may be confusing at first. What does it cover? Well, that is entirely up to you! You can get your entire IT environment, including networks, cloud, servers, workstations, applications – or – you can narrow down the Pentest on particular key areas of your business. Here are some popular scenarios often chosen by Cybra Security customers:
External Network Penetration Test
Tests the security of your internet-facing infrastructure, including firewalls, web servers, DNS, leaked credentials and more. This is a good test to ensure your internet perimeter is nice and secure.
Internal Network Penetration Test
Traditionally, this is one of the most beneficial types of security test. If an attacker was to sneak onto your internal network (through a misconfigured firewall, leaked VPN credentials or a phishing email) then what defences do you have to contain the attacker and protect your most valuable information assets and systems? This test simulates an attacker on your network and will identify your vulnerable areas, such as lack of patch management, weak password policies, access control issues. It provides great coverage for any business, big or small.
Web Application Penetration Test
If you are an organisation developing your own web application for your customers, such as retail or banking, or if you are an organisation that is acquiring a new application for use internally, then this test is for you. Before releasing your application to the public, or before turning it on inside your network, you want a Pentest of it to ensure it is not vulnerable to web-based attacks. Web-based attacks are very prevalent in this day and age and websites and applications are a major cause of data breaches and credential theft.
Mobile Application Penetration Test
If you develop mobile applications or have acquired one for use within your organisation, a mobile app Pentest is essential in ensuring the application has been developed using secure coding practices. Mobile apps face the same risks and threats as websites and applications, with a larger attack surface due to local configurations, such as where the device stores your banking PIN.
Some Not So Obvious Benefits
Upskilling IT Team and Test Incident Response
Hopefully, your organisation has never faced a serious cyber incident or breach before. Most organisations have Incident Response Plans and procedures to follow in order to detect and triage incidents. But just like backups, these need to be tested to ensure they actually work. This is where Penetration Testing comes into play, providing both immediate and long-term value by automatically identifying essential maintenance priorities and gives the team real-world experience in what an ongoing cyber-attack looks like, feels like, and the effects that the business might have if successful. This equips your team with a higher degree of confidence and the ability to defend your organisation in the future.
When a Pentest is underway, your IT Team can monitor and watch various events and logs from your systems, and see what it looks like when an attacker is infiltrating your network. You can put a plan in place and ask your team for an analysis or debrief of the exercise and learning outcomes. Cybra Security can work alongside your IT Teams during a Pentest if you like, which can look more like a Blue Team or Purple Team exercise.
On the flip side, you may want your IT Team to be unaware a test is being conducted so you can assess your team’s responsiveness and ensure that they are following appropriate processes and procedures. We have conducted tests in the past where we created a Domain Administrator account on a company’s Active Directory server, and nobody noticed. The manager was not impressed, to say the least; however, this is a good learning exercise. The point of testing security is to identify all risks to your business and assets, and a lack of adherence to security policies is definitely one that should be rectified.
Scams and Phishing
While this article is focusing on Penetration Testing, some friendly advice would be to develop remote working policies for staff and give further guidance in how they can keep their own home networks secure, such as secure WiFi, securing personal devices and best practices. Because at the end of the day, if an attacker can compromise a staff member at home, that opens a door into your network.
The Australian Cyber Security Centre (ACSC) received over 1,500 cybercrime reports per month of malicious cyber activity related to the coronavirus pandemic (approximately four per day), with more than 75 per cent of these relating to individual Australians reporting loss of finances or personal information to scams and online fraud during the 2020-2021 period.
How does this affect your organisation? Although these scams and phishing emails are targeting individual users, if a phishing email lures a staff member to click a malicious link or download a malicious document, then the attacker could have access to the staff member’s computer. That computer might be owned by your organisation, or a personal device, but regardless, the attacker is now on the same local network as your staff member, who has a remote connection into your network.
Remote Access
We have also seen an uptick in customers asking for External Penetration Tests, specifically focusing on their Remote Access and VPN solutions. Acting as an attacker would, our consultants get to work using the latest tools and techniques to see if your defences stop bad people from getting in.