What is Penetration Testing?
Penetration testing — or pen testing — is a cybersecurity measure used to assess a range of digital systems, applications and networks. Imitating the movements of a hacker, a penetration tester will try to work their way around your system’s security. Penetration testing should be conducted in an ethical manner, keeping legitimate business security at the forefront.
Do I Need a Penetration Test?
Any company that uses technology should conduct yearly penetration tests to ensure that their systems aren’t vulnerable to malicious attackers. Depending on the size of your organisation, we suggest that you get tested every year, at a minimum. That being said, if your organisation develops critical software or proprietary technology, we highly recommend you continually conduct penetration test whenever a new update or patch is deployed.
Who is CREST? What Does CREST-Certified Mean?
CREST is the Council for Registered Ethical Security Testers. It is a certification body and a seal of quality that requires companies to partake in meticulous tests to assess their data security, testing method and business processes to achieve. The certification requires that the accredited cybersecurity company meets the fastidious standards of CREST.
Types of Penetration Testing
Internal infrastructure testing involves a team physically visiting your premises, plugging into your network and attempting to access systems they shouldn’t be able to. This replicates what would happen if a malicious party tried to gain access to your systems via an external source. It also demonstrates what would be possible for a rogue employee to achieve. In addition, if an internal employee’s account was compromised — via social engineering, for example — it would show the level of damage that malicious party could achieve with a compromised account.
During external infrastructure testing, a team will attempt to access your internal systems via the internet (from a remote location, outside of your company), replicating the activities of a hacker. They will attempt to access via systems such as your mail server, VPN, firewall and any other systems you have which faces the publicly accessible web.
Web application testing is when a team will attempt to compromise your web application, usually by manipulating data that sits in your web server. In addition, they will try to install and run rogue code which they should not have the privileges to do, this is often referred to as ‘privilege escalation’. They, also, will try to take control of the server which is hosting the website, giving them the ability to delete or copy the entire site and all the data. (Harmless when conducted by penetration tester, but in the hands of a malicious party, this could be catastrophic.)
How Long Does It Take?
The time taken to perform a penetration test depends on many factors, including the size of the network being tested, the experience of the tester, whether the test is external or internal, the complexity of the system and other such variables. We recommend the minimum time to test any system would be one day of testing and another day of report generation.
What is the Process?
- Scoping – Discuss existing technologies and the points of your network.
- Intelligence Gathering – Research and investigation existing systems for information that could indicate potential attack vectors.
- Vulnerability Analysis – Utilising the system & infrastructure assessment, vulnerabilities will be exploited as a proof of concept and logged.
- Exploitation and Escalation – Attacking any weaknesses found in the previous stage. Once successful, privilege escalation is used to benchmark the potential impact of the vulnerability.
- Reporting and Remediation – The team will provide you with a written report on their findings and recommendations tailored to the risks they found.
Can a Penetration Test Be Performed Remotely?
Most types of penetration tests can be performed remotely using VPNs but some tests will require a member of a cybersecurity team to be on-site, such as internal infrastructure testing.
Can It Affect Business Operations?
Penetration tests are performed to assess and exploit vulnerabilities with very little disturbance to the client’s operations. Areas of testing are usually replicated and sandboxed from the live network to minimise the impact on business operations.
At Samurai, we don’t believe in handing in a report and parting ways. We’re here to discuss the vulnerabilities we find within the context of your business and help you find the correct steps to remediation. Our approach is to ensure that all of our clients reach a level of security that reflects their risk and potential impact.