Penetration testing is a simulated cyberattack that you launch against your own computer system, for the purpose of discovering any vulnerabilities. The process can be somewhat expensive and it’s also time-consuming – but consider the alternative, which is not knowing whether or not your network is capable of withstanding an attack. No business owner wants to live with that kind of uncertainty, so conducting some comprehensive penetration testing is far more attractive by comparison.
How To Go About It
This is not something you should attempt on your own, because you may end up doing more harm than good. You’ll need to bring in some security experts who can safely conduct the testing for you, so that your network suffers no damage in the process. They will also be able to offer you some keen insights and takeaways from the results of the testing. Ideally, any weak points in your network will be discovered, and you’ll have the opportunity to shore them up before a cyber attacker exploits them.
Your security experts will provide expert guidance during all phases of the penetration testing, before you start, during the procedure, and in the aftermath. There are several different types of penetration testing, and the one which would be best suited for your business will depend on the kind of business you have and the level of complexity of your network. The major forms of penetration testing are described below.
Web Application
As its name suggests, this type of testing focuses on web applications. Testing web applications is generally fairly detailed and also fairly time-consuming. Businesses are using more web applications than ever, most of which are easily available and often rather complex as well. Most of the exposed attack surface is the web application itself, and some apps are more vulnerable on the server side, while some are more exposed on the client side. Regardless of which side is the more vulnerable, every web application used by your business increases your attack surface to external elements, and increases the risk of an attack. Even though this kind of penetration testing can be costly and very lengthy, it is crucial to perform such testing because of the high risk presented by web applications.
Network Infrastructure
This is probably the most common type of penetration testing, and it’s the one most people think about when they envision penetration testing. There can be several different ways to conduct this kind of testing, depending on what you want to focus on. For instance, you may decide it’s more important to focus on your network’s external structure, and bypass poorly established external firewalls. On the other hand, you may want to focus more on internal infrastructure, and avoiding a Next Generation Intrusion Prevention System (NGIPS).
For internal testing, you would pay more attention to testing segmentation policies, which causes an attacker to emphasize lateral movement in your system. When dealing with external testing, the attack would focus more on protecting the perimeter, and all the exposed surfaces, for instance bypassing a Next Generation Firewall (NGF). Staged network attacks generally include bypassing endpoint protection systems, stealing credentials, testing routers, discovering legacy devices, intercepting network traffic, and discovering third-party appliances attached to the network.
Social Engineering
When you conduct social engineering testing, it involves baiting, pretexting, and phishing. Given the fact that human employees are often the weakest link in any network chain, it is essential to carry out this kind of testing. In a nutshell, the idea is to try and get an employee to click on a link in a bogus email, or to take some other kind of action that will compromise your system. Once an attacker has an entry point into your network, they can literally do anything. Clicking on a bogus link will generally have the effect of authorizing access to the attacker, downloading malware, or provide credentials to the attacker. Carrying out this kind of testing will reveal how vulnerable your business is to human mistakes, and it will point up the need for better security training.
Physical Security
This form of penetration testing focuses on all the physical ways that a cyberattacker might gain access to your building or to business-critical information. Discarded papers or documents may have confidential information that can be used to gain access to a building, or to compromise security in some way. When an attacker has access to your building, it then becomes possible to eavesdrop and gain knowledge of important data, or they can plant listening devices to record conversations between executives and managers. This kind of penetration testing doesn’t usually receive as much attention as digital security, but it can be just as important. For instance, no matter how great or sophisticated your network security is, it can be compromised by an attacker who discovers valuable information from a physical penetration of your building.
Wireless
Penetration conducted on wireless systems explicitly seeks to test the vulnerability of any wireless networks you have in place. Any wireless network that may be configured in an improper manner, might well be exploited by a knowledgeable hacker, especially if there is weak authentication. If your wireless network has weak protocols, they can be exploited by someone outside your building. The importance of this kind of testing can hardly be overstated, since businesses are using more and more mobile devices all the time. But those devices aren’t always properly secured, and if employees use their mobile devices on unsecure, open networks, it’s very possible for a hacker to exploit that to their own advantage.
Closing
Most companies choose to do a light Pen-Test or check a box by auditors or some regulatory requirement such as testing firewalls or a web application neglecting other entry points. Cyber-attackers will choose whatever is best for them. Time/reward/ data worth and so on. Typically they will choose easiest and direct way to the data without making too much “noise”.
If you are an IT manager or CISO please think out of the box.
Think like you the Hacker, knowing what you know will help you to make the most of your penetration testing project and not just checking a box.
About The Writer
Mr. Behar founded 2Secure in 2003 and this is his 2nd business.
Prior to his move to the USA from Israel he worked as a security consultant for Avnet Cyber & Information Security LTD. providing information security guidance to various clients including government, financial and privately held companies.
Since 2004 Mr. Behar is constantly growing his business and sets the future vision and direction of the company. He likes to meet each client personally, providing a personal touch, along with his expertise in Cyber Security and business development.
Mr. Behar has over 24 years of an extensive experience in the IT world.
You can contact me by email: cyber@2secure.biz
