Ed Williams at Trustwave shares his essential guide to penetration testing
Security testing should be at the centre of any cyber strategy, serving as one of the primary ways for an organisation to identify issues in its systems, processes and applications. Keeping up a regular schedule of testing using different methodologies will greatly reduce the organisation’s exposure to cyber risk by finding and closing the attack paths most likely to be exploited by threat actors.
However, ‘security testing’ is a deceptively simple term and organisations are often unaware of the depth and breadth of different approaches and techniques it encompasses. Having a solid understanding of, say, the difference between penetration testing and red teaming, is essential if a business is to invest in the right strategy. Without this understanding, firms can end up missing serious issues by focusing on the wrong area or wasting budget on testing that doesn’t match their needs.
Automated scanning or manual pen testing?
The first thing to understand is the difference between an automated vulnerability assessment and a manual penetration test.
Automated assessments rely on scanning tools to sweep a given range of IP addresses or URLs. These scans usually have a broad focus, looking to identify as many issues as possible across the IT environment. Tools can generally be configured to focus on particular vulnerabilities, as well as reporting any discoveries rated by their severity, allowing IT and security teams to prioritise remediation.
These vulnerability assessments benefit from being low cost and easy to manage, so organisations should be aiming to maintain a regular schedule of automated scans. However, while scans are good for gaining a broad view of vulnerabilities, they are often lacking when it comes to depth and context, which can create some issues. Common problems include a tendency towards false positives or threats being given the wrong rating, as well as automated scans reporting multiple issues as separate cases when they actually stem from a single root cause.
Moving deeper requires a penetration test, which involves highly skilled security analysts using a variety of tools to identify, validate and document security weaknesses. Pen testing can start off with automated tools, but the approach is primarily manual. The main difference is the human mind’s ability to be creative and intuitive. Expert personnel can call on years of experience to find attack paths and work on hunches to uncover vulnerabilities that purely automated tests will miss.
Pen testers will provide reports that consider the risks in context to a specific business’ unique structure and risk appetite. They are more labour and cost-intensive than automated scans but should ideally be carried out multiple times a year, with ad-hoc testing when there are significant infrastructure changes such as M&A activity.
Taking things a step further, businesses can also explore red teaming exercises. Here, a team of specialists will assume the mindset of threat actors, aiming to use all their experience and tricks to meet pre-defined objectives, one of which could be to successfully penetrate the network from an external perspective. Meanwhile, the organisation’s security team will form the blue team, attempting to identify and stop the attack as best they can. Skilled red teamers will use every trick in the book, including targeted phishing campaigns on personnel, and even physically gaining access to IT equipment by infiltrating the building. Red teaming is distinct from pen testing and should only be considered by firms with a high level of security maturity.
Delving into different types of testing
Organisations can also deploy different types of tests to address specific elements of their IT environment.
Infrastructure testing for example covers the underlying networks and supporting infrastructure, including hardware, software and networks. Testing can incorporate everything from printers to SCADA systems, so it is important to reign it in with a clearly defined scope.
Elsewhere, web application testing will focus on discovering how applications perform when subjected to attacks from malicious threat actors. Attackers frequently breach web apps by discovering request strings that will trigger errors and cause the app to display sensitive data or grant access to functionality. Tests will use different inputs to root out requests that cause the application to break or throw an error. Web app tests should focus on covering the most common threats using an established framework such as the OWASP Top 10.
Mobile application testing will take a similar approach, interrogating the back-end systems the app talks to in an attempt to subvert controls or retrieve sensitive data. Mobile testing will also explore other areas such as unauthorised or unnecessary access to the device’s data and functionality that could be exploited.
Cloud testing has become particularly important as the pandemic accelerated cloud adoption plans. The main priority is to find and close the gaps between internal and cloud infrastructure that could be exploited. Effective cloud testing requires the solution architecture to be well understood, along with the responsibility and ownership of assets from different partners and suppliers.
Finding the right testing partner
Penetration testing demands extensive experience and specialist tools, which means all but the largest organisations will need to partner with a third party provider. There is a large selection of providers out there to choose from, but organisations need to ensure they find the right fit for their needs rather than just picking the one with the most attractive price point.
Before looking for a pen testing partner, it is important to have a clear idea of what the test is for, and what the scope of the activity will be. The requirements will vary greatly between a test that is simply for good practice, and one that has a specific purpose such as contractual or compliance obligations. The scope will also impact whether the pen testing team needs to have specific experience in fields like cloud or mobile.
Testers with large and diverse teams are usually a good sign, as this generally indicates a broader variety of skills and experiences across different technology stacks and industries.
Being able to boast a set of recognisable industry credentials is a reliable indicator of quality. These include: Security Certified Professional (OSCP), Offensive Security Certified Expert (OSCE), CREST Registered Penetration Tester (CRT-Pen), CREST Certified Tester (CCT) and CREST Certified Simulated Attack Specialist (CCSAS). In addition, asking for references is important as any reliable vendor should be able to name satisfied customers.
Armed with a solid understanding of how security tests operate and the requirements and objectives for their testing needs, organisations can expand their use of tests and start hitting the regular cadence needed to combat ever-evolving cyber threats. By implementing a mixture of automated scans and manual pen testing that fits their own unique operational structure and risk profile, businesses can ensure they are neither missing critical risks nor paying over the odds.
Ed Williams is Director EMEA of SpiderLabs at Trustwave
Main image courtesy of iStockPhoto.com