Is pen testing a one time effort? Definitely not!

Penetration testing, or as commonly referred to as pentesting or pen testing, is an objective security assessment that simulates a real life cyber attack. The ultimate goal of such testing is to identify vulnerabilities, weaknesses and holes in an organisation’s IT system in a proactive manner.

We hereby take a look at best practices, methodologies and approaches related to penetration testing.

Types of Pen Tests

Penetration tests can be carried out on websites, web applications, iOS and Android mobile apps, and both internal and external networks. White hat hackers create real-world scenarios to check how well the organisations’ protection and defenses would fare against a full-scale cyber attack. These tests can be organised in three streams, namely: black box testing, white box (AKA Clear Box Testing) testing and gray box testing. The difference is predominantly the level of knowledge the ethical hacker has vis-a-vis the systems being tested.

Pentesters will be on the lookout for security holes within the company, bugs in both the infrastructure configurations and the software solutions used within the organisation. During the exercise the tester will document the test scenarios and all the findings across all the completed tests. The crucial point is to uncover the risks before they become critical liabilities. The common aims of penetration tests are to test security controls, find real-world vulnerabilities, ensure adherence to compliance frameworks and to reinforce security posture.

When to run a Pen Test

There are no hard and fast rules of when to run penetration tests but best practices show that pentests are to be carried out:

• prior to the launch of a digital product;
• when there are significant changes to the network/system/application; or
• when new components and modules are installed.

Some regulated industries would have the governing entity specifying when such tests are to be executed.

A typical penetration testing methodology

For a penetration test to be well structured, a staggered approach is the most commonly used approach. The initial phase prior to the test, called the Pre-engagement assessment, covers the goal setting, the requirements gathering, intelligence gaining and scoping of the test or set of tests. In this phase the digital assets that will be tested are identified. Usually both members of the IT team and from the business side are involved in this step.

Once the scoping terms of reference have been agreed upon, the pen tests are executed. During the execution phase the dedicated ethical hacker will simulate actual cyber attacks to penetrate the in-scope systems and assets. The intention is not malicious. Identical or very similar cyber criminal’s scripts, tools and techniques are used to have the scenarios as close to real-world attacks as possible. During the tests, findings and observations are listed down.

All these are then organised in a report detailing all the discovered holes and vulnerabilities. Additional information about how they were exploited is listed together with an action list of remediations required to up the security defenses of the organisation. It is common practice to have a technical report aimed at technical resources and an executive summary for business decision makers such as C-level executives.

The main models of penetration testing considered for the execution phase are: internal testing, external testing, blind-testing (or even double blind-testing) and targeted testing.

Benefits of Penetration Testing

The external testers bring an element of objectivity needed to discover security flaws that could potentially leave an organisation exposed to hackers. The value that pen tests bring to the organisation are summed up below:

• They Discover and outline vulnerabilities that could lead to extensive damage
• They Assess impacts of security flaws on business functions
• They Judge an organisation security defenses
• They Help quantify what investment is required in security resources (both technology and human resources)
• They Aid to proactively protect against data breaches and hacks by recommending security controls updates.

Engagement Models

Pen testing should not be a one-time effort! It should be an integral part of a strategy of ongoing vigilance to keep entities secure through testing. When a company increases or changes its digital surface with new systems and/or components then it is being exposed to new risks that could open the door to cyber criminals. Companies should schedule regular penetration testing to always strive to uncover any possible security weaknesses. Cybergate offers a number of engagement models ranging from buckets of pre-paid hours of effort, to annual retainer based arrangements, to one-off fixed job engagements.

What are the next steps after a pen test uncovers vulnerabilities?

On completion of a penetration test the pen testing company provides a report to management and all the salient points are explained together with the remediation plan. During the implementation of the remediation plan pen testers can double up as consultants and in certain instances another pen-test is re-run to ensure the system was hardened and the holes and weaknesses addressed.

Remember the cardinal rule is to always be proactive and get to know about vulnerabilities before any malicious user can exploit them. Prevention is always better than cure. Discover more about our penetration testing offerings.