10 Dec What pen tests include. An interview with Cybergate’s CTO.
What do pen tests include? An exclusive interview with Cybergate’s CTO – Francesco Mifsud
A leading technologist sits with Cybergate International’s CTO and together they discuss the ins and outs of Penetration Testing in this day and age.
Why are pen tests important?
Pen tests are crucial as they identify vulnerabilities before hackers do. Vulnerabilities are weaknesses and holes in an organisation’s systems, applications, networks and infrastructure. Licensed businesses, such as banks and finTech companies, need pen tests as part of their regulatory obligations.
When one closely analyses the costs involved when an organisation is compromised, we can safely state that pen tests are money saving exercises. Let me elaborate. When an organisation is hacked the given organisation will incur fines such as from the data protection commission, will need to fight reputational damage and will definitely lose revenues due to downtime.
It is a matter of when, not if, your organisation is attacked. Better be proactive and harden your surface. As cliche as it sounds ‘prevention is always better than cure’!
Are they enough to stop cybercriminals from breaching organisations?
Pen Tests are one of the most important blocks in the whole cyber security picture. Phishing simulations, cloud vulnerability assessments and cyber awareness training are also very important in the hardening of one’s defences.
Are pen tests a one time exercise, or should organisations schedule regular pen tests?
Pen tests should be held regularly. There is no hard and fast rule as to when they should be carried out, apart from when it is imposed as a regulatory obligation. Periodically, penetration tests should be carried out when there are updates or upgrades to applications, when new interfaces or integrations are implemented, when the source code is refreshed or new code is added to the code-base of a system.
From an external perspective, hackers are always refining and discovering new techniques, to find and eventually exploit vulnerabilities and hence it is essential to ensure your system is protected against these as well.
What is achieved through a pen test?
A pen test discovers any vulnerabilities, which would in turn be addressed by the internal team of developers – therefore it is fair to say that pen tests instil trust. Some organisations even publish pentest reports to transmit a sense of trust and credibility to their clients.
In certain cases pen tests are an integral part of due diligence, such as during mergers and acquisitions. Pen tests help organisations enjoy the confidence of their stakeholders. Having your security upped can serve as a competitive advantage in the market, as well!
What are the latest trends in the world of pen tests?
You might have followed on the news the hack of Nomad Bridge whereby smart contracts were compromised due to legacy code. Finding vulnerabilities due to deprecated and legacy code is a common occurrence, when conducting pen tests.
Broken access control is another area which we frequently encounter. In this case, since systems nowadays are integrating a myriad of APIs – a good number of endpoints would not be well secured allowing cyber criminals to call the API directly and subverting the application’s logic.
When looking at the internal aspect of an organisation, a common flaw is that networks are not properly segregated or not segregated at all. With the advent of remote working, we started coming across a larger than usual number of externally open ports. When working from home, ports are opened for employees to access resources which would’ve only been accessible internally – and, more often than not, this is not done through secure VPN connections.
One last trend is the increased digital surface of organisations. More digital touchpoints are being rolled out and more complex systems are being launched. When running multiple digital systems specific pen tests would be required.
Can you please elaborate more on this last point you’ve mentioned?
Pen tests would need to be carried out on mobile apps, web apps, and infrastructure (internal / external); cloud assessments should also be done. As an example, a SaaS product would benefit from both a web application pentest as well as a cloud security assessment. Testing one whilst neglecting the other would result in hackers obtaining access via the untested avenue. After all, hackers follow the path of least resistance.
In a nutshell, can you touch upon which tests are carried out for each of the areas / tests you just cited.
Yes definitely, I’ll try to keep it brief.
For mobile apps, the pen test would take the following into account:
- Owasp Mobile (Top 10)
- Data Storage and Privacy
- Authentication and Session Management
- Network Communication
- Code Quality and Build Settings
- IOS & Android Best Practices
- Reverse Engineering
- Malware detection
- API endpoints
- Code Review
- Adherence to Best practice
When it comes to web apps our testing covers:
- OWASP(Top 10)
- Information Gathering
- Configuration and Deploy Management Testing
- Identity Management Testing
- Authentication Testing
- Authorization Testing
- Session Management Testing
- Data Validation Testing
- Error Handling
- Code Review
- Business Logic Testing
Infrastructure pen tests, which covers both the internal and external aspect, includes:
- Information Gathering
- Port & Service Scanning
- Hybrid Vulnerability Assessment & Extended Manual Testing
- Network Segregation Testing
I also mentioned Cloud assessments, which are not pen tests per se but are key to protect your data. Cloud assessments include:
- Identity and Access Management (IAM)
- Virtual Machines (EC2) and Security Groups
- Databases, Storage & Disks
- Logging & Monitoring
- And Other Services
To conclude this short interview, what would be the first step to take, to conduct a professional pen test?
System identification is the starting point. Compiling a digital asset/s inventory also helps. A priority list follows. From experience, usually, external pen tests take precedence. Priority is normally based on business criticality. A business critical aspect is for example how sensitive the handled data is (of an application or system).
Learn more about our pen tests. Request a quote.