What are the different types of penetration testing?


In this blog article, we describe the different types of penetration testing and various approaches (black, white and grey box) that make up the general range of strategies employed to conduct a penetration test.

There are many different testing methodologies. They are generally categorised into:

  • Networks (external, internal, mobile, wireless)
  • Applications (mobile, Web, Web service/API)
  • Physical security & Social engineering
    • Phishing
  • Secure code reviews
  • Red teaming

Networks


External Network Penetration Testing

An external penetration test is an authorised hacking attempt against your organisation’s Internet facing servers, such as Web and email servers and ecommerce infrastructure. This test aims to harden the external facing network against attackers attempting to compromise vulnerable hosts from outside your organisation’s perimeter.

Internal Network Penetration Testing

Internal penetration testing aims to identify and exploit vulnerabilities from within your organisation’s perimeter defences. Testers are typically given onsite access (similar to the way employees or contractors could connect to an internal environment). They then attempt to escalate privileges and gain access to sensitive information. For certain environments, such as data centres, jump hosts are used to test remotely via your organisation’s VPN access.

Mobile Device Penetration Testing

BYOD has significantly increased the cyberthreat surface by creating a variable endpoint ecosystem. Employee personal information may be used for social engineering, allowing a cybercriminal to gain a foothold into your organisation, and employee access credentials may be used to attack the portal that the mobile device connects to and compromise sensitive information.

Mobile device penetration testing attempts to bypass authentication on mobile devices including laptops, tablets and smartphones to assess whether stolen or lost devices can be compromised and then used as a pivot to compromise an organisation’s sensitive information. Testing can also assess third party MDM implementations and devices configured with MDM policies.

Wireless Penetration Testing

An insecure Wi-Fi network opens your organisation to a myriad of attacks that could compromise your sensitive information. A Wireless Penetration test aims to detect and exploit vulnerabilities in security controls employed by a number of wireless technologies and standards, misconfigured access points and weak security protocols.


Applications


Mobile App Penetration Testing

Mobile App penetration testing is an authorised and simulated hacking attempt against a native mobile application (such as Android, Windows and iOS) that aims to identify and exploit vulnerabilities in an application, and the way it interacts and transfers data with back-end systems.

Web Application Penetration Testing

Untested applications remain the most common point of attack on an organisation. Web application vulnerabilities have resulted in the theft of millions of credit cards and compromised sensitive information for organisations and end users. A Web Application Penetration test targets open-source and commercial software and custom web applications to identify and exploit vulnerabilities relating to authorisation, security configuration and data protection mechanisms.


API Penetration Testing, including Web Services

A Web Service Penetration Test aims to identify and exploit vulnerabilities in the architecture and configuration of a web service. The purpose of this test is to strengthen the security of data exchange by demonstrating the ways a cyberattack could compromise a web service and gain access to an organisation’s information assets.


Physical & Social Engineering Penetration Testing


Physical penetration testing is the process of identifying and bypassing the security controls implemented on buildings and data centres, and testing employees’ operational security awareness. All targets and exclusions follow specific pre-agreed criteria. To prevent negative business impacts during testing, access is generally demonstrated with low-impact methods: tagging unsecured devices, sending an email from unattended devices, and identifying and photographing exposed paper documents containing sensitive information (in line with the client’s security standards).

Closely linked is social engineering penetration testing, which replicates how cybercriminals target employees to gain privileged access to protected systems and information by:

  • Tailgating – the tester will attempt to follow employees into secure areas.
  • Pretexting – the tester will impersonate an employee and attempt to persuade employees to divulge confidential information.
  • Baiting – the tester will leave USB keys, infected with malware, inside and outside the building for employees to find and insert into a computer.

Phishing Attacks Risk Assessment & Penetration Testing

A specialised type of social engineering is phishing. It takes only one user to fall prey to a phishing scam for an attacker to gain a foothold in your organisation. A phishing risk assessment and penetration testing service helps you to understand your organisation’s phishing posture and prepare for ransomware and other phishing introduced threats.


Baseline Penetration Testing allows you to measure your organisation’s phishing risk. A simulated phishing campaign is sent to all end-users, or just a select control group. By tracking open and click-through rates, the campaign provides key stakeholders with a baseline of the organisation’s phishing risk.

A more advanced Phishing Penetration Test also assesses the performance of the security stack at the desktop/server level and across the inbound and outbound points of the network. The technologies assessed include file extension handling, port filtering, MIME type checking, anti-virus, application whitelisting and proxy filtering.
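As an added example (not code from the original article), the following Python computes the open and click-through rates that a baseline phishing campaign reports, from a constructed event log for a hypothetical campaign with two recipient groups; the group names, recipients and events are assumptions. Two details matter for an honest baseline: rates are counted per recipient rather than per event, so repeated opens from a mail preview pane do not inflate the figure, and a click is treated as an implicit open because image blocking frequently suppresses the tracking pixel.

```python
from collections import defaultdict

# Constructed sample event log for a hypothetical simulated phishing campaign
# (group names, recipients and events are assumptions, not real data).
# Each tuple: (recipient, group, event). One recipient may generate several
# events, so rates are computed per recipient, not per event.
SAMPLE_EVENTS = [
    ("alice", "finance", "sent"),
    ("alice", "finance", "opened"),
    ("alice", "finance", "opened"),        # repeated open (preview pane): counted once
    ("alice", "finance", "clicked"),
    ("bob", "finance", "sent"),
    ("bob", "finance", "opened"),
    ("carol", "finance", "sent"),
    ("dave", "engineering", "sent"),
    ("dave", "engineering", "clicked"),    # click with no logged open (tracking pixel blocked)
    ("erin", "engineering", "sent"),
    ("erin", "engineering", "opened"),
    ("frank", "engineering", "sent"),
    ("grace", "engineering", "sent"),
    ("mallory", "engineering", "opened"),  # never sent the phish: stray event, ignored
]


def summarise(sent, opened, clicked):
    """Build one row of the baseline from sets of recipients."""
    n = len(sent)
    return {
        "sent": n,
        "opened": len(opened),
        "clicked": len(clicked),
        "open_rate": len(opened) / n if n else 0.0,
        "click_rate": len(clicked) / n if n else 0.0,
    }


def baseline_rates(events):
    """Return {group: row} plus an "overall" row; rates are fractions of
    recipients the simulated phish was sent to.

    A click implies the email was opened, so clickers are counted as openers
    even when the open was never logged. Events for recipients who were never
    sent the email are discarded.
    """
    sent = defaultdict(set)
    opened = defaultdict(set)
    clicked = defaultdict(set)
    for recipient, group, event in events:
        if event == "sent":
            sent[group].add(recipient)
        elif event == "opened":
            opened[group].add(recipient)
        elif event == "clicked":
            clicked[group].add(recipient)
            opened[group].add(recipient)

    report = {}
    all_sent, all_opened, all_clicked = set(), set(), set()
    for group, recipients in sent.items():
        opened_g = opened[group] & recipients    # drop events from non-recipients
        clicked_g = clicked[group] & recipients
        report[group] = summarise(recipients, opened_g, clicked_g)
        all_sent |= recipients
        all_opened |= opened_g
        all_clicked |= clicked_g
    report["overall"] = summarise(all_sent, all_opened, all_clicked)
    return report


if __name__ == "__main__":
    for group, row in baseline_rates(SAMPLE_EVENTS).items():
        print(f"{group:12s} sent={row['sent']:2d} "
              f"open={row['open_rate']:.0%} click={row['click_rate']:.0%}")
```

Running the block prints one row per group and an overall row; for the constructed log, the finance group shows a 67% open rate and 33% click rate, while engineering shows 50% and 25%, which is the kind of per-group baseline the article describes reporting to stakeholders.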


Red Teaming


A red teaming assessment is the process of using all available resources (broad scope) to demonstrate the impact of a targeted cyberattack. This can include identifying and bypassing security controls implemented on buildings, websites, servers, networks or by finding ways to abuse or bypass policy or processes implemented within an organisation. By conducting this type of assessment, you can understand the effectiveness of current security controls and adherence to security policies and procedures in every way that they are exposed to threats.

During a red teaming assessment, testers will mimic the behaviours of a malicious hacker to understand what sort of vulnerabilities exist and what information they may be able to compromise.


Secure Code Reviews


Secure code reviews focus on identifying vulnerabilities in application source code that could allow exploitation or abuse.

Testers conduct research on how the application is used on a day-to-day basis, identifying its design and business objectives and the existing security controls that have been implemented. Then, using specialised security source code review software, the source code is analysed to identify application inputs, the attack surface, simple coding errors and vulnerabilities.

The vulnerabilities identified include those that can be found through web application penetration testing as well as many others. During this stage, a hands-on approach is also taken, not only to confirm valid findings but to identify possible logic flaws or design failures in the application that cannot be discovered using automated processes. Where required, and if possible, weaknesses identified during the discovery stage can be confirmed through actual exploitation. This allows you to understand your risk level as accurately as possible.


Which approach: Black, White or Grey Box?


You will discuss the approach that best meets your organisation’s needs with your penetration testing provider during the project scoping stage. Your chosen provider will work with you to develop a customised test plan that will identify the objectives, scope, approach, limitations (e.g. avoidance of disruption of business operations) and legal and confidentiality requirements.


White Box

All the information that testers require is provided/accessible. This is useful for:

  • Facilitating testing of all known and unknown vulnerabilities.
  • Organisations new to penetration testing, where a pen test is completed following a vulnerability assessment.
  • Where the aim is to also simulate an internal attack.

Grey Box

Limited information is provided to testers (e.g. logins). This is useful for:

  • Where the aim is to simulate an internal attack or an attack from a potential disgruntled employee or from a lost/compromised employee laptop or phone.

Black Box

No information is shared with the penetration testing team, to simulate an attack from a malicious hacker. This is useful for:

  • Experiencing a simulated malicious attack either as a monitored, learning experience or as a defensive exercise.
  • Understanding what information is available on the Internet that can be used by a hacker for reconnaissance purposes.

Generally, the less mature an organisation’s cybersecurity and information security management program, the less aggressive and the more collaborative the approach. However, an organisation with a more mature program (and an identified high risk of cyberattack) may cycle between black box, grey box and white box approaches along with regular, ongoing vulnerability assessments. In terms of ROI for a new client, the best approach is white box.


Do you forewarn your IT Team?


Another important consideration is whether the management team informs the IT security team about the date and scope of testing. While it is usual for all stakeholders to be informed, there are sometimes specific requirements not to do so, for example, in the case of social engineering penetration testing. A red teaming exercise may use either approach. Borrowed from military terminology, the red team (penetration testing team) can attempt to exploit vulnerabilities either with the blue team’s (IT security team) prior knowledge and collaboration or without. Both methods provide valuable learning experiences for the blue team.

The decision of whether to inform the IT security team, in combination with the approaches and testing methodologies described above, makes up the general range of strategies employed to conduct a penetration test.

We hope you’ve found this blog article useful. For more information about penetration testing, download A Guide for First-time Penetration Testing Buyers here >>  In this free guide we answer the questions commonly asked by first-time penetration testing buyers and provide guidance to help you achieve a successful penetration testing experience.

Penetration Testing Complete Guide


Questions & More Information 

Do you have a question about penetration testing? Contact Us today to speak to one of Shearwater’s certified Ethical Hackers. They have extensive experience in providing penetration testing services and assisting clients to achieve and maintain accreditation.


What is the difference between vulnerability assessment and penetration testing?


There is often confusion around the role of a vulnerability assessment versus a penetration test. This is compounded by unscrupulous security vendors presenting (and pricing) a vulnerability assessment as a penetration test. Aside from poor ROI, this can give an organisation a false sense of security, when in fact they have only received a basic level service. In the following blog article, we explain the difference, and how regular vulnerability assessments and penetration testing should work together to enhance an organisation’s security posture.

What is a Vulnerability Assessment?

A vulnerability assessment is the process of identifying whether an organisation’s systems/applications have potential known security vulnerabilities. It consists of one or more automated scans followed by the generation of a report containing a prioritised list of the vulnerabilities found, their severity and generic remediation advice. This is a useful auditing tool for the security team to remediate any errors that could allow a cybercriminal to gain access to the organisation’s systems and sensitive data. The quality of the results depends on the quality/recency of the vulnerability scanning software and the ability of the security professional interpreting the results.

How is it different from Penetration Testing?

Penetration testing has much greater potential breadth of scope (e.g. social engineering) and depth than a vulnerability assessment. It should only be conducted by certified cybersecurity professionals who use their experience and technical abilities to mimic multiple types of attack used by cybercriminals, targeting both known and unknown vulnerabilities. Vulnerability assessments are often used to scope a penetration test or as a research tool during the reconnaissance phase of a penetration test. Unlike a vulnerability scan, where identified vulnerabilities are not exploited, in a penetration test, the tester will modify their approach until they can provide proof of vulnerability through exploitation and gain access to the secure systems or stored sensitive information that a malicious attack could compromise.

A penetration test report is customised to the organisation and the scope of the engagement and provides the data that is critical to secure an organisation’s systems and stored sensitive information. It supplies the management team with a fast and proven benchmark of the organisation’s level of risk, at a given moment in time, and prioritises the vulnerabilities found, in order of severity, with detailed and customised advice to expedite remediation. This then provides the IT security team with the information they require to fast-track remediation work, demonstrates the ROI of existing security tools and facilitates the management team’s confident approval of security expenditure.


The Difference Between Vulnerability Assessment and Penetration Testing

The key characteristics of a vulnerability assessment and penetration test are compared in the table below.

Purpose

  • Vulnerability Assessment: To scan systems to identify potential ‘known’ vulnerabilities and provide generic remediation advice to improve the security of the scanned target(s).
  • Penetration Test: To identify and demonstrate proof of exploit and provide customised remediation advice to improve the security of the scoped target(s).

Characteristics

Vulnerability Assessment:

  • Automated process.
  • Scanning software scans the entire target(s).
  • Scanning covers networks, web applications and source code, and includes ASV scanning for PCI DSS.
  • Scanning software uses signatures to identify unpatched or out-of-date software, incomplete deployment of security software, bugs and open ports.
  • Scanning software can identify only the vulnerabilities it has signatures for; it cannot find unknown vulnerabilities.
  • Results may include false positives and false negatives, and identify potential vulnerabilities only.

Penetration Test:

  • Largely a manual process, using a mix of penetration testing software and custom-written exploits.
  • The tester may use a vulnerability assessment in the reconnaissance phase of a penetration test and then go on to exploit chosen, prioritised vulnerabilities.
  • Demonstrates actual risk by emulating a cybercriminal.
  • Types of penetration testing include: networks (external, internal, mobile, wireless), applications (mobile, Web, Web service/API), physical security, social engineering and phishing, secure code reviews and red teaming.
  • Able to exploit known and unknown vulnerabilities.
  • Testing is rarely exhaustive; the tester focuses attention within the scope of the engagement.

Results

  • Vulnerability Assessment: An automated report with a prioritised list of the vulnerabilities found, their severity and generic remediation advice.
  • Penetration Test: A hand-written report listing the vulnerabilities and exploits, categorised according to risk level, with recommendations for remediation based on key insights into the cyberthreat landscape.

Recommended frequency

  • Vulnerability Assessment: Outside of meeting a specific compliance requirement, vulnerability scans should be performed from outside the network and from within at least quarterly, or more frequently for organisations with a high-risk profile.
  • Penetration Test: Outside of meeting a specific compliance requirement, penetration tests should be performed at least annually, or more frequently for organisations with a high-risk profile.

Together, vulnerability assessments and penetration testing enhance an organisation’s security posture. Both are essential components for achieving a strong cybersecurity and information security program – and a requirement for achieving and maintaining compliance.


Why should I complete penetration testing if I don’t need to be compliant?


For an organisation not yet impacted by cybercrime, penetration testing outside of compliance may seem like an additional, unwelcome expense. In the following blog article, we explain how penetration testing is good for (and may even save) your business.

A Penetration Test (also known as ethical hacking) is an authorised hacking attempt, targeting all, or specified areas, of your organisation’s IT network infrastructure, applications and employees. The objective is to strengthen your organisation’s security defences by providing a report identifying and prioritising areas that are susceptible to compromise and advising on remediation. This allows you to understand your level of risk and focus time, effort and money into protecting the areas identified – providing a fast and cost-effective way to enhance your organisation’s security posture and defend against cyberattack.


We could give many reasons why you should conduct penetration testing outside of a compliance requirement, but here are our top 3.

1. Protection from the growing threat of cyberattacks

Cybercrime has risen exponentially, with cybersecurity breaches regularly making national (and even international) news, often the result of a targeted cyberattack. What is less well publicised are the more pervasive, lower profile breaches (often in-passing, opportunistic in nature) which are increasingly impacting small and medium-sized organisations.

For organisations that are yet to adopt a proactive approach to cybersecurity, complacency can be disastrous. Perhaps they are a mid-sized manufacturing, transport or construction business and think they’re not an attractive enough target for a cybercriminal. Think again. With the increase in automated cyberattacks (targeting any and all organisations), and the prevalence of Business Email Compromise attacks, which can gain a foothold into an organisation via a less well-guarded supplier, you can no longer hope that cybercriminals won’t take an interest in your business.

The cost and inconvenience of recovering from a cyberattack is high (currently averaging US$3.86 million [1]). In addition to the cost and lost time fixing the damage to your systems and data, plus any potential fines, there is also damage to your organisation’s reputation that can set you back years. Many organisations simply cannot foot the bill and go bankrupt.

Penetration testing can markedly reduce the risk of a breach.

2. Your organisation already has a compliance requirement (that you didn’t know about)

It’s not uncommon for organisations seeking penetration testing services to discover that they already had a compliance requirement. For example, if your organisation processes, stores or transmits credit card data, you need to comply with the PCI DSS standard or risk being fined if your organisation is hacked and customer credit card data is stolen.

And from February 2018, the amended Australian Privacy Act made the disclosure of cyber breaches to regulators and shareholders mandatory. The penalty for not doing so can be up to $1.8 million for organisations, plus additional fines of up to $360,000 for each board member.

Your trusted information security partner can inform you of any compliance requirements – and work with you to ensure you achieve and maintain compliance.

3. Business readiness

It’s likely that the requirement to meet a cybersecurity compliance standard will become more common in the future, as a result of ever-evolving compliance benchmarks. You may find that the tender you’d like to pitch for or the large client your organisation has just won may require you to meet an information security management compliance standard, such as PCI DSS or ISO 27001, to be one of their preferred suppliers.

Penetration testing will help your organisation to plan and improve its cybersecurity and it may then be quicker, easier and less costly to achieve compliance, when required.


Recommendations


We recommend working with a certified cybersecurity provider to conduct a risk assessment to determine your organisation’s level of risk. You may be surprised at the level of risk your organisation is currently exposed to and may even discover a compliance requirement needing urgent attention.

You can then develop your cybersecurity program and employ an agile approach, using the tools at your IT department’s disposal and your provider’s (such as vulnerability assessments and penetration testing) to measure and evolve the security of your networks and applications to maintain a strong defence against cyberattacks.


References

1. 2018 Cost of a Data Breach Study: Australia, Ponemon Institute LLC, July 2018

How do you determine the scope of a penetration test?


Guidance on best practice scoping and the key pitfalls to avoid

The objectives of penetration testing are to provide a level of assurance to match the risk profile (including any compliance requirements) for your organisation, whilst also providing a good ROI. How well your chosen penetration testing provider scopes your penetration test will determine the success of this balance. In this blog article, we describe 3 common variables affecting the scope and cost of penetration testing services and the key pitfalls to avoid.

Scoping takes place during the (generally free) initial project scoping phase of a penetration testing engagement. During this phase, a penetration testing expert will ask questions to understand your organisation’s aims and objectives (e.g. achieving compliance) and research the attack surface to be tested to develop a customised test plan and quote. There is no universal price or timeframe for a penetration test; in fact, if you are presented with either it should serve as a red flag not to proceed with that provider.

Generally, scoping errors can go one of two ways, both of which are bad news for clients.

Underquoting: If the provider underquotes, they will be under pressure to make up time and may cut corners – or, perhaps, their pricing model relies heavily on automated scanning tools, resulting in a poorer quality service.

Overquoting: Inexperienced providers may overquote to incorporate scoping errors and the cost of testing tools or the provider’s standard rates may be aimed at large clients with complex testing needs, resulting in inflated costs.

What can affect the scope (and cost) of a penetration test?

The following common variables will affect the scope and cost of penetration testing services:

  1. Pricing methodology: Target count vs measuring the attack surface
  2. Size and complexity of the project
  3. Size and specialisation of the penetration testing provider


1. Pricing methodology: Target count vs measuring the attack surface

The most accurate methodology, offering the best Return on Investment (ROI) for clients, is to measure the attack surface – the sum of potential attack vectors (any parameter that can be attacked) in the environment/app to be tested. This approach ensures that sufficient time is allocated to focus on each attack vector and will deliver comprehensive results for the best value.

A target-count pricing methodology (price per IP address or price per page/click) can only provide a rough order of magnitude and shouldn’t be relied upon in isolation, or it will likely result in a poorer ROI: clients potentially overpay for targets with no or a low attack surface, and/or penetration testing providers rely heavily on automated vulnerability scanning when they find they have underquoted.
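To make the two pricing methodologies concrete, here is an added Python example (not code from the original article or from any provider). It measures the attack surface of a constructed, hypothetical endpoint inventory exactly as the article defines it, as the sum of attacker-controlled inputs across all endpoints, and contrasts that with a plain target count; the hostnames, paths, parameter names and the hourly weights in `compare_quotes` are all assumptions. The static status host shows why target counting misleads: it is one billable target with zero attack vectors.

```python
from collections import Counter

# Constructed inventory of in-scope endpoints for a hypothetical client
# (hostnames, paths and parameter names are assumptions, not real systems).
# "params" lists the attacker-controlled inputs on each endpoint: query and
# body parameters, path segments, and security-relevant headers or cookies.
SAMPLE_INVENTORY = [
    {"host": "shop.example", "method": "GET", "path": "/search",
     "params": ["q", "sort", "page"]},
    {"host": "shop.example", "method": "POST", "path": "/login",
     "params": ["username", "password", "remember"]},
    {"host": "shop.example", "method": "POST", "path": "/checkout",
     "params": ["cart_id", "coupon", "address", "card_token"]},
    {"host": "shop.example", "method": "GET", "path": "/order/{id}",
     "params": ["id"]},
    {"host": "api.example", "method": "POST", "path": "/v1/orders",
     "params": ["items", "customer_id", "Authorization"]},
    {"host": "api.example", "method": "GET", "path": "/v1/orders/{id}",
     "params": ["id", "Authorization"]},
    # A static status page: one target for per-IP pricing, zero attack vectors.
    {"host": "status.example", "method": "GET", "path": "/", "params": []},
]


def attack_surface(inventory):
    """Measure the attack surface as the sum of attack vectors.

    One attack vector = one attacker-controlled input on one endpoint. The same
    parameter name on two endpoints counts twice, because different code
    handles it. Returns the target count (distinct hosts), the vector total,
    the per-host breakdown, and the hosts that contribute no vectors at all.
    """
    per_host = Counter()
    for endpoint in inventory:
        # Counter keeps a zero entry for hosts with no params, so they still
        # count as targets while contributing nothing to the surface.
        per_host[endpoint["host"]] += len(endpoint["params"])
    return {
        "targets": len(per_host),
        "vectors": sum(per_host.values()),
        "per_host": dict(per_host),
        "zero_surface_hosts": sorted(h for h, n in per_host.items() if n == 0),
    }


def compare_quotes(inventory, hours_per_target=8.0, hours_per_vector=0.5):
    """Contrast a per-target estimate with an attack-surface estimate.

    The hourly weights are illustrative assumptions, not industry rates; the
    point is that the two methods diverge whenever targets differ in size.
    """
    surface = attack_surface(inventory)
    return {
        "target_count_hours": surface["targets"] * hours_per_target,
        "attack_surface_hours": surface["vectors"] * hours_per_vector,
        "per_host_hours": {h: n * hours_per_vector
                           for h, n in surface["per_host"].items()},
    }


if __name__ == "__main__":
    print(attack_surface(SAMPLE_INVENTORY))
    print(compare_quotes(SAMPLE_INVENTORY))
```

For the constructed inventory the shop host carries 11 of the 16 attack vectors while the status host carries none, so a per-target quote would charge the same for both; the per-host breakdown is the figure worth asking a provider for when checking that a quote reflects where the testing effort actually goes.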

2. Size and complexity of the project

The size and complexity of the attack surface is calculated and translated into number of hours/days/weeks of work. The larger and more complex a project, the higher the cost. This takes into consideration any special requirements, e.g. testing outside of normal working hours, onsite, in a production environment and on third party infrastructure, e.g. cloud services. The approach and tools used will also impact the scope and cost. For example, a black box test would likely have a longer reconnaissance phase than a white box test and would be likely to cost more.


If the initial scope of a project appears too large and costly, an experienced penetration test provider can help their client to develop a risk assessment to identify and focus on defending critical assets. For example, for PCI DSS compliance – reducing the number of systems connected to, or within the same network segment as, the cardholder data environment will descope a large environment from compliance requirements and keep risk and the cost of achieving and maintaining compliance down.

3. Size and specialisation of the penetration testing provider

Clients may aim to ensure the quality of their penetration testing services by engaging large cybersecurity consultancies or their regular large IT outsourced partner, who has a penetration testing offering. This can be problematic. Large consultancies tend to predominantly work with enterprise clients on complex projects attracting higher daily rates. If your organisation does not meet this profile – e.g. an SME with straightforward testing requirements – it may be more cost effective to source a provider who also services smaller organisations; otherwise it could be akin to hiring a barrister to challenge a parking fine. It is also best practice to engage a provider who is independent from your day-to-day IT operations and who can look at your organisation’s IT environment from an outsider’s perspective.

At the other end of the scale, a markedly low quoted price may be indicative of a lack of industry accreditation and/or poor project scoping. The industry has defined minimum standards for providers who have the capability and skills to conduct penetration testing activities. The key requirement for assessing a provider’s capability is the CREST designation. If the provider is not a CREST accredited penetration testing firm, they have not demonstrated the knowledge, skills and understanding to be trusted with your testing activities.

A CREST certified provider that specialises in, and conducts numerous, penetration tests will have the most accurate scoping capabilities to provide you with the best balance of quality service at a competitive price. They will offer you a broad range of penetration testing services and have the latest tools and techniques, plus the ability to author their own custom tools – to give you the best value. They will have numerous multi-certified, experienced penetration testing consultants with preapproved security clearance and will have a process to deliver your penetration testing project as efficiently and cost effectively as possible. And this accumulated knowledge and experience will also provide you with a detailed penetration testing report with valuable insights into remediation actions.

It’s worth taking the time to research and select a proven, reputable penetration testing provider and then to commit to conducting regular testing. This will not only provide the best level of security for your organisation but also deliver the best ROI.


How to Avoid Common Penetration Testing Pitfalls


Guidance for Penetration Testing Buyers

There are many pitfalls and mistakes that organisations using, or considering using, penetration testing services can easily avoid. In the following blog article, we discuss ‘what not to do’ to ensure you receive the best penetration testing outcomes.

There are many common penetration testing pitfalls and mistakes that you can easily avoid by:

  1. Researching and selecting the right provider
  2. Having an information security mindset
  3. Not becoming complacent.


1. Choose the right provider

Many pitfalls can be avoided by taking the time to research and select a solid provider.

Pitfalls relating to providers include:

  • Purchasing a penetration test that is a glorified vulnerability scan (you can run these yourself – for free!) and a report that is automated, contains many false positives and negatives and generic guidance.
  • Paying for a methodology that charges for testing areas that do not require testing. To ensure that you understand and receive a correctly scoped service, refer to our blog article How do you determine the scope of a penetration test? >>
  • The penetration tester does not have adequate security clearance – resulting in time lost while clearance is obtained.
  • Engaging a large provider who has a pricing model aimed at the needs of enterprise clients, resulting in potentially high costs.
  • Engaging your existing provider when it is not a specialist in penetration testing, resulting in potentially higher costs and a poorer quality service than could have been achieved by engaging a provider that specialises in penetration testing.
  • Engaging a ‘quick and low cost’ service to achieve basic compliance. You get what you pay for – your organisation may just meet compliance standards but have received a service that is insufficient for its level of risk.

For the 9 characteristics of proficient penetration testing providers and the research you should do before engaging a provider, read our blog article How do you select a penetration testing provider? >>

2. Have an information security mindset


Having an information security mindset is important, not only for the IT security team and management team, but also every employee.

The following pitfalls reflect how not having an information security mindset can be dangerous for your organisation.

  • “Cybercriminals only target large, well known organisations, SMEs are off their radar.”
    This reveals a lack of understanding of the threats posed by automated cyberattacks, and of the threats faced by the suppliers of an organisation targeted by a Business Email Compromise attack. If you need to convince your management team about the benefits of penetration testing, have them read our blog article on the ROI of Penetration Testing.
  • “There is no need for a pen test – the IT department can find any holes in our security.”
    Your penetration tester should be an external, neutral party. The person finding the issues should not be the person responsible for fixing them as there will be blind spots and assumptions that will skew the results. Penetration testing can help validate your IT department’s efforts.
  • “Security was taken care of when the provider installed the system.”
    A set-and-forget approach cannot apply to cybersecurity and information security management. Cybersecurity threats are continually evolving and have multiple points of attack; if your organisation does not keep pace with the level of threat, it is at increased risk.
  • “The security team don’t collaborate with the development team (and vice versa) and neither will partner with the pen testing team.”
    To effectively remediate security issues and prevent future issues, there needs to be collaboration between IT teams throughout any development and penetration testing process. Egos aside, a collaborative approach is essential to achieve ongoing security.
  • “This cybersecurity training/policy doesn’t apply to me.”
    Providing cybersecurity training for your employees is only effective if they complete it and demonstrate the learning outcomes. This especially applies to system administrators and other privileged account holders.
  • “It’s my cloud provider’s responsibility.”
    In the case of a breach, regardless of whether it is a cloud provider’s ‘fault’, it is ultimately your organisation’s responsibility to undertake due diligence to ensure the protection of critical data and customer information. You can request permission to conduct a penetration test on a cloud-based application. If your provider refuses, you can request a letter of attestation stating that they conduct regular penetration testing and have met the security requirements. If they will not provide a letter of attestation, find a provider that will. For more information about roles and responsibilities and the critical activities and controls you need to put in place to reduce risk and utilise cloud computing with confidence, watch our webinar Securing your Cloud Data: Practical Advice to Mitigate Risk >>

3. Avoid becoming complacent

It’s important not to become complacent. Achieving best-practice cybersecurity and information security management is an ongoing and evolving process.

  • “My organisation has done a penetration test, therefore it’s secure.”
    The purpose of a penetration test is to help identify vulnerabilities and suggest remediation. It’s up to you to implement the remediation and commit to maintaining security – such as adding ongoing cybersecurity and information security activities to your organisation’s security management program. And unless the scope was for an end-to-end penetration test, covering the entire attack surface, the test may have focused on targeted areas only.
  • “My organisation is compliant, therefore it’s secure.”
    If your organisation takes a proactive approach to cybersecurity and information security threats and employs measures to meet your organisation’s level of risk, it’s likely that it is well protected – and compliant. If, however, your approach is to just meet the basic requirements to achieve compliance, your organisation may be compliant yet at a high risk of compromise.
  • “My organisation has so much testing that the network is bulletproof.”
    Investing in protecting your IT technology assets is meaningless if you do not also recognise the potential risk from social engineering and phishing. Education must include not only the security team (system admins, database admins, developers) but all employees. Regular penetration testing that includes social engineering will help to identify and benchmark risk, and an ongoing phishing training program can provide your organisation with an ongoing, cost-effective solution. 


Demonstrating the ROI of Security Penetration Testing to Management


How do you demonstrate the ROI of security penetration testing? From the management team’s point of view, making the decision to commit to an ongoing cybersecurity budget may be seen as adding yet another expense, with little visibility of a return on investment (ROI). This is particularly true for organisations that are not involved in the riskier areas of application development or ecommerce – perhaps they are a mid-sized manufacturing, transport or construction business – and think they’re not an attractive enough target for a cybercriminal. Think again!

High profile cybersecurity breaches regularly make national and even international news, and are often the result of a targeted attack. What is less well publicised are the more pervasive, lower profile breaches which are more opportunistic in nature and increasingly impact small and medium-sized organisations. This trend can be linked to the sophisticated way in which cyberattacks can now be automated and the introduction of new vulnerabilities resulting from the adoption of new technology and working practices (remote working and BYOD, such as laptops, tablets and phones).


In a rapidly changing technological landscape, organisations must not only keep pace with the speed of innovation, but also the resulting risks to information security.

Increasingly, organisations are incorporating cybersecurity into their overall risk management policy and business objectives into their security programs, with cybersecurity and information security management fast becoming the domain of management teams, not just the internal IT team. These organisations recognise that cybersecurity and information security are, ultimately, just like any other risk that they face in their business and therefore need to be managed like all those other risks, be they legal, operational, financial etc. They understand not only that they can’t afford a ‘head in the sand’ approach, but that good security practices (and compliance) are a competitive advantage.

For the organisations (predominantly SMEs) that are yet to adopt a more proactive approach to cybersecurity, complacency can be disastrous. With the increase in automated cyberattacks, you can no longer hope that cybercriminals won’t take an interest in your business.

From February 2018, the amended Australian Privacy Act made the disclosure of cyber breaches to regulators and shareholders mandatory. The penalty for not doing so can be up to $1.8 million for organisations and, with the inclusion of additional fines of up to $360,000 for each board member, the message is clear: take cybersecurity seriously.

Read how specialist web solutions provider The Reach Agency uses regular penetration testing to increase their competitive advantage >>

So what value does a penetration test provide?


A penetration test provides your management team with an extremely fast and proven benchmark of the organisation’s level of risk, at a given moment in time, and prioritises the vulnerabilities found, in order of severity, with advice to expedite remediation. This then provides your IT security team with the information they require to fast-track remediation work, demonstrates the ROI of existing security tools and facilitates the management team’s confident approval of security expenditure.

Explain to management that you can acquire this data in one of two ways, either proactively or via incident post-mortem and, put simply, investing in penetration testing is preferable to responding to a breach from a malicious hacker. The decision of whether to invest in penetration testing is as simple as asking: “Do you want to choose your hacker?”

The difference between an Ethical Hacker and Malicious Hacker


Below is a simple comparison between controlled expenditure on security penetration testing and the uncontrolled chaos that results from having your systems compromised by a malicious hacker. Download this infographic in PDF format here >>

Ethical Hacker

  • Intention is to help your organisation to succeed
  • Known, proven, highly trained IT professional has access to your IT infrastructure in partnership with your IT department
  • Careful with your IT infrastructure
  • You control:
    • Cost (average cost of a pen test $7,000+)
    • Scope and methodology – non-disruptive
    • Timing – convenient
  • At the conclusion of testing you are provided with:
    • A comprehensive report listing the vulnerabilities and exploits categorised according to risk level (or at time of discovery for critical/high risk vulnerabilities) and recommendations for remediation to improve your organisation’s IT security.
    • Debriefing for Executives and IT team.
  • Any data obtained during the test will be treated as confidential and will be returned or destroyed at the conclusion.
  • Outcome: proactive and empowering experience, improved IT security/compliance is achieved, customer confidence and brand loyalty are maintained, security stakeholders have peace of mind.

Malicious Hacker

  • Intention is to extort money or damage your organisation
  • Unknown hacker has access to your IT infrastructure
  • Careless with your IT infrastructure
  • They control:
    • Cost (average cost of a breach US$3.86 million)
    • Scope and methodology – disruptive
    • Timing – inconvenient
  • At the conclusion of a malicious breach you could face:
    • A potential ransom
    • Exploited intellectual property
    • Exploited customer data
    • Potential fines and legal ramifications
    • Damaged IT infrastructure and code that takes time/money to investigate and remediate
  • The whereabouts of any data obtained during the breach is unknown.
  • Outcome: reactive and disempowering experience, damaged IT systems, lost customer confidence, damage to brand loyalty, loss of revenue, loss of share value, security stakeholders have sleepless nights/potential job losses. May bankrupt SMEs.


When compared in this way, the benefits of investing in penetration testing are self-evident.
