Data Security, Technical 20th May 2019

Penetration Testing

Rebecca Shaw

Cyber-attacks in Australia surged by 78% in 2018. In fact, that year saw 358,321 such attacks on Australian businesses, making Australia the top regional target for cyber-criminals (Clariden Global, Cyber Security Conference 2019). This combined with the fact that it takes an average of 190 days for a company to detect a data breach means that the need for more cyber-security across Australia’s business landscape has never been more pressing.

In this week’s blog, we explore Penetration Testing and why this powerful cyber security performance test is imperative for any business as part of their security program.

What is a penetration test?

Also known as pen testing or ethical hacking, a penetration test is a simulated cyber-attack on your environment to check for exploitable vulnerabilities. The purpose of the penetration test is to validate the capability of your organisation’s security efforts and provide management with recommendations designed to mitigate those risk areas.

Penetration Test vs Vulnerability Assessment

The assessment will detect issues such as missing patches and outdated protocols, certificates, and services. Regular vulnerability assessments are necessary for maintaining information security. Whilst vulnerability assessments highlight security vulnerabilities and technical threats, they don’t actively exploit identified problems to determine full exposure.

Penetration testing is quite different, as it attempts to identify insecure business processes, lax security settings, or other weaknesses that a hacker could exploit. Transmission of unencrypted passwords, password reuse and forgotten databases storing valid user credentials are examples of issues that can be discovered by a penetration test.

Penetration tests do not need to be conducted as often as vulnerability scans but should be repeated on a regular basis. Penetration tests are also best conducted by a third-party vendor rather than internal staff to provide an objective view of the network environment and avoid conflicts of interest.

Better yet, a penetration test will give you clear, actionable recommendations for mitigating each vulnerability that’s identified.

What’s involved?

A penetration test is performed from the perspective of an attacker with only limited knowledge of your network infrastructure and systems. The goal is to identify vulnerabilities that might pose a risk and determine the business impact of such an exposure.

Testing your defences against the tools and techniques of a skilled adversary will gain you valuable visibility over where your vulnerabilities are, how they can be exploited and what a potential breach would look like.

Types of Penetration Tests

  • External testing will find weaknesses within your Internet-facing infrastructure by targeting company assets that are visible on the Internet. For example, the web application itself, the company website, and email and domain name servers. The goal is to gain access and extract valuable data.
  • Internal testing is when a tester simulates an attack by a malicious insider such as a disgruntled or careless employee or contractors with legitimate access to the corporate network. A common starting scenario can be an employee whose credentials were stolen due to a phishing attack.
  • Blind testing is when a tester is only given the name of the enterprise that’s being targeted. This gives security personnel a real-time look into how an actual application assault would take place.
  • In double-blind testing, security personnel have no prior knowledge of the simulated attack. As in the real world, they won’t have any time to shore up their defences before an attempted breach.
  • In targeted testing, both the tester and security personnel work together and keep each other appraised of their movements. This is a valuable training exercise that provides a security team with real-time feedback from a hacker’s point of view.

Benefits

With mobile users, multiple devices, cloud applications and the like, the attack surface of your business is not only larger than it’s ever been, but it’s no longer contained within the physical boundaries of the office. Organisations have paid millions of dollars in IT remediation costs to get systems back up. In many cases, these systems are exploited using trivial security flaws that take hackers just seconds to compromise. Penetration testing will help you avoid the cost of downtime should a hacker exploit a vulnerability.

Work with us

Penetration testing services can be provided as a one-off assessment, or on an ongoing basis. At AfterDark, we can work with you to develop a recurring vulnerability assessment and penetration testing program for different segments of your environment. With a recurring program we can highlight current exposures in a timely fashion and provide you with trending data that allows you to monitor the progress of your IT security initiatives over time.

No single solution can completely safeguard you but layering different security solutions greatly mitigates the chances of your business being compromised.

To discuss how our security services can help your organisation test your security posture please reach out to Stephen Gibson on 1300 553 101 or sgibson@adit.net.au.

About Rebecca Shaw

Rebecca is a passionate marketing and change management professional with roots firmly in the ICT sector. She is a true believer in the power of communications to deliver transformation and connection.