Understanding Penetration Testing

Most Businesses use penetration testing to validate their organizations security.  Moreover, the demand for penetration testing and security assessment services globally is growing year-on-year. The growth is largely driven by businesses needs to comply with Governance, Risk, and Compliance requirements. Additionally, there is an evolving pressure to be seen to be taking information security and data privacy seriously.

93% of business outsource their penetration testing requirement to specialist consultancies. The majority of those consultancies provide traditional consultant driven testing. However, the penetration testing market is changing and more and more we see automation attempting to provide the capabilities of human testers.

Complexity of Solutions

We also notice that the complexity of solutions provided by consultancy firms is growing. Combining terms such as security assessment, pen testing, red teaming, purple teaming, vulnerability scanning can be confusing. In addition, they are creating hybrid models of all the above.

While business and industry may not agree or reach a consensus on commonly used security testing terminology anytime soon, we can at least help you differentiate between the various offers and how they complement each other.

For those responsible for setting up or maintaining a penetration testing department capable of delivering business requirements has a difficult job.  Tasked with the process of having to decipher the language and identify the right service is proving more difficult. Moreover, the failure to get it right is not only financially costly but may also be career-ending if later proven to be inadequate.

Explaining the Testing Landscape

Understanding Penetration Testing can be made easier with some simple tips. Firstly, the penetration testing methodologies and delivery activities are designed to highlight threats represented by an attack vectors or exploitations. Additionally, a major differentiator between the majority of testing methodologies come down to 2 key points. Firstly, identify the presence of a vulnerability within your environment. Secondly to exploit and subsequently propagate an attack through that vulnerability. The former is generally associated with compliance and controls taxonomy. Meanwhile the latter is for closer to the description of a penetration test or an ethical hack.

How to Scope A Penetration Test

The Penetration Test Management process is split into two main factors that dictate the result of any tests. Firstly, the level of detail the clients provides to the tester. Secondly, The range of techniques and testing tools the tester is allowed to be used. Risk reduction, Compliance or attack simulation are often the key drivers for the body of the penetration testers remit. This helps you in Understanding Penetration Testing.

Penetration Testing Process

Common Terms

Let look at the common terms used in organising a pen test.

Traditional Approaches

Vulnerability Scanning – The use of automated tools to identify potential vulnerabilities in devices, assets applications and code. network devices such as firewalls, routers, switches, servers and applications. It focuses on finding potential and known vulnerabilities to all assets and provides a criticality rating for each one.

Black-box Testing – A penetration testing method in which the internal structure, design and implementation approach of the item being tested is not known to the tester. Black-Box testing focuses on inputs and output of the asset without bothering about internal knowledge of the workings.

Grey-box Testing – a combination of white and black box. Related to the methodology used for Black-box testing, but with a partial degree of insider knowledge of the internal workings. As the ability to receive some information about the target.

White-box Testing – software testing method that uses the same tools and methodology to the Black-box tester, but the consultant is supplied with all the information about the taregt in terms of design, structure and implementation documentation. The details about the asset being tested are known and shared with the tester.

Security Architecture Reviews – ability to take an overview of the complete system architecture to provide the most effective security controls. With full access to all areas of business and often use documentation such as configurations, reference architecture diagrams, process document and key personnel interviews. This allow them to understand the current state of your technical security posture and to provide insightful improvement recommendations based on security industry best practice guidance.

Red-team Testing – closest test to a real live attack. Involves the practice of rigorously challenging plans, policies, systems and assumptions by adopting an adversarial approach. The consultant will try to exploit any vulnerabilities they reasonably believe will provide access to client systems. By assuming the role of an attacker, they show businesses key weaknesses and approaches that pose a threat to their cybersecurity.

Secure Code Reviews – an inspection of code using automated and manual code analysis techniques to highlight key security issues, vulnerabilities, and weaknesses. Should be built into an project information life cycle to ensure quality of the development process.

IT Controls Audit – determines whether computer controls effectively support the confidentiality, integrity, and availability of information systems. The audit may include validation against multiple compliance standards and use a mix of automated, manual, and questionnaire-based evaluation techniques. General computer controls include controls over the information technology environment, computer operations, access to programs and data, program development and program changes.

Understanding Penetration Testing – Hybrid Approaches

As mentioned earlier, the penetration testing market is changing and in recent years has evolved further with the addition of hybrid services and community-sourcing solutions.

Penetration Test Management Platforms – online subscription-based platforms attempting to help businesses consolidate and streamline the testing process. Companies like AVORD work closely with business to consolidate all their systems, projects, tests and scoping requirements in one online platform. This allows businesses to quickly monitor all tests across the business and see one version of the truth for all tests and test results. AVORD also provides a fully vetted marketplace of tester to complete the work.

Automated Breach Attack Simulation – simulation & remediation service usually in the form of a platform or tool. Acts as a fully automated purple team, enabling organizations to continuously identify all attack paths to their critical assets and receive prioritized actionable remediation. Receive actionable prioritised remediation advice to fix the issues found. Operating Continuously a BAS solution can be a useful addition to any penetration testing process.  Allows enterprises to move away from expensive, manual ‘point-in-time’ testing to a fully automatic Cyber Attack Simulation & Validation capability. It also delivers proactive visibility of risks and the big lift in IT hygiene.

Bug Bounty Programs – A bug bounty is a reward scheme that incentivises any tester who finds critical flaws in a company’s software. Mainly uses crowdsourced penetration testers from any country using a managed platform to share code and other company information for tester to evaluate. They are rewarded for every critical vulnerability they identify in the client’s assets.

Purple Team Testing – a growing testing solution that uses a hybrid approach combining Red team and Blue team activities. For example, the experienced attackers work with defender teams. By sharing their attack methodologies and approach to successful attacks with the Blue team they help to improve security controls, detection and response times.

Disaster Recovery Testing – multi-step drill of an organization’s disaster recovery plan (DRP) designed to assure that all business assets and information technology systems can be restored in the event of a catastrophic event. Designed to test an organization’s capability to respond and recover from common hacker-initiated threats and disaster scenarios.

Conclusion

Understanding Penetration Testing choices and many parts involved in conducting and successful test it’s important to consider the terms and approach mentioned above. Additionally, it’s essential to be clear on the scope of each test and what you are trying to achieve. Finally, it’s important to understand the differences in the types of tests and use them appropriately for the best results. There is no magic bullet when it comes to testing and a hybrid approach is the best solution.