Why do Security Testing?
We are often asked why clients need penetration testing when they already run vulnerability scans across their network. There are some fundamental differences between the two approaches, outlined below, and together they explain why you should do security testing.
How does security testing fit within your Information Security Programme?
It is important to understand how penetration testing fits within a comprehensive information security programme, and why it should be done in conjunction with other security processes rather than in isolation. The following is a simple explanation.
Vulnerability scanning is not Penetration Testing.
One of the most common questions we hear is: “we already do vulnerability scanning, so we don’t need penetration testing, do we?” Vulnerability scans and penetration tests are very different from each other, but both serve important functions in protecting your business environment.
Vulnerability scans and vulnerability assessments search systems for known vulnerabilities. Penetration testing goes further: it actively attempts to exploit weaknesses in an environment. A vulnerability scan can be fully automated, whereas a penetration test requires human expertise at several levels. It aims to identify insecure business processes, lax security settings and other weaknesses that a threat actor could exploit. Transmission of unencrypted passwords, password reuse and forgotten databases still holding valid user credentials are all good examples of issues that a penetration test can discover and an automated scan typically cannot. Penetration tests do not need to be run as often as vulnerability scans, but should be repeated on a regular basis.
There is also a relationship with continuous monitoring services such as intrusion detection or prevention systems and data loss prevention processes: a penetration test exercises these controls and shows whether they actually detect or block the activity.
VULNERABILITY SCANNING vs PENETRATION TESTING (at a glance)
Vulnerability scanning: automated; takes minutes to hours; run on a schedule; passive (no exploitation); prone to false positives; programmed, so each scan is identical to the last.
Penetration testing: manual (the main difference); takes days; performed annually or after significant change; aggressive; driven by the tester’s intuition; accurate and thorough, because findings are verified by exploitation.

APPROACH IN DETAIL
The comparison below follows the table in the PCI Security Standards Council’s Penetration Testing Guidance, which is why it refers to Approved Scanning Vendors (ASVs).

PURPOSE
Vulnerability scanning: identify, rank and report vulnerabilities that, if exploited, may result in an intentional or unintentional compromise of a system.
Penetration testing: identify ways to exploit vulnerabilities to circumvent or defeat the security features of system components.

WHEN
Vulnerability scanning: at least quarterly, or after any significant change to your systems, applications, processes or data.
Penetration testing: at least annually and after significant changes (see the PCI guidance for its definition of a significant change).

HOW
Vulnerability scanning: typically a variety of automated tools, combined with manual verification of identified issues.
Penetration testing: a manual process that may include vulnerability scanning or other automated tools, resulting in a comprehensive report.

REPORTS
Vulnerability scanning: potential risks posed by known vulnerabilities, ranked according to the NVD/CVSS base score of each vulnerability. Under PCI DSS, external scans (run from outside the organisation) must be performed by an ASV, while internal scans (run from inside the organisation) may be performed by qualified internal personnel. Note that a CVSS base score ignores environmental context: a “medium” on an internet-facing authentication server may matter more than a “critical” on an isolated test box, so base-score ranking is a starting point, not a risk decision.
Penetration testing: a description of each vulnerability verified and/or potential issue discovered, with the specific risk it poses, including how and to what extent it can be exploited. Examples include SQL injection, privilege escalation, cross-site scripting and deprecated protocols.

DURATION
Vulnerability scanning: relatively short, typically several seconds to several minutes per scanned host.
Penetration testing: engagements may last days or weeks depending on the scope of the test and the size of the environment; tests may grow in time and complexity if the work uncovers additional scope.
Why do security testing?
Penetration testing uses a variety of manual and automated techniques to simulate an attack on an organisation’s information security arrangements. It should be conducted by a qualified and independent penetration testing expert, sometimes referred to as an ethical security tester. Penetration testing looks to exploit known vulnerabilities, but should also draw on the expertise of the tester to identify specific weaknesses and previously unknown vulnerabilities in an organisation’s security arrangements.
The penetration testing process involves an active analysis of the target system for potential vulnerabilities, including poor or improper system configuration, known and unknown hardware or software flaws, and operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of the security vulnerabilities found.
What can you Test?
A penetration test is typically an assessment of people, buildings, IT infrastructure, networks and business applications to identify attack vectors, vulnerabilities and control weaknesses.
The most common forms of penetration testing are:
Buildings – assessing the ability to access key locations
People – social engineering, and checking the level of security awareness of staff
Application penetration testing (typically web applications) – finds technical vulnerabilities in the application itself
Infrastructure penetration testing – examines servers, firewalls and other hardware and network components for security vulnerabilities
Other forms of penetration testing are also popular, which include:
Mobile application penetration testing
Client server (or legacy) application penetration testing
Device penetration testing (including workstations, laptops and consumer devices such as tablets and smartphones)
Wireless penetration testing
Telephony or VoIP penetration testing
The penetration testing process typically includes:
Conducting research (reconnaissance of the target)
Identifying vulnerabilities
Exploiting weaknesses
Reporting findings
Remediating issues (the organisation’s responsibility, informed by the report)
The Main Drivers
The main drivers for penetration testing include a high degree of concern about:
Compliance – a growing requirement for compliance to regulations and standards
Impact – the impact of serious (often cyber related) security attacks on similar organisations
Suppliers – use of a greater number and variety of outsourced services
Processes – significant changes to business processes
Awareness – raising awareness of possible cyber security attacks
However, establishing and managing a suitable penetration testing programme can be a very difficult task, even for the most advanced organisations. Some organisations adopt an ad hoc or piecemeal approach, often driven by the needs of a particular region, business unit or the IT department. Whilst this can meet some specific requirements, it is unlikely to provide real assurance about the security condition of your systems enterprise-wide.
Consequently, it is often more effective to adopt a more systematic, structured approach to penetration testing as part of an overall testing programme, ensuring that:
Business – business requirements are met
Fixes – major system vulnerabilities are identified and addressed quickly and effectively
Risks – risks are kept within acceptable business parameters.
You should develop an appropriate penetration testing programme that will enable your organisation to perform penetration testing more effectively enterprise wide.
Why use AVORD?
There are many reasons why an organisation may choose AVORD as its security testing provider; for one, we can help meet the challenges outlined in the previous section.
Other challenges organisations commonly report include difficulties in:
Business Case – establishing a business case for a test to be undertaken
Costs – understanding the costs of external services – and determining the true overall cost
Fixes – remediating system vulnerabilities effectively
Resources – finding a suitable penetration testing expert when required (eg. at short notice).
For these challenges to be identified and addressed effectively, an organisation should adopt a systematic, structured approach to penetration testing as part of a wider programme that includes the selection and management of external suppliers.