Penetration testing – the what, the how and the when

22 June 2023

The growing sophistication of cyber threats, greater regulatory requirements, and the need to maintain consumer trust have increased the prevalence and importance of regular penetration testing across systems and business operations.

So, what is penetration testing? The National Cyber Security Centre (NCSC) defines penetration testing (also known as pen testing or ethical hacking) as ‘a method for gaining assurance in the security of an IT system by attempting to breach some or all of that system's security, using the same tools and techniques as an adversary might’. Whilst we agree with this definition, let's dive a bit deeper.

The objective of a penetration test is to provide visibility of technical vulnerabilities and to validate whether your existing security controls actually prevent those vulnerabilities from being exploited. The outcome is a robust view of your exposure, including risks that had not previously been identified. This is achieved by a penetration tester replicating the common tactics, techniques and procedures (TTPs) that hackers use to exploit vulnerable and exposed systems. It is a proactive test: it shows what a hacker could see and do, ideally before a real one does it.

Not all penetration testing is equal

There are many types of penetration test. Each is designed to model a different stage that a hacker might reach, and the key distinction between them is how much knowledge and access the tester is given at the start. Some examples are set out below.

Black box testing: the penetration tester is given no prior knowledge of, or credentials for, the target systems. The tester is tasked with identifying vulnerabilities and attempting to exploit them to gain initial access. This most closely resembles the starting point of a real external hacker.

White box testing: the penetration tester is given full knowledge of the environment and credentials for the agreed targets, which may include architecture documentation or source code. Because the tester starts from a position of access, this type of test is often used to model an ‘assumed breach’: what a hacker who has already gained an initial foothold could achieve when acting on their objectives against the target systems.

Grey box testing: a combination of white and black box testing. The penetration tester is given partial knowledge, and potentially credentials to some systems, with the objective of establishing whether attack TTPs can be executed from that position to gain access to the target systems.

Should you perform penetration testing?

If your organisation has an online presence, holds information, or does anything of value (which covers most organisations), it is likely to be the target of a cyber-attack at some point.

Additionally, if you operate in a regulated sector or hold personally identifiable information (PII) or other confidential information, undertaking a penetration test may be a specific requirement, or at the very least a strong expectation, of regulators and clients.

Other examples of reasons to undertake a penetration test include:

  • to gain an understanding of your risk and exposure. Penetration test findings and recommendations can be used to drive cyber security and control priorities;
  • to understand and respond to emerging threats. The threat landscape is ever evolving; penetration testing can be used to simulate the latest threat methods, validate whether you are exposed to them, and provide recommendations to reduce that exposure; and
  • to avoid potential reputational damage. A data breach could have a significant impact on a business for which reputation and integrity are critical. As part of a wider security programme, regular penetration testing proactively identifies exploitable vulnerabilities and demonstrates that you take cyber defence seriously.

There are a number of other benefits that come with effective penetration testing, including:

  • assurance and confidence of the effectiveness of your defensive controls;
  • remediation effort prioritisation; and
  • a greater understanding of investment requirements to protect your information, systems and ultimately your business and stakeholders.

When to perform penetration testing?

Depending on your business and its needs, penetration tests can be undertaken in isolation or as part of a wider security programme.

As a business you should consider aligning your pen test schedule with activities such as:

  • significant changes to technology including migrations, major alterations to applications and technology lifecycles;
  • the introduction of new office locations or integrations of clients and third parties;
  • undergoing a business merger or acquisition;
  • compliance cycles;
  • significant threat landscape change, including events that could impact your sector or geographies in which you operate or have dependencies on; and
  • control and remediation effectiveness testing as part of a cyber programme.

How to conduct a penetration test

Penetration tests can be performed by internal teams or by external specialists. Where the results are intended to provide assurance to others, such as regulators or clients, tester independence should be a key consideration.

Specific consideration should be given to the scope, type and objective of the penetration test, as these are the key criteria that determine the tester skills, time and cost required. Typical penetration tests focus on one or more of the following:

  • external infrastructure;
  • internal infrastructure;
  • web application; and
  • specialist services, such as threat-led testing, social engineering and physical testing.

We have only highlighted some of the many benefits and options for penetration testing, with other more advanced testing options available.

To understand more about penetration testing and what is right for your organisation please contact our Technology and Cyber Risk Assurance team who would be more than happy to help.