While researching future blog post topics, I discovered that many people are searching on Google in the hopes of better understanding the benefits of having a penetration test done. This is a great question, and it is especially important to understand the answer even if your organization is not governed by regulatory or compliance requirements to have a penetration test done. There are plenty of reasons to conduct a pen test, or red team assessment, on your organization’s technical environment. A few examples include:
- Protecting users
- Keeping customer data secure
- Finding vulnerabilities
- Keeping the overall enterprise secure
Why Should I Consider an External Penetration Test?
Today’s typical enterprise network is no longer an enclosed and controlled environment, like it may have been just a few years ago. Consider the following elements concerning your own network:
- How many sanctioned cloud services are in use?
- How many servers are hosted by AWS or Azure?
- Can the users bring in their own devices?
- Can these devices access any enterprise data?
Even email is extremely vulnerable with the sheer amount of phishing currently taking place. I am not going to drive you into a state of paranoia by continuing this line of questioning; however, I am hoping you can realize why one might consider an external penetration test.
Since our once solid walls are in a much different state now, having your network tested via an offensive assessment is the best way to validate that your protections are still appropriate and effective. An external penetration test, or other similar assessment, will take a deep and systematic look as this border. This type of assessment is designed to specifically look at the assets that face the Internet, so those systems that have a public IP or receive traffic directly via a public IP. It is important to proactively examine all holes, soft spots, and other weaknesses from the perspective of an ethical attacker, or a pen tester, before a real criminal does. This is one of the most effective ways an organization can get the jump ahead of the bad guys and keep themselves, their data, and their customer’s data safe.
What About the Internal Penetration Test?
Regardless of how much we appreciate our employees, the authorized users of the enterprise’s systems are one of its biggest threats. In fact, in September of 2015, Tara Seals of InfoSecurity Magazine posted this statistic, “Among companies experiencing data breaches (and that is to say, a majority), internal actors were responsible for 43% of data loss, half of which was intentional, and half accidental.” The attacker’s method of gaining this access can vary widely. Something as simple as a successful phish of one employee could grant them access to a system that sits inside of the enterprise network. Or, maybe they dropped a raspberry pi or cracked the Wi-Fi. Attackers are by no means restricted to only breaching the perimeter from the Internet. And this is not even considering the power of a malicious insider.
Most enterprise networks are not new – they have been around for a long time – so there are a lot of systems that have gone through the networks over the years, increasing the likelihood that some are missed or forgotten. Chances are pretty high that some of these systems are missing patches, have misconfigured web servers, or a pantheon of other issues that could allow an attacker to gain a foothold. An internal pen test will have the assessors scan, probe, attack, and report their findings. This report will lay out the vulnerabilities found and detail their severity and likelihood so that system admins can begin to remediate or mitigate the issues.
TL&DR (Too Long & Didn’t Read)
Basically, it comes down to this: most networks have been in place for a relatively long time. Hundreds of systems have been life-cycled out, but there are always exceptions. There’s almost always a few systems that were deemed “critical” or “too expensive to replace,” or the remediation efforts were delayed due to pending projects to replace those outdated systems or applications. Projects falter, costs change for equipment, and the criticality of a system may well have changed. Or, if it is critical, perhaps it is time to update and upgrade it so it is more secure and reliable.
A penetration test is a good opportunity to begin with a clean state as well as prioritize issues and fixes. These assessments also provide a very powerful wake-up call to executive leadership that may have been pushing these types of changes off to reduce costs. Regardless of the reasoning and the situation, penetration tests provide a more thorough method for identifying and exploring applicable technical vulnerabilities and risks, as well as their exploitability to help ensure that items of concern can be quickly addressed. They also give a fresh perspective on things that may have gotten stale or fallen through the cracks over time.