An Ounce of Prevention: How Penetration Testing Can Benefit Your Organization

What is a penetration test, and what does it do for your organization? What information can be generated by these tests, and how can it be used to strengthen your systems? To begin, it is worthwhile to note that regular maintenance of any system, from putting air in your bike tires to taking your vitamins to installing updates on your phone, will keep those systems running at peak performance levels. This logic applies to the penetration test as well, and this is what I’ll be covering in today’s post: what can be expected as the end result of a penetration test and how these tests can help your organization avoid attacks and defend your systems.

A penetration test is a security assessment wherein the tester uses offensive techniques (designed to mirror those of real-world attackers) to attempt to circumvent the target organization’s network security controls. In the process, the tester will gather security related information on the in-scope systems. At the conclusion of the penetration test any serious or exploitable vulnerabilities will be aggregated into a report for the system owners. The recipient of the report can use it to bolster their security and fix holes, and prioritize remediation efforts.

Not All Penetration Tests Are Created Equal

Penetration testing can be customized to perform at a variety of levels. At its most basic, a penetration test will be performed against an organization’s public-facing infrastructure. This means that websites, webmail, VPN, etc. will be tested from the perspective of an external attacker. External penetration testing is a critical component to a healthy IT security program. This level of testing will help to identify and verify vulnerabilities before they are discovered by a malicious party. Penetration tests become more complicated and generate more useful information as the scope of the test expands.

Creating a more inclusive and comprehensive picture of an organization’s security systems would require the implementation of an internal penetration test. This type of test involves a different approach, as the attacker being simulated is now a malicious insider or an attacker that has breached the perimeter. An internal penetration test will detail the effectiveness of the network security, segmentation, SIEM, incident response, data-loss prevention, etc. Many organizations have ignored the risk of an insider threat, choosing instead to trust their employees and their perimeter controls. Unfortunately, as malware and ransomware attacks have shown, this is not a sustainable strategy. Performing an internal penetration test is not a statement that insiders should be untrusted. Given the complexity of modern attacks, it should be viewed as a way to strengthen security controls internally. By improving these controls, an organization can significantly reduce the risk posed by malicious insiders, accidental insider threats, and those attackers that may breach the perimeter controls.

Boxing Up the Penetration Test

In both of the penetration testing examples laid out above, an additional factor must be considered during planning and scoping. In either testing scenario, the organization must determine the amount of advanced knowledge they will provide the tester. This is represented by the Crystal Box, Gray Box, and Black Box paradigms, which dictate that the tester is provided with significant details about the target environment for a crystal box test, a moderate amount of knowledge for a gray box, and as little information as possible is divulged to the tester performing a black box test. The level of knowledge the tester has about the system is intended to demonstrate what an attacker with a similar level of information would be able to accomplish within the system. Find more details about CynergisTek’s methodology for Crystal, Gray, and Black box testing here.

What is the End Result of a Penetration Test?

At its core, a penetration test measures the ability to actually compromise the in-scope systems and assesses the impact that exploiting those vulnerabilities has on affected systems and resources. Pen testing is one of the most effective methods of finding vulnerabilities in systems and networks before the criminal attackers find them. There are aspects of and approaches to penetration testing that can’t be covered in a single blog post, such as an Adversary Simulations, Red Teaming, Social Engineering, and a great deal more. Some of these may be covered in future blog posts, so stay tuned, and remember: an ounce of prevention is worth a pound of cure!

May 6th, 2016|

About the Author:

John Nye is Vice President of Cybersecurity Strategy for CynergisTek and has spent the majority of the last decade working in Information Security, half that time working exclusively as a professional penetration tester. Besides testing and improving security, John has a passion for educating and informing the public. He accomplishes this by presenting hacking demos regularly at industry conferences and groups as well as writing blog posts for CynergisTek and industry publications. Nye’s specialties include Wireless, web, and system penetration testing, user education and public speaking, information assurance, security auditing, policy compliance and writing, and security research and analysis. Some of his industry certifications include CISSP, Licensed Penetration Tester (LPT) and Certified Ethical Hacker (CEH).