Pentesting from a business perspective; Why and How?
Nowadays, three words are enough to shake up a company: “We got hacked”. Admittedly, there are more elaborate ways to explain such a situation, but you get the gist. I will not talk about the incident response process following such a cyber-attack but about preventing them from happening. The famous saying goes that “we” need to be right every time, but a hacker needs to be right only once. This is completely true, and as there is no way to prevent ALL cyber-attacks from happening, we need to make sure that ‘one time’ is very unlikely to happen.
To achieve this, you need to make sure that security holes not yet detected within your organization are identified and subsequently solved in a timely manner. Performing penetration tests is a good way to identify them. Penetration testing is a very broad term and there are many different types: Web application, network service, physical, …. We won’t dive into each of them but will talk about the why’s and how’s of penetration testing.
From a business point of view, being the victim of a cyber-attack can lead to all sorts of damage; financial, reputational, operational, etc. For example, if a cyber-attack leads to the unavailability of your systems, you may need to pay costs for the response and recovery activities, it can damage your reputation and result in operational damage. If the attack results in a data breach and personal information was stolen, GDPR fines may follow, and your reputation also takes a hit. Needless to say, being the victim of a cyber-attack has to be avoided at all costs.
If you want to start penetration tests, you might wonder where to start. We’ll go over a process to get you started.
Identify what should be tested
Your organization might be vulnerable in many different areas. Penetration tests cost money and your resources are always limited. Therefore, it is very important to prioritize what you are going to test. A good way to determine this is a risk assessment. We won’t go into detail on this as it can be a topic on its own, but the goal is to determine the highest-risk components in your organization. Usually, internet-facing applications have a high priority as they can be directly accessed by potential attackers.
Choosing a penetration test provider
The first decision to be made is whether to hire someone internally to perform penetration tests for you or to contract an external company. The internal option might not be the best option in the long run: people can get bored, they get to know the environment too well, and for subsequent tests on the same application a fresh set of eyes can be refreshing. Choosing an external company is very specific to your needs and generalizing the process is hard. For most companies, the two most important criteria will be expertise and cost. A company might be more specialized in certain types of penetration tests, so matching their expertise to the type of test you need is important.
Define the scope of the penetration test
Let’s say an attacker is targeting your public website ‘yourcompany.com’. He has a lot of time and resources, while a standard web application penetration test usually takes a week or less, depending on the scope. That doesn’t seem like a fair fight. It is crucial to agree upon the scope of your penetration test, i.e. what its focus will be. This is very specific to each type of penetration test and cannot be generalized entirely. In the case of a web application, testing for the OWASP Top 10 is a good start but should not be limited to that. Scope definition can be done together with the penetration test provider. In this phase, the penetration test provider can also make a list of all the requirements on their side to make sure the test can be performed as smoothly as possible.
Setting up and guiding the penetration test
Once the scope is defined, you must make sure the penetration test can take place in an optimal environment. Performing tests on a live system is not advised. It is common for a test to break the system, and this will result in downtime. You do NOT want this to happen on a live system. For the most accurate results, it is highly recommended to perform these tests on a test environment that is an exact copy of the production environment. Make sure to inform the people who need to be aware that a penetration test is ongoing.
Follow-up
This is the most valuable phase for you. All the identified issues in the penetration test will be presented to you and a criticality rating will be assigned to these issues. The industry standard commonly used for this evaluation is the CVSS rating (Common Vulnerability Scoring System) that gives a number ranging from 0 to 10:
• 0.1-3.9: Low
• 4.0-6.9: Medium
• 7.0-8.9: High
• 9.0-10: Critical
Remediation of all found issues is a very important step to complete the penetration testing process. We will deep-dive into this remediation process another time.
Conclusion
It is impossible to find all security holes in your system in a penetration test, and it takes a while to solve all identified issues, hence a risk remains that an attacker might find a way to be successful in his attempts. That is why penetration tests need to be used in combination with a SIEM (security information and event management) that provides real-time analysis of security alerts.
If you are looking for a good-quality penetration test service or need assistance to develop a vulnerability management process, feel free to reach out to us.
References
OWASP Top 10: https://owasp.org/www-project-top-ten/