Penetration testing is about finding the problems organizations don’t know they have


If you’re in the business of selling cybersecurity equipment and services, this is a good time to be alive. Business is booming compared to the previous year, and these rises echo similar spending increases going back a decade and a half.

It’s unsettling, then, that despite all the money being poured into cybersecurity, the number of successful attacks continues to grow year on year, a trend that shows little sign of slowing. It sounds like a paradox: organisations have decided to invest in cybersecurity systems despite the apparent success of the bad guys in bypassing them.

While it’s probably true that the attackers have simply evolved faster than the security systems facing them, it’s worth considering other explanations, including the obvious one that the market is simply growing because a wider selection of organisations now sees cybersecurity as essential than was the case in the past.

Then we come to a second possibility: cybersecurity systems are designed to fix known problems, leaving a class of unknown issues unaddressed. This isn’t the fault of security equipment and is something that arises from the sheer complexity of modern IT.

Rise of the penetration test

Penetration tests started becoming popular in the early 2000s as organisations started to understand this issue. No matter how good an organization’s cybersecurity practice, problems such as misconfiguration, oversights, unpatched software vulnerabilities, and employee error are simply too numerous to be eliminated under real-world conditions. Penetration testing emerged as a way of spotting these issues before attackers get to them by simulating the techniques used in real attacks.

Organisations undertake penetration tests under pre-agreed terms to find hidden and sometimes quite specific weaknesses and vulnerabilities. What a penetration test gives organisations is visibility on all the weaknesses they don’t know about, including ones that relate not simply to equipment but processes, policies and even employees. If a weakness is found, it is not exploited, and data privacy regulations are always accommodated. 

The classic penetration test undertaken by every organization at some point is external, that is, its starting point is outside the network firewall. Increasingly, however, this is being supplemented by internal tests that assume an attacker already has a foothold inside the network. Today, many attackers try to take short cuts by stealing privileged credentials or abusing exposed services such as remote desktop protocol (RDP) or FTP servers, which means that internal testing is now often seen as a necessary follow-up to any external test.

As penetration tests have become mainstream, more specialized tests have become popular, including black box testing, where the tester starts the exercise with zero knowledge of the network being tested, and red teaming, a real-time exercise lasting days or weeks which tests every aspect of an organization’s security, including physical security and employee behavior. In addition, penetration testing companies also often test specific applications, carry out vulnerability assessments, and look for vulnerabilities in web applications.

Benefits of penetration testing

As already outlined, the point of a penetration test is to find complex, hidden weaknesses that only become apparent under real-world conditions. Just as important, however, is that these tests are conducted by an outside agency and are therefore independent. This avoids the conflict of interest and political problems of having an IT department audit the network it manages. At the end of a penetration test, the customer gets a report outlining any weaknesses that were found and how they might lead to a compromise, with fixes suggested in order of priority.

The limitations

One issue with penetration tests is cost. Obviously, the more extensive the test, the more expensive it is, and organizations need to consider having a second follow-up test to ensure reported weaknesses have been fixed. Because networks constantly change in a way that reveals new weaknesses, many organizations now schedule regular tests. Nevertheless, this isn’t always practical for smaller organizations lacking the budget for regular exercises.
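Two points above lend themselves to a small defender-side check: the exposed services the article names as attacker short cuts (RDP and FTP), and the fact that networks drift between tests, so a follow-up test should know what changed. The script below is an added example, not code from the article or from any testing firm. It parses two constructed asset-inventory snapshots (one from the previous test, one taken now), flags listening RDP and FTP services, ranks them the way a report would, and lists which exposures are new since the last test. The host names, the inventory format, and the severity assignments are all assumptions made for the example.

```python
"""Added example: flag exposed RDP/FTP services in an asset inventory and
report which exposures appeared since the previous penetration test.
All inventory data below is constructed for illustration."""

from dataclasses import dataclass

# Ports the article singles out as attacker short cuts (RDP, FTP).
# The severity table is an assumption for this example, not a standard.
RISKY_PORTS = {3389: "rdp", 21: "ftp"}
SEVERITY = {
    ("rdp", "external"): "critical",
    ("rdp", "internal"): "high",
    ("ftp", "external"): "high",
    ("ftp", "internal"): "medium",
}
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True, order=True)
class Exposure:
    host: str
    port: int
    zone: str      # "external" (reachable from the internet) or "internal"
    service: str
    severity: str


def parse_inventory(text):
    """Parse constructed 'host,port,zone' lines into a set of tuples.
    Blank lines and '#' comments are ignored; unknown zones are rejected."""
    rows = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port, zone = (field.strip() for field in line.split(","))
        if zone not in ("external", "internal"):
            raise ValueError(f"unknown zone {zone!r} for {host}")
        rows.add((host, int(port), zone))
    return rows


def find_exposures(rows):
    """Return the listening services that match the risky-port list."""
    found = []
    for host, port, zone in rows:
        service = RISKY_PORTS.get(port)
        if service is None:
            continue
        found.append(Exposure(host, port, zone, service, SEVERITY[(service, zone)]))
    return found


def prioritise(exposures):
    """Order findings as a report would: most severe first, then by host and port."""
    return sorted(exposures, key=lambda e: (RANK[e.severity], e.host, e.port))


def new_since(baseline_rows, current_rows):
    """Exposures present now that were absent from the previous snapshot."""
    return prioritise(find_exposures(current_rows - baseline_rows))


# Constructed inventory from the previous test: host,port,zone
BASELINE = """
fileserver.corp.example,21,external
jumpbox.corp.example,3389,internal
web01.corp.example,443,external
"""

# Constructed inventory taken before the follow-up test; one new RDP exposure
CURRENT = """
fileserver.corp.example,21,external
jumpbox.corp.example,3389,internal
web01.corp.example,443,external
legacy-erp.corp.example,3389,external
bastion.corp.example,22,external
"""


def report():
    """Build the two lists a follow-up test would want: everything, and what is new."""
    base = parse_inventory(BASELINE)
    now = parse_inventory(CURRENT)
    return {"all": prioritise(find_exposures(now)), "new": new_since(base, now)}


if __name__ == "__main__":
    result = report()
    for e in result["all"]:
        flag = "NEW " if e in result["new"] else "    "
        print(f"{flag}{e.severity:8} {e.service:4} {e.zone:8} {e.host}:{e.port}")
```

Running it prints three flagged services, with the externally reachable RDP host at the top and marked as new; the SSH and HTTPS listeners are ignored because they are not on the risky-port list. Replacing the constructed strings with the output of a real inventory or scan export is the only change needed to use the same drift check between scheduled tests.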

A tricky situation can arise where a test reveals the weakness of a legacy system that is old or out of date. Often organizations can’t easily fix these and must make do with additional security or mitigations that isolate these systems as much as possible. A penetration test can reveal where this type of weakness lies but it doesn’t necessarily solve the issue on its own.

Conclusion

In some organizations, penetration testing is becoming something they undertake on an almost constant basis. Competition for business is fierce and services are becoming more automated and commoditized. However, a good penetration test is still about the quality of the testers who carry out the test and the ability of the in-house IT team to address the problems they find. Penetration tests are not a panacea, but they should now be a big part of the security toolbox.