Cybersecurity Blog | Ingalls Information Security

Foundational Control: Use Penetration Testing To Find Security Holes

Written by Jason Ingalls | Mar 20, 2019 4:00:00 AM

This article is part of our weekly series on how to manage cybersecurity risk for businesses. If you'd like to download the complete 8-point guide, click here to sign up and get the entire guide for free!

This week, we'll discuss how testing businesses by doing a cybersecurity penetration test can help minimize the risk of being hacked. We discuss the various types of testing, the benefits of each, and what you should expect and get out of performing a penetration test.

Some hackers actually get paid to break into their victims' networks or systems, explain how they did it, and help the victim fix the problem before other hackers figure it out and use the same methods to steal, destroy, and generally create chaos. These professionals are known in the cybersecurity industry as "white hat" hackers, and their job is to perform penetration tests for businesses and organizations that want to make sure they are aware of any vulnerabilities that a "black hat" (i.e. criminal) hacker might use to create an intrusion. Penetration testing is as much art as science, and the best "pentesters" are able to mix intuition and an amazing repertoire of technical wizardry to "find a hole" and exploit it so that they gain full control of an IT environment. By doing so, they identify ways that a business can reduce their "attack surface," or the amount of technology that is exposed to potential attackers, as well as plug any vulnerabilities in systems that are accessible from inside or outside of a computer network.

The biggest reason for a business to engage a penetration test is to determine whether or not someone skilled in offensive cybersecurity can defeat the various security controls that the business has and gain unauthorized access to sensitive information. Think of a house whose owners want to prove how safe the security system is; they can hire professionals to try and break in. If they are successful, the intruders explain what happened, how, and what should be done to close any gaps that were used in the break-in. The same thing happens in a penetration test, only instead of replacing or upgrading locks on doors and windows, a business may need to re-configure the network firewall and apply some critical patches to its servers.

Below are some general rules of thumb about engaging a penetration test for a business:

Test the Outside AND Inside of the Business Network

Many cybersecurity firms will sell you an "external" penetration test that only considers your Internet "footprint," or the Internet IP addresses, websites, and services that are connected to your organization's computer network. Generally, any time an external penetration test has a finding that significant, it's probably not the first time the vulnerability was discovered, and the test is probably not going to catch other, deeper problems in the organization because it's not designed to do so.

Penetration testing should include "internal" penetration testing to understand what an attacker with access to a computer inside the organization might be able to access. This replicates the real-world scenario of an employee clicking on a phishing email and downloading malware that gives attackers access to the employee's workstation; what can they do next? A good penetration tester will be able to map out the inside of a business's network, identify vulnerabilities in configuration or lack of patch management, steal credentials, and generally determine what kind of damage a real attack would cause. Make sure that any penetration test that is performed includes internal testing as part of the testing scope.

Get a Pentest at least Annually

By getting a penetration test done at least annually, organizations can ensure that they understand the IT security controls from an attacker's perspective, and that any changes since the last test get considered as part of the test. Remember that a penetration test is only a "point-in-time" look at an organization's IT security, so more frequent testing will uncover vulnerabilities and risks faster.

Test Web Applications and Software Differently Than Your Office Network

A typical external/internal penetration test will look for websites, apps, and other services and attempt to determine if any vulnerabilities exist. However, dynamic websites and sites that have a lot of features may require additional focus and effort; they may require you to get a Web Application Penetration Test performed. These "web app pentests" are focused on the specifics of a dynamic website and involve more than just enumerating the web applications or services, but testing access at different levels (public, private user, super user) as well as things like input and output sanitation at a code level. Make sure to ask your cybersecurity testing services provider about whether or not you need this level of testing if you are hosting business critical software applications that are Internet-exposed.

Plan Ahead When Scheduling Testing

When you decide that it's time for a penetration test, make sure to give yourself time to schedule the test AND time to resolve any issues that may be discovered during testing. Some companies are required to get a test or have policies that dictate how often they get testing, and it's common for there to be a surge of test requests at the end of each calendar year, as companies struggle to achieve their testing goals. Cybersecurity firms can have availability issues due to everyone deciding at the last minute to schedule and execute testing to meet their goal deadlines, so getting a test scheduled early guarantees availability and timely execution.

Provide Management Responses to Test Reports

Once a test has been performed, a penetration test report will be provided to the business that explains the scope of the testing engagement, how the test was performed, findings from the test (results) and recommendations based on what was discovered. It's important that the business review this report and respond to the findings. This is generally called "management response," and allows a business to manage any issues discovered during the test by:

  • determining a course of action for any finding or vulnerability discovered;
  • identifying and documenting what will be done;
  • assigning the task to a responsible party, and;
  • setting a deadline to have the task complete by.

This is the best way to get the most value out of a penetration test, because business leadership can always look at the copy of the test report with management responses to determine if the recommendations in the report were followed, and the next test should take into consideration any findings, recommendations, and actions taken to determine if the actions had an impact on the organization's security posture.

If your business or a client needs expert penetration testing, please contact us today to schedule an engagement with Ingalls Information Security!

Join us next week when we discuss how to make sure your SMB clients have secure accounts and passwords. We discuss the various types of multi-factor authentication, the dangers of password reuse, and how to use password managers to protect sensitive account information.

This article is part of our weekly series on how to manage cybersecurity risk for businesses. If you'd like to download the complete 8-point guide, click here to sign up and get the entire guide for free!