Penetration testing
The true test of your security defenses is when they are attacked. Using the same tools and techniques as organised criminals we attempt to hack into your systems. This is known as a penetration test or ethical hacking. Testing is only performed with proper authorisation, and follows a clearly defined methodology. At the end of the test you’ll receive a report of the security issues, their impact, and what you can do to fix them. Different systems carry different levels of risk, and tests can be tailored accordingly.
An unknown quantity
Many people assume that with firewalls and antivirus software in place, their systems are safe from attack. All those organisations who have been victim to a network intrusion would have thought the same. How do you know how well protected your systems and data are to a hostile attack? Have you actually performed a risk analysis of critical areas and the effectiveness of your security measures?
The biggest threats may be unexpected; perhaps a disgruntled employee seeking revenge, or a disaffected director with their eyes on the customer database. Or it could be from viruses and other malware, that can spread through a poorly configured e-mail system. Remote access and Wi-Fi services could also provide the backdoors that let hackers in.
Why test?
Apart from highlighting where your weaknesses are, testing has other benefits!
- Regular testing can help you meet regulatory and industry compliance requirements (e.g. GFSC Cyber Rules, GDPR, PCI DSS)
- You are able to rectify vulnerabilities before they are discovered by attackers
- An independent review gives senior management and stakeholders a deeper level of assurance over the effectiveness of security measures
- Testing increases awareness of information security issues, and that knowledge and experience that can be incorporated into future system developments
How does it work?
A test plan is designed around your most vulnerable information assets. Websites, e-mail systems and remote access portals are common targets. Testing then follows a logical sequence:
- Foot-printing – research of online public records and resources to gain technical or personnel information for use in attacks later on
- Enumeration and scanning – probing live network devices to identify potential entry points
- Access attempts and escalation of privilege – we attempt to gain user-level access then raise this to administrator level. The many techniques include brute-force authentication attacks, buffer overflows, and leveraging sensitive information that has not been adequately protected.
- System compromise and trophy gathering – in the final stage we locate and acquire sensitive information like salary data, e-mails of senior management or customer credit card details
Tests may be run externally to simulate internet-based attackers, or internally, where the attacker is an employee or someone with physical network access.
Protecting the crown jewels
A test is not complete if it does not consider the internal systems that contain the corporate “crown jewels” that attackers are intent on stealing. For internal testing it is common to devise a set of attack scenarios that represent the most likely types of threat. These scenario-based tests are designed around simple questions like:
- What information could an inquisitive, but non-technical, temporary employee with limited access get to?
- If a malicious hacker was left alone in a meeting room what level of network access could they obtain in a short while?
- Could one online customer gain access to the details of another?
At the end of the test you will receive a detailed, easy to understand report of the security issues, their impact, and what you can do to fix them.
Specialst assessments
Tests can be refined further according to the system and information at risk. Other options include:
- Cloud platforms and virtual desktop breakout tests
- Web application security testing
- Physical attack and social engineering
- War-dialling / VOIP
- Wi-Fi assessment
- Testing of anti-malware defences, EDR and SIEM solutions