There are several types of testing in the IT market, each meant to address different aspects of security, operations and compliance. Penetration testing is a practice that can often span many of these aspects in meaningful ways, by providing security and system awareness across almost any facet of your organization’s technical operations.
Here, we’ll start with an intro to the concept of penetration testing. In the near future, we will start to dig into the details of penetration testing for compliance, but here we will introduce some of the basics of what penetration is and why it is important.
Why is Penetration Testing Important for Compliance and Cybersecurity?
One of the primary concerns for both compliance regulations and cybersecurity hygiene is the understanding of potential vulnerabilities that could lead to security breaches. Generally, vulnerabilities can fall under three general categories:
- Technical: The bread and butter of security, technical infrastructure vulnerabilities stem from digital technology itself. Vulnerabilities can pop up nearly anywhere: poor API security, misconfigured network security, poor application authentication, insufficient Identity and Access Management (IAM), or any combination of the above. If there is a place where a hacker can take advantage of technical weaknesses to break into a system falls into this category.
- Physical: While we live in a largely digital world, our digital tools and environments are built on physical systems like data centers, local computers, routers and so on. Hackers with the right access can outflank technical security simply by going to the source and breaking into a system there. This can include technological breaches like unauthorized access to server rooms or workstations or even social engineering practices like dumpster diving for passwords or other information.
- Administrative: Alongside physical systems, our IT infrastructure is run by, operated on and used by people. Accordingly, these people can prove a weak spot in digital defenses. Phishing attacks focus primarily on fooling people into giving up credentials. Likewise, poor security practices that continue without correction or training leave systems vulnerable due to ignorance of good cyber hygiene and security practices.
Penetration testing is the process of finding weaknesses in any and all of these categories and exploiting them to demonstrate their existence. Unlike more theoretical or automated assessments of vulnerabilities, as they exist in a system, a penetration test leverages all the potential attack surfaces and modern security threats available to expose vulnerabilities and suggest remediation.
This doesn’t mean that the organization undergoing the pen test is being hacked. Instead, the penetration testers will go so far as to prove how deep into a system they were able to get and then show their results.
With that being said, the party providing the testing can vary. There are five different types of penetration testing:
- External Testing: As the name suggests, a person or organization performs tests on external, public-facing systems to determine vulnerabilities. This can include a security firm testing from a remote office or white-hat hacker launching attacks in order to locate and report security gaps.
- Internal Testing: Much like external testing, internal tests will usually (but not always) involve a third-party tester with access to internal systems. Unlike external testing, an internal test can help test for insider threats or other gaps.
- Open-Box Testing: A testing scenario where the hacker has some level of information about the systems they are testing.
- Closed-Box Testing: A testing scenario where the hacker has little or no information about the system they are testing.
- Covert Testing: A testing approach where the security firm or hacker tests systems without anyone in the organization knowing.
Each approach to pen testing can provide some knowledge as to what your vulnerabilities are. A hacker performing a closed-box test, for example, could model the experience of a hacker in the wild attempting to probe system weaknesses. Likewise, a covert test would give the testers a more authentic understanding of the day-to-day activities of employees and your IT and security team.
Depending on your industry and regulations, penetration could be a smaller or larger part of your organization’s cyber hygiene. Many regulations require penetration testing at some stage of authorization or certification, but many organizations elect to undergo penetration testing on their own just to best understand their security weaknesses.
What are the 5 Stages of Penetration Testing?
When you work with a company providing penetration testing, they will often follow a standard 5-stage process. The stages of this process include:
- Planning and Reconnaissance: At this stage, you work with the company to plan the test. Even in tests where hackers or your IT team don’t know much about the systems in question, business, technical and compliance leadership must have a plan in place to measure success and failure for the test. These conditions would necessarily include organization-specific goals, compliance requirements and other factors.
- Scanning: Here, hackers/testers will begin to ascertain the contours of your system. They will problem system resources, including application code, network systems and other areas to determine how your organization will react to different types of threats, potential or otherwise. This probing will give the testers an idea of how your system reacts to threats.
- Access: A full-out attack, at least in terms of gaining access to your system, usually through the approaches that many of us are familiar with; SQL injections, cross-site scripting, and even social approaches like phishing or installing backdoors through third-party software.
- Maintenance: Once access is gained, the testers will attempt to maintain their access and expand control throughout the system. Persistent presence is one of the most damaging aspects of a breach because an unknown threat can steal information and infect other systems, often unknown, for months before detection.
- Analysis: After the predetermined time frame, the testers provide a complete analysis of their findings, their success and failures, and places where remediation is called for.
These tests, depending on their scope, can become quite complex. This is particularly true when considering the overlap of potential attack surfaces. A 100% technical assault might determine weaknesses in an IT infrastructure, but miss a poorly secured email system that doesn’t alert employees and, thus, opens the door for phishing attacks.
Automated and Expert Penetration Testing with Continuum GRC
Penetration isn’t just a security test: it is a complete understanding of the gaps in your security and compliance strategies and infrastructure. While some practices and tests are integral to compliance, penetration tests are the cornerstone of many frameworks and strong cybersecurity audits. More likely than not, if you operate IT services in any capacity, then you will undoubtedly want to undergo penetration testing. Learn how compliance, automation and penetration testing can become the cornerstone of your security strategy.
Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.