The perils of penetration testing
Monday, August 16th, 2021 in: News
Penetration testing is widely acknowledged as an important part of cyber security, but, like any security mechanism, it is not perfect and should not be done in isolation. It is essentially a controlled form of hacking in which a professional pen tester uses the same techniques as a criminal hacker to search for vulnerabilities in the company’s networks or applications.
Many organisations conduct annual penetration tests. Afterwards, they assume that they will be safe, that the test will find all vulnerabilities, and that a single pen test is enough. However, a pen test only provides a snapshot of your cyber defences at the time the test was conducted. It is the equivalent of checking the locks of your high-security building’s premises only once a year.
The basic building blocks of a coherent cyber security strategy (Identify, Defend, Protect, Respond and Recover) are far more important. Pen testing can provide a part of this strategy, particularly in the Identify and Defend areas, but it is just a snapshot.
Types of pen testing
The amount of access provided to the pen tester can have a huge influence on the outcome of the test. Tests typically fall into one of the following categories:
- White box penetration testing. This involves sharing full network and system information with the tester, including network maps and credentials. This helps to save time and reduce the overall cost. A white box penetration test is useful for simulating a targeted attack on a specific system utilising as many attack vectors as possible.
- Black box penetration testing. This is the most expensive option. No information is provided to the tester, who will follow the approach of an unprivileged attacker, from initial access and execution through to exploitation. This can be seen as the most authentic test, demonstrating how an adversary with no inside knowledge would target and compromise an organisation.
- Grey box penetration testing. Limited information is shared with the tester, typically login credentials. Grey box testing is useful to help understand the level of access a privileged user could gain, and the potential damage they could cause. It can be used to simulate either an insider threat or an attack that has breached the network perimeter.
Limitations of Pen Testing
- They provide a false sense of security. If the tester finds no point of entry, this does not mean that your security system is perfect, nor that it will remain perfect in the future. The results of a test are only valid for a specific point in time
- If they’re not done right, they can create a lot of damage. Tests that are not done properly can crash servers and expose sensitive data
- If you don’t employ realistic test conditions, the results will be misleading
- Remediation actions must be taken immediately after receiving the results
- Employees are likely to prepare for a test that they know is going to take place, leading to an unrealistically positive result
- A genuine attack will come without warning and in ways that are creative and hard to plan for. The best defence is a comprehensive cyber strategy that includes, but is not limited to, pen testing
To understand how pen testing can be used most effectively to protect your business, contact Astaara.