The Importance of Continuous Penetration Testing (FAQ)
What is ‘Pentesting’?
Penetration testing, also known as ethical hacking or pentesting, is a simulated cyber attack on a computer system. Its aim is to find vulnerabilities that malicious hackers could potentially exploit. Simply put, it is as if one were to hire a hacker to attack your computer systems (servers, web and mobile applications, data held in the cloud, the network, etc.) in order to find any weaknesses or gaps that a real attacker could bypass or compromise. Pentesting therefore helps to improve the security posture of an organisation.
How does a penetration test work?
1. Planning: Involves defining the priorities, scope and goals, etc., together with all relevant stakeholders.
2. Threat modelling: Process by which potential threats such as structural vulnerabilities (this refers to system architecture flaws) or the absence of appropriate safeguards can be identified and mitigating actions taken.
3. Scanning: Involves identifying potential vulnerabilities on the target system, largely with automated tools. It is not an entirely automated process, however: a tester will also probe the system manually, guided by the requests sent to and the responses received from the target system.
4. Exploitation: This involves exploiting the vulnerabilities identified during scanning in order to gain access to the system. Exploitation may include privilege escalation, extracting data, intercepting traffic, injecting malicious code into the system, etc.
5. Reporting: All the findings, including supporting artefacts or evidence, attack narratives, implications and recommendations, will be documented in a complete in-depth report.
6. Peer-Review & QA Process: A peer review among the consultants and senior testers is usually done. After the report has satisfactorily passed that review, the draft is sent to Quality Assurance supervisors, who vet it for accuracy and approve it before it is finally sent to the customer.
7. Remediation and Support: A retest after the customer has applied fixes, to verify whether or not the findings have been resolved.
I have a good IT team and the best security system. Do I still need to conduct pentesting on my systems?
In 2020, SolarWinds was hacked by a group of rogue hackers. As a result, the cybersecurity of multiple US government agencies such as the Pentagon, the Department of State, the Department of the Treasury, etc., and around 400 of the Fortune 500 companies, like Intel, Nvidia, Cisco, etc., was compromised, because they were customers of SolarWinds. Most of these companies and public agencies have teams of cybersecurity experts and adopt the best security systems, yet they too fell prey to hackers. The reason is that hackers are continually devising ever more sophisticated ways to steal, manipulate or delete sensitive data.
Therefore, it is imperative that companies conduct regular and continuous pentesting of their IT security infrastructure as part of their due diligence. Pentesting improves the security posture of an organisation and enables a company to:
- Identify gaps in security before a hacker does, with steps for remediation,
- Comply with security obligations that are mandated by industry standards and regulations,
- Avoid costly data breaches and the resulting impact on business operations, and
- Earn the confidence and trust of customers, suppliers and partners.
Pentesting may also be required by a company’s partners, suppliers, customers or regulatory authority, and such assessments or reports usually have to be made available to them. Hence, a “third-party independent review” by an accredited organisation with certified testers is crucial for the organisation’s ongoing security posture.
I am currently using a vulnerability scanning tool to test our system. Would this be sufficient?
Simply put, vulnerability scanning is similar to someone checking whether the door to his house is locked properly. A penetration test is similar to the same person examining whether there are any loopholes in the lock mechanism, attempting to open the door and, if possible, going inside the house. Beyond testing whether the door can be lockpicked or bypassed, the test also examines the rest of the attack surface, such as the windows, the grilles at the kitchen, roof access, etc., to see whether any of them can be broken into easily or by some technical means.
Vulnerability scanning identifies potential vulnerabilities in one’s system, but it does not exploit them; it merely focuses on finding known and potential vulnerabilities. Pentesting, on the other hand, attempts to find loopholes and actually exploit them. The latter simulates a real-world cyberattack and provides a more thorough examination of the system.
Will penetration testing be disruptive to my system? Some of the assets need to run 24/7.
Unlike a vulnerability assessment, where automated scans and sweeps are conducted across a whole segment, a penetration test is precise and targeted, so the level of “testing traffic noise” is minimised. That said, anything can happen on the target, e.g., downed services, an unresponsive server or backend database, etc., which may or may not be caused by the test.
Therefore, a penetration test exercise should be planned methodically with the relevant stakeholders and owners of the systems. A backup snapshot should be taken prior to the exercise. A person-in-charge (PIC) from each side, i.e., customer and tester, should be contactable or available throughout the testing, in case a cease-and-desist decision needs to be made. Fixes, updates, modifications and amendments to the in-scope applications should be frozen for the duration of the testing window. For these reasons a Test, Development or UAT/SIT environment is the preferred target for the exercise, but the application in that environment should reflect the production application (with regard to the code baseline and the major and minor versions). The data used in the test environment should be sanitised or redacted dummy data.
My system is on a Cloud. Do I still need pentesting?
Your cloud provider does not control or secure your own systems and services. It is only a service provider, although some of these companies do offer anti-DDoS mitigation as a basic protection layer. Vulnerabilities can still very well exist if security has not been designed into the application. Penetration testing is focussed more on the application layer and targets potential threats that can be uncovered and disclosed. Therefore, it is imperative, and your responsibility, to secure your systems.
Pentesting has been done on my application(s) and/or system(s). Are these application(s) and/or system(s) safe now?
This question can be considered from different angles. Yes, an application or system can be considered “safe” once the highlighted issues and findings have been identified and steps have been taken to remediate them. And no, it is not technically feasible to assume that an application or system is ever totally “safe”: given enough time and resources, attackers will eventually compromise the target if proper cyber hygiene has not been practised. Do note that every penetration test is a time-boxed event, meaning that it is a point-in-time test. Our systems, however, change every minute due to updates, fixes, data changes, new software, newly discovered risks, etc. Threats are ever-evolving. Cybersecurity is not a one-time task; it should be a continuous improvement cycle embedded into the culture of the organisation, in order to keep your systems as resilient as possible.
Annual pentesting is recommended to test an organisation’s systems and overall security, as well as to improve awareness amongst staff. We need to be conscientious in minimising our exposure to potential and newly emerging cyber-attack vectors.