Penetration testing is one of many tools available to organisations to evaluate the effectiveness of their layers of cyber controls.
Organisations have always been exposed to a wide range of types of risks, but over the last 15 years, cyber risk has become one of the top 3.
According to The Centre for Strategic and International Studies (CSIS), almost $600 billion (or nearly 1% of global GDP) is lost to cybercrime each year, and according to the Identity Theft Resource Centre, over 300 million individuals were impacted by publicly reported data breaches in 2020.
In response to the growing cyber threats:
- organisations have increased cyber security expenditure and adopted internationally recognised better practice guidelines and information security standards such as ISO 27001,
- lawmakers have introduced various data protection laws across local and international jurisdictions, and
- regulators such as APRA and ASIC have made it clear that cyber risks are the responsibility of the board and directors as cyber risks are a foreseeable risk.
It is clear, that organisations have an obligation to meet higher information security standards and achieve cyber resilience. Information security standards and regulations require independent or external penetration testing to be performed to ensure vulnerabilities are captured and remediated.
What is a penetration test?
When it comes to cyber security, it is unlikely that any information system is perfect 100% of the time. No matter how much money you spend or how effective your controls, there will always be a level of residual risk. Why? The dynamic nature of information technology and the need for constant change means many vulnerabilities can exist in operating systems, service and application flaws, improper configurations, new changes/updates or risky end-user behaviour.
A penetration test, also called a ‘pen test’, is a method of evaluating the security of an information system and/or infrastructure by seeking to identify and exploit vulnerabilities to gain access to systems and data. Specifically, ISO 27001 requires an “organization’s exposure to such vulnerabilities be evaluated, and appropriate measures taken to address the associated risk.”
Penetration testers, also known as red team ethical hackers, evaluate the security of information technology systems and infrastructure using a controlled environment to safely plan, discover, attack and report vulnerabilities – depending on the scope or objectives of the pen test.
A penetration test is like asking someone to attempt to break into your home, office or car. In doing so, the ethical hacker provides you with a report of the weaknesses identified.
Key questions directors should ask regularly
Here are some critical questions for directors and senior management to ask to ensure the penetration testing is appropriate for their organisation:
1. How often should pen tests be performed?
Pen testing should be performed on a regular basis (at least every 12-18 months) and even more frequently in high risk sectors, when there are known vulnerabilities or when various components of the information system change.
If directors and board committee members are not seeing frequent reports and updates relating to pen testing, it is a red flag.
2. Is a pen test different to a vulnerability scan?
Yes and both are valuable. Vulnerability scans are automated tools that examine part of an environment depending on where they are placed. They sometimes automatically resolve the vulnerabilities uncovered. They are relatively quick to perform, and some vulnerability scans can compare systems against over 50,000 unique external and/or internal weaknesses.
A pen test however is a detailed hands-on examination by a person (an ethical hacker) who tailors a custom approach to try to discover and attack weaknesses in your system. The person thinks and acts like a hacker, but does not capitalise or hold you ransom on the weaknesses identified.
3. What is the objective of the pen test?
It is critical to understand why your organisation requires penetration testing as this could drastically impact the cost of the pen test. Understanding the objective of pen testing will set a clear scope for an external pen tester/vendor to provide precise pricing. If the testing is for compliance purposes, consider what legal or regulatory guidelines stipulate for the scope of testing. If the testing is to fulfil the requirements of a stakeholder, consider what depth of testing they require of you to satisfy their requirements.
If determining the scope of testing is complex, don’t be afraid to ask penetration testing vendors to assist in scoping the exercise. As part of the quotation process, this is a free service and will also help your organisation better understand what it is trying to achieve. This request will also quickly identify if the vendor has experience in specific standards and what the requirements are.
4. What type of testing is required?
Once a clear scope is defined, it is necessary to understand the common types of testing and how they will impact pricing. The three most common types of penetration testing are:
- Black box testing (unauthenticated) – External vulnerability testing to see if an attacker can access an unknown system without user credentials.
- Grey box testing (authenticated) – Internal testing to try and determine if a user can elevate their privileges to perform unauthorised tasks.
- White box testing (authenticated) – Internal testing to try and determine if a user can access other systems or devices within the organisation.
Commonly, for a specific application test or system test, Grey box and White box testing are combined and a vendor will offer Black box testing only or Black box + White box testing. The cost difference between the two is substantial. If external testing is the only requirement, opt for Black box testing and save more than 50% on the cost of the exercise. However, this is generally not recommended. If an external attacker gains access and critical internal vulnerabilities have never been tested, this could allow an attacker to seize control of the infrastructure. Internal testing prevents cross-access and cross-scripting so that even when an attacker gains access, they may not be able to get very far before being contained.
While it is cheaper to choose Black box testing only, we only recommend this for infrequent or ad hoc exercises, or when no significant changes have occurred since the last White box test that could impact vulnerabilities.
5. What qualifications does the pen testing vendor have?
It’s important to select a pen tester/vendor that not only has experience and understanding of applicable standards, but also evident certifications in recognised programs. A vendor should be able to show proficiency in at least some of the following or equivalent certifications:
- CISSP – Certified Information Systems Security Professional
- CEH – Certified Ethical Hacker
- CPTC – Certified Penetration Testing Consultant
- CPTE – Certified Penetration Testing Engineer
- OSCE – Offensive Security Certified Expert
- OSCP – Offensive Security Certified Professional
- SANS GPEN – Global Information Assurance Certification Penetration Tester
- CREST – Not-for-profit certifications
6. How much does pen testing cost?
It may seem quite obvious, but the cost of pen testing is an important consideration. While it seems like a new practice to some, penetration testing has been around for decades. This has allowed the industry to develop consistency in pricing across vendors and standards for the kinds of inclusions and packages. What this means is that for the most part, cost will reflect experience, capability and inclusions in the quotation. The more you pay, the greater the customer experience, depth of findings and post-testing remediation support.
Vulnerability scans are likely to be less expensive as they are automated scripts, automated analysis and automated reports.
Like most services, never select a penetration testing vendor without coordinating at least three quotations from completely independent vendors. Be sure to compare the inclusions, especially the post-testing remediation support. Many higher priced vendors will provide remediation steps and even validate remediation of critical vulnerabilities for free before providing a report.
7. Will the test impact production or users?
If an application or system specific penetration test is being performed, it is best done on a sandbox or test version to ensure production users or staff are unaffected. If this does not exist, the vendor should be capable and willing to perform the test at a time that will not impact service delivery. Thanks to mobile and collaborative workforces, many vendors are capable of performing services around the clock thanks to having pen testing teams in various time zones.
If a sandbox or test environment does exist, consider the availability of the vendor during a slow cycle in a calendar year to prevent any secondary impacts, such as a server crash or reboot affecting production.
8. What happens after the pen test?
As the purpose of the pen test is to identify security gaps, fixing the gaps should be the next step.
The results of the pen test are typically presented in a report, similar to any other audit report. The issues identified can be very technical in nature and analysis is required to help translate the significance of the gaps, priorities, actions, benefits and costs to remediate. It is important to get buy-in from the board and ownership of the agreed actions from management.
Once the gaps are remediated, testing again can be valuable to ensure effective remediation, remembering that some vendors may offer this as part of the pen testing package.
Pen testing is an extremely valuable control. These questions can help guide organisations during the design of the penetration testing, vendor selection process and when evaluating the results.
How we can help you be more cyber resilient
We are here to help strengthen cyber resilience. Our cyber risk management capabilities include designing and developing a cyber risk management framework and a wide range of response plans to enhance your cyber resilience capabilities. Our cyber risk management services include:
- Cyber Security Gap Analysis
- Cyber Risk Governance Framework Review
- Cyber Risk Governance Framework Development
- Third-Party Vendor Review and Cyber Risk Analysis
- Cyber Risk Awareness Training and Internal Campaigns
- Email Phishing Campaigns
- Cyber Incident Response
- Post-Cyber Incident Review
- Crisis Team Familiarisation Training
Be more resilient to a wide range of cyber risks and contact us to discuss how we can help strengthen you cyber resilience framework.