Based on the fundamental principle that prevention is better than cure, penetration testing (pen testing) is essentially an information assurance activity to determine whether information is appropriately secured.
Conducted by penetration testers, sometimes known as 'white hats' or ethical hackers, it uses the same tools and techniques as the bad guys ('black hat hackers'), but in a controlled manner and with the explicit permission of the target organisation. The purpose of the exercise is not just to determine whether it is possible to break through an organisation's defences, but to identify the breadth and depth of its vulnerabilities.
Naturally, a key focus is providing detailed and accessible recommendations to improve an organisation's overall security posture. Beyond assessing the risk of the more technically oriented findings, a root cause analysis is typically provided as part of the report; this tends to be more business-focused, addressing shortcomings in the organisation's overarching information security strategy: examples include why a password policy is inadequate, or highlighting inconsistent patch management.
Any organisation holding sensitive information such as customer data, personally identifiable information, payroll data, payment card data, intellectual property or trade secrets should be incorporating penetration testing into its wider governance, risk and compliance activities.
One of the main drivers for conducting regular pen testing is PCI DSS compliance, which sets out requirements for penetration testing to validate the security controls in place. Other drivers include businesses wanting to validate the resilience of a new IT environment or following a significant change; fundamentally it is driven by the need to ensure the company's assets and data are well protected against attack.
We know that being the victim of a data breach can impact a business's top-line revenue through negative press, and in some industries the risk of regulatory fines is also at play; nobody wants to become the next data-breach headline.
Companies with more mature approaches to security will tend to have proactively incorporated pen tests into their strategy and have a relatively clear roadmap at the start of the year, commonly covering which network environments and critical web applications require pen testing, how frequently they should be tested, and when.
Others adopt an ad hoc approach, sometimes before a new system goes live or as part of their annual PCI review. The latter frequently focuses only on the infrastructure connected to payment card data and can leave the rest of the network untested.
Vulnerability scans versus pen testing
A common area of confusion is the relationship between vulnerability scanning (automated) and pen testing (expert-driven manual testing). Both involve a proactive and concerted attempt to identify vulnerabilities that could expose the organisation to a potential malicious attack.
Vulnerability scanners are good at identifying 'low-hanging' vulnerabilities, such as common configuration mistakes or unpatched systems, which present an easy target for attackers. What they cannot work out is the context or nature of the asset or data at risk, and they are also less able than humans to spot unknown unknowns (things not already on the risk register, or not theorised by the organisation as potential security issues).
Good pen-testing teams, however, do this well. For example, we've had countless engagements where an environment had previously only been vulnerability scanned, and when we've conducted a pen test of that same environment we've managed to compromise many systems, gained unauthorised domain-administrator or root access to systems, and ultimately gained unauthorised access to sensitive data.
One final distinction is that vulnerability scans are unable to handle certain types of security issue, such as subtle business logic flaws, which may require a human's understanding of how a particular workflow or process is meant to work in order to exploit them.
In truth, both are required: vulnerability scanning as a frequent (e.g. monthly or quarterly) baseline activity, and pen testing as the more detailed exercise, perhaps a couple of times per year, depending on the assurance objectives. The point is that an experienced security tester, ethical or not, often finds critical and high-risk vulnerabilities in environments that regularly undergo automated vulnerability scanning.
Different kinds of pen tests
The most common types of test are directed at either network infrastructure or a specific application. A network pen test typically covers entire networks and many hosts, sometimes crossing geographical boundaries. This kind of testing can be both external, against internet-facing servers and supporting infrastructure, and internal, against corporate information systems assets including servers, workstations and IP telephony systems.
Application testing, on the other hand, involves a targeted assessment of a single, usually web-based, application. The application may be accessible only to the company's own employees, to third parties or partners, or it may be internet-facing and available to all, such as an e-commerce website.
Conducting this kind of testing requires authentication credentials so that each role or privilege level within the application can be tested. This enables the tester to ensure that, for any given user role, that role cannot create, read, update or delete data in an unauthorised manner.
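The role-by-role check described above can be made systematic: enumerate every role against every create/read/update/delete operation and compare what the application actually allows with what the access policy says it should allow. The script below is an added illustration, not code from the article or from Trustwave; the toy in-memory service, its three roles, the expected policy and the deliberately switchable missing check on delete are all constructed for the example.

```python
"""Role x operation authorisation check for a web application's CRUD handlers.

Added illustration; the service, roles and policy are constructed, not taken
from any real application or from the article.
"""
from dataclasses import dataclass, field
from itertools import product

ROLES = ("admin", "editor", "viewer")
OPERATIONS = ("create", "read", "update", "delete")

# Intended policy (constructed): what each role SHOULD be allowed to do.
EXPECTED_POLICY = {
    "admin": {"create", "read", "update", "delete"},
    "editor": {"create", "read", "update"},
    "viewer": {"read"},
}


class Forbidden(Exception):
    """Raised by the service when a role is not permitted an operation."""


@dataclass
class RecordService:
    """Toy in-memory service standing in for the application under test."""
    enforce_delete: bool = True          # toggles the constructed authz bug
    records: dict = field(default_factory=dict)
    _next_id: int = 1

    def _require(self, role, operation):
        if operation not in EXPECTED_POLICY.get(role, set()):
            raise Forbidden(f"{role} may not {operation}")

    def create(self, role, data):
        self._require(role, "create")
        rid = self._next_id
        self._next_id += 1
        self.records[rid] = data
        return rid

    def read(self, role, rid):
        self._require(role, "read")
        return self.records[rid]

    def update(self, role, rid, data):
        self._require(role, "update")
        self.records[rid] = data

    def delete(self, role, rid):
        # Constructed defect: with enforce_delete=False the handler forgets
        # the authorisation check, a classic broken-access-control bug.
        if self.enforce_delete:
            self._require(role, "delete")
        del self.records[rid]


def probe(service, role, operation):
    """Attempt one operation as one role; return True if it succeeded."""
    rid = service.create("admin", {"owner": "seed"})   # seed a record as admin
    try:
        if operation == "create":
            service.create(role, {"owner": role})
        elif operation == "read":
            service.read(role, rid)
        elif operation == "update":
            service.update(role, rid, {"owner": role})
        elif operation == "delete":
            service.delete(role, rid)
        return True
    except Forbidden:
        return False


def authz_gaps(service):
    """Enumerate every role x operation pair and return those where the
    observed outcome disagrees with EXPECTED_POLICY.

    Each gap is a tuple (role, operation, expected_allowed, observed_allowed).
    """
    gaps = []
    for role, op in product(ROLES, OPERATIONS):
        expected = op in EXPECTED_POLICY[role]
        observed = probe(service, role, op)
        if expected != observed:
            gaps.append((role, op, expected, observed))
    return gaps


if __name__ == "__main__":
    print("correct service:", authz_gaps(RecordService()))
    print("flawed service: ", authz_gaps(RecordService(enforce_delete=False)))
```

Against a real application the `probe` function would issue HTTP requests with each role's session rather than call methods directly, but the shape of the check is the same: the expected policy is written down first, and every disagreement between policy and observed behaviour is a finding, whether it is a role that can do too much or a role that is unexpectedly blocked.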
Most organisations have numerous web-based applications, not just the corporate website, and each is a potential entry point for attackers. Our recently published global security report, which drew on results from 2,000 manual pen tests globally, revealed that 'SQL injection' and 'business logic' flaws are the most common web-based vulnerabilities we identify.
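To make the first of those two classes concrete, here is a minimal SQL injection case beside its fix. This is an added example, not code from the article or from the report it cites; the users table, its two rows and the lookup functions are constructed for the illustration. The vulnerable version builds the query by string concatenation, so the input changes the SQL; the hardened version binds the input as a parameter, so the same input is treated purely as data.

```python
"""SQL injection: a string-built query beside its parameterised fix.

Added illustration; the schema, rows and functions are constructed and are
not taken from any real application or from the article.
"""
import sqlite3


def make_db():
    """In-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by concatenation; the input is interpreted as SQL."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Same query with a bound parameter; the input is only ever data."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed test input: a tautology that widens the WHERE clause when it
# is spliced into the SQL text rather than bound as a value.
TAUTOLOGY = "x' OR '1'='1"


def compare(conn, username):
    """Return (rows from the vulnerable lookup, rows from the safe lookup)."""
    return lookup_vulnerable(conn, username), lookup_safe(conn, username)


def is_injectable(conn, lookup):
    """Differential check used in testing: a lookup is flagged as injectable
    if the tautology input returns more rows than a username that does not
    exist. Returns True for lookup_vulnerable and False for lookup_safe."""
    baseline = lookup(conn, "no-such-user")
    probe = lookup(conn, TAUTOLOGY)
    return len(probe) > len(baseline)


if __name__ == "__main__":
    db = make_db()
    print(compare(db, "alice"))
    print(compare(db, TAUTOLOGY))
    print("vulnerable:", is_injectable(db, lookup_vulnerable))
    print("safe:      ", is_injectable(db, lookup_safe))
```

The `is_injectable` helper is the kind of differential check a tester or a CI job can run: it does not need to know the schema, only that a non-existent username should never return more rows than an obviously non-existent one. The fix is the parameterised query, not input filtering; every database driver that a web application is likely to use offers the equivalent of the `?` placeholder.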
Choosing a pen tester
Clearly, choosing a trusted partner to conduct pen testing is itself a sensitive matter, and the field of professional penetration testing is still relatively new and somewhat unregulated. For example, it lacks a central governing body on professional standards compared with more established professions, such as financial auditing.
Some accreditations do exist, such as those offered by CREST (Council of Registered Ethical Security Testers), but it is a chiefly UK-centric accreditation at both company and individual level.
Given the relatively low barrier to entry for organisations claiming to be expert penetration testers, reputation and industry standing are of the utmost importance when selecting a provider. While there are many high-calibre individuals working for boutique security consultancies, organisations should seek well-established penetration testing providers with well-documented methodologies, careful recruitment policies, established references and a track record of delivering the full spectrum of advanced technical security services.
By incorporating pen testing as part of a much wider information security strategy, organisations can validate the robustness of their security controls and identify as yet unknown risks to their business. The results of a pen test and the guidance provided help organisations to better protect sensitive data from falling into the wrong hands.
John Yeo is a director of Trustwave SpiderLabs EMEA