What is the purpose of a penetration test?
The idea of penetration testing raises a lot of questions for organisations, and that is entirely reasonable. The testers are asking for permission to try to get past your network's security controls, and much of what they do is indistinguishable from a real cyber-attack.
Before agreeing to a simulated attack on your organisation's network infrastructure, it is important to understand its purpose. What will your IT team take away from it? What concerns must they address for the sake of long-term improvement?
There is no universal solution for all organisations. Penetration testing service providers like Privacy Ninja employ a number of techniques based on the organisation’s security requirements and goals.
What penetration testing is and does:
The common denominator is that penetration testing, also known as ethical hacking, identifies cyber security flaws by mimicking attempts to circumvent protections. If the test succeeds, a genuine attacker could exploit the same vulnerabilities. Pen testing may be conducted on a production system or on a system reserved for testing.
The tests may be automated, manual, or a hybrid of the two. Comprehensiveness and consistency are the advantages of automated tooling: it covers the known classes of weakness that are likely to appear in a given context, and its tests are reproducible, allowing progress to be measured and different installations to be compared. Manual testing lets testers follow their instincts. Every system is different, and testers may identify vulnerabilities that the standard suite does not cover, such as flaws in business logic.
Assessing your organisation’s cyber security requirements
The initial step is to evaluate the target. The testers will use any information provided by the client and may conduct their own reconnaissance. They will then agree an approach with the client, such as selecting a suitable test suite or developing bespoke tests that target anticipated flaws, and fix the scope and rules of engagement.
Armed with this preparation, they will attempt to breach the target systems. In rare instances, with the client's agreement, this may include a physical attempt to enter the premises. The testers avoid causing actual damage to the target systems, and they safeguard any confidential data they expose at least as carefully as the client would. Other than hurt egos, skilled, honest testers rarely cause damage.
Customizing penetration testing for your business
The ultimate objective is to identify and eliminate security vulnerabilities in your organisation. To tailor the test to your circumstances, you must answer the following assessment questions.
- Which types of threat cause you the most concern?
- Are there special compliance requirements based on the work you perform and the data you manage?
- What degree of data protection do you require?
- What risks are inherent to the nature of your business?
Determining your organisation’s cyber security objectives
After evaluating your needs, you may translate them into goals. You might be concerned primarily with evaluating your technical defenses, such as web application firewalls (WAFs).
There may be a specific web application you wish to evaluate. You may wish to ensure that a given type of information (such as HIPAA-protected health information) is adequately protected. The human element may be the most crucial, and you may need to observe how individuals react to phishing and other scams.
Each aim calls for its own testing scenario, with its own methodology and scope. Here are some possible cases:
- Objective: Determine whether your external controls adequately mitigate risk and keep out bad actors. Method: Tailor attacks to the weaknesses of the specific controls in place.
- Objective: Evaluate your complete attack surface and find any vulnerabilities in externally facing systems, and establish whether your internal systems remain secure even if an attacker gets past the firewall. Method: Target flaws that are prevalent in the exposed services and in desktop and mobile devices. This may require granting the testers a foothold behind the firewall, an assumed-breach scenario.
- Objective: Evaluate the judgment of users in their responses to fraudulent emails and other forms of communication. This is a test of individuals, not technology. Method: Send customised phishing messages, make pretext phone calls, and possibly attempt in-person visits to get past physical controls.
- Objective: Evaluate the effectiveness of the security policy to see whether its specified measures create an effective defence when followed. Method: Examine the security policy, search for gaps, and design tactics to exploit them.
The main objective of a penetration test
The ultimate objective is to pinpoint security flaws in a network, system, or piece of software. Once identified, system or software administrators can remove or mitigate the vulnerabilities before hostile parties discover them.
“Security” is not restricted to the resistance of equipment and software to penetration attempts. Additional aspects include:
- The effectiveness of the organisation's security policy. The policy itself may contain gaps that attackers can exploit even when employees follow the rules. In other cases, employees may not understand the policy adequately. You may discover that your company has to change its policy or improve its training programme.
- Compliance with regulatory standards. Regulations and standards such as HIPAA and PCI DSS require specific kinds of safeguards. Infractions may result in hefty fines or the loss of business privileges and opportunities. A penetration test can help determine whether the required protections are in place and functioning properly.
- Employee security awareness. Some tests examine employee responses to phishing and social engineering. They can demonstrate the effectiveness of training and identify employees who need extra reminders. The tests may also reveal areas that the training did not cover.
- Incident response efficacy. Even in well-protected workplaces, security incidents will occur. It is essential to evaluate how successfully IT and security employees react to them. This strategy is most effective when those handling the situation do not know whether it is a test or an actual attack.
Reporting pen testing results
The client report is an integral aspect of the procedure. A skilled penetration tester will describe the testing methodology employed, the vulnerabilities discovered, and their severity. The report will allow you to prioritize the issues and address the most obvious ones first.
After corrective action, the examinations might be repeated. Organisations will be able to determine how much progress was made and whether any new security vulnerabilities were established.
The remedies will typically consist of hardening configurations, training staff, patching (or replacing, where no longer supported) operating systems and application software, and fixing the reported issues. Testing should be performed periodically to gauge the progress made in securing systems.
Case study 1: Audio House and the need for periodic security reviews
In one of the PDPC's published incidents and undertakings, Audio House notified the PDPC that its customer database had been subjected to a ransomware attack. The contact information of approximately 98,000 individuals, consisting of names, addresses, email addresses, and telephone numbers, was affected.
The investigation found that the PHP files used to build a web application on the organisation's website contained vulnerabilities that allowed a malicious actor to carry out an SQL injection attack. Audio House was ordered to pay a financial penalty of S$10,000.
What we can take from this case is the importance of conducting periodic security reviews. These would include vulnerability scanning and assessments, which allow the organisation to detect vulnerabilities that were missed during pre-launch testing or that have arisen since.
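To make the Audio House finding concrete, here is an added example written for this page; it is not code from Audio House's website or from the PDPC decision. It uses Python with an in-memory SQLite database rather than PHP and MySQL, but the vulnerable pattern and its fix are the same in both: a query assembled by pasting user input into the SQL text, beside the parameterised form that closes the hole, plus the kind of black-box probe a periodic vulnerability scan sends to tell the two apart. The table, the three customer rows and the function names are constructed for illustration.

```python
import sqlite3

# Constructed sample data for this example; these are not real customer records.
SAMPLE_CUSTOMERS = [
    (1, "alice", "alice@example.com", "+65 0000 0001"),
    (2, "bob", "bob@example.com", "+65 0000 0002"),
    (3, "carol", "carol@example.com", "+65 0000 0003"),
]


def make_db():
    """In-memory SQLite stand-in for a web application's customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER, username TEXT, email TEXT, phone TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The injectable pattern: user input is interpolated into the SQL text,
    so quote characters in the input change the structure of the query."""
    sql = (
        "SELECT id, username, email, phone FROM customers "
        "WHERE username = '%s'" % username
    )
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """The fix: the value travels as a bound parameter and is never parsed
    as SQL, whatever characters it contains."""
    sql = "SELECT id, username, email, phone FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic tautology payload: closes the string literal, then ORs in a
# condition that is true for every row, so the WHERE clause matches everything.
TAUTOLOGY = "' OR '1'='1"


def is_injectable(conn, lookup):
    """Minimal black-box probe of the kind a vulnerability scanner sends.
    A username that matches no row should return nothing; if the same name
    with the tautology appended returns rows, the input is reaching the SQL
    parser and the endpoint is injectable."""
    baseline = lookup(conn, "no_such_user")
    probe = lookup(conn, "no_such_user" + TAUTOLOGY)
    return len(probe) > len(baseline)


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable lookup, rows leaked by payload:", len(lookup_vulnerable(conn, TAUTOLOGY)))
    print("parameterised lookup, rows returned for payload:", len(lookup_parameterised(conn, TAUTOLOGY)))
    print("scanner verdict (vulnerable):", is_injectable(conn, lookup_vulnerable))
    print("scanner verdict (parameterised):", is_injectable(conn, lookup_parameterised))
```

Against the vulnerable lookup the payload dumps the whole table, which is exactly the contact-data exposure the case describes; against the parameterised lookup it returns nothing, and the probe reports the endpoint as clean. Two caveats: the probe only detects the simplest case (a blind or error-based injection needs timing or error-message checks), and sqlite3's execute() refuses stacked statements, so this example shows data extraction rather than a `'; DROP TABLE ...` attack; that is a property of the driver, not a defence.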
Case study 2: Quoine’s breach of the Data Protection Obligations
Quoine's case points in the same direction. On November 17, 2020, the organisation informed the PDPC that its domain manager had transferred control of its domain hosting account to an external actor, who then accessed and exfiltrated the personal data of 652,564 of its customers. The PDPC also received a complaint from an individual believed to have been affected by the incident.
The investigation revealed that Quoine had contracted a third-party domain provider to register and host the organisation's domain. Social engineering attacks on the domain provider's staff led them to mistakenly hand over control of the organisation's domain hosting account to the external actor.
This gave the external actor access to the organisation's cloud platform, which held API keys and tokens for the organisation's cloud-hosted database and for a separate cloud storage database. With those credentials, the external actor could reach the databases and exfiltrate the personal data stored there. The organisation was ordered to pay a financial penalty of S$67,000 for the incident.
What we can take from this case is the importance of periodic security reviews to ensure that the organisation's websites collecting personal data and the electronic databases storing it have "reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks", and to detect vulnerabilities and assess their security implications. The review should cover the third parties and accounts the organisation depends on, not only its own servers: control of the domain account was enough to reach long-lived API keys and tokens, and with them the databases.