Cybersecurity is a business concern that goes beyond investing in hardware and software. Relevant regulations and standards globally indicate in strong terms that leadership is accountable for cybersecurity. That is why discussions of cyber risks take place at the board level and should include applying the appropriate response to each identified risk – avoid, accept, mitigate or transfer – as well as reviewing the specific plans associated with each approach. In carrying out these reviews, a holistic approach covering people, processes and technology should be taken, to ensure that an effective cybersecurity strategy is adopted in the organization.
To identify the risks to be discussed at the strategic level, a cybersecurity risk assessment should be carried out periodically. There are three major types, namely:
- Cybersecurity audit
- Vulnerability assessment
- Penetration testing
While a cybersecurity audit evaluates and demonstrates compliance with some narrow, specific regulatory requirement, a vulnerability assessment evaluates the network, hardware, software, and processes against a list of known vulnerabilities and best practices. Penetration testing, on the other hand, is a simulated cyberattack against your computer system to check for exploitable vulnerabilities. The assessment involves attempting to breach any number of application systems (e.g., application programming interfaces (APIs), front-end and back-end servers) to uncover vulnerabilities, such as unsanitized inputs that are susceptible to code injection attacks.
This piece focuses on the fundamentals of penetration testing to make clear its importance in identifying cyber risks in your infrastructure and in satisfying some of the compliance requirements of security standards including ISO 27001, PCI DSS and SOC 2.
Many attacks against systems on the Internet target the application layer, because such attacks are easy to launch and applications are often poorly protected. Pen testing is the most efficient way of verifying the effectiveness of the security measures put in place to protect your infrastructure.
Pen Testing Stages
These steps are typically followed during pen tests:
- Planning and preparing
- Collecting and analyzing information
- Detecting vulnerabilities
- The actual attack against systems
- Reporting and analyzing vulnerabilities that were found
- Cleaning applications and systems
Pen Testing Methods
- Black box: Here, the tester simulates a real attack from outside based only on public information, with low aggression. It seeks to target the assets of a company that are visible on the internet, e.g., the web application, website, email and domain name servers (DNS). The goal is to gain access and extract valuable data.
- Grey box: Here, the pen tester has limited information from the client and obtains the rest from public sources. In this method, a tester is given only the name of the enterprise that is being targeted. This gives security personnel a real-time look into how an actual application assault would take place.
- White box: Here, the client provides inside information about the targeted systems and applications, or a copy of them in a controlled environment, so the tests can be more aggressive and every component can be reviewed whether or not it is publicly accessible. A tester with access to an application behind its firewall simulates an attack by a malicious insider. This is not necessarily a rogue employee; a common starting scenario is an employee whose credentials were stolen through a phishing attack.
- Double Blind: In a double-blind test, security personnel have no prior knowledge of the simulated attack. As in the real world, they won’t have any time to shore up their defences before an attempted breach.
- Targeted Testing: In this scenario, both the tester and security personnel work together and keep each other apprised of their movements. This is a valuable training exercise that provides a security team with real-time feedback from a hacker’s point of view.
In Conclusion
A one-time penetration test is not adequate to cover the security posture of the systems or network, because the business environment is dynamic – changes do occur. Some vulnerabilities could appear after updates, the installation of new software or reconfiguration of the system. This is the main reason that periodic pen tests and security audits, along with constant monitoring, are the most efficient means of enhancing the security posture of an organization.
However, audits, vulnerability assessments, and penetration tests are all designed to evaluate the strength or weakness of the software, hardware, processes, and channels over which valuable company information flows. While each server and network a company uses has a cost associated with it, that is the cost of the container, not the value of the information stored in it. In contrast, the value of the information itself is the value of client records or the value of a trade secret. This is where audits, vulnerability assessments and penetration tests fall short. Hence the need for a disaster recovery plan and a business continuity plan.