The Dos and Don’ts of Penetration Testing
The BBC recently had a server hacked by a Russian cybercriminal, who attempted to sell access to it on the black market. The FTP server is connected to most other servers on any given network, as it facilitates the transfer of internal files - if someone gains access to it they are free to roam your entire network. The exploitation of internal files is obviously a huge risk for any organisation, not least the BBC, and this security faux pas is a solid example of why penetration testing is crucial.
Penetration testing replicates the actions of a potential hacker: finding and exploiting vulnerabilities in an organisation's security practices, be they internal or external, before any real damage can be done to the business. Pen testers look for security weak spots in the business, both human and physical, and instead of just reporting on these weaknesses they dig deeper into the system to identify further potential flaws, before a malicious hacker gets there first.
Most organisations have a set of security procedures in place, but without testing there is no way of knowing how effective they really are at protecting against attack. Compliance is increasingly important when using cloud services, with many customers now requiring certain security accreditations from their service providers in order to go some way in proving their credibility. Penetration testing is a reliable way to test and validate a company's security best practices.
But it shouldn't just be a matter of simply ticking the compliance box. Just because on paper you meet compliance requirements, this doesn't always equate to a watertight environment. All too often, testing is carried out in response to a security breach, but in reality it should be a preventative measure, and carried out on a regular basis. Some people think of pen testing like their annual medical physical with the doctor. Even if you appear to be the picture of health, your doctor runs some tests to identify any underlying health problems that aren't showing symptoms yet.
To get the most out of your testing, and prevent data loss through malicious attacks or human error, you need to act on your results. Once you have devised an action plan to counteract any weak spots you've identified, this plan should be communicated throughout the business – you can't expect your team to change the ways in which they work if they're not aware of how their behaviour affects the overall security of sensitive data.
Do your research before hiring an external penetration tester. Ask questions about their preferred methodologies, experience and qualifications – not every tester will be suited to your needs. Consider the pros and cons of white-box versus black-box testing. White-box testing involves a lot of communication between you and the tester, and requires you to share information before the process begins. This tends to speed up the end results slightly and may be suited to tight deadlines. Be aware, though, that trying to speed up the process may cause the tester to miss potential risks in their haste, meaning your analysis isn't as thorough as it could be.
Finally, you wouldn't go to an unqualified doctor for your physical, so don't trust an unqualified pen tester with your data. Make sure they are certified to the appropriate standards - ISO 27001, PCI-DSS and CoCo are all good indicators of a reliable organisation, as each requires regular audits.