Cybersecurity threats and the daily cyber attacks in the news are pushing executives to continuously ensure that their networks and systems are secured against criminals. Every week, reports of new breaches go viral, putting consumers at risk as their personal information is stolen. Securing an organization with policies and technical controls is critical; however, unless those controls and policies are tested, the organization cannot determine how effective its security program actually is. Penetration testing is an essential component for demonstrating the effectiveness of an organization's information security program.
What is a penetration test (pen test)?
Penetration testing, or pen testing, is a series of tests carried out by specialized testers who attempt to penetrate a company’s systems in order to find vulnerabilities that could be exploited, internally or externally, by criminals and other bad actors. Penetration testing is mandated by regulators in some industries, such as financial services, health care, and access to government systems, while it is optional for many others. In a world of continuously evolving threats, penetration testing is an essential information security practice and should be included in an organization's governance framework. Penetration testing can be performed by internal testing teams or by third-party consulting companies.
External Pen Testing
External penetration testing is a practice that assesses an organization's externally facing assets. During an external penetration test, the assessor attempts to gain entry into the internal network by leveraging vulnerabilities discovered on the external assets. Alternatively, the tester may attempt to gain access to privileged data through external-facing assets such as email, websites, and file shares. During the test, the tester performs reconnaissance on the in-scope assets, gathering intelligence such as open ports, vulnerabilities, and general information about the organization’s users that can be used for password attacks. Once the perimeter is successfully breached, the objectives of the external penetration test have been achieved, and the tester moves on to the internal penetration test.
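The reconnaissance phase described above starts from the open ports on the in-scope external assets, so a defender's first check is whether anything is exposed that the organization has not explicitly approved. The following script is an added example, not code from the original article or from RedLegg: it parses scan results in a simplified form of nmap's grepable (-oG) output and reports every open port that is absent from an approved-exposure baseline. The scan lines, hosts, and baseline are constructed for illustration.

```python
"""Compare externally observed open ports against an approved-exposure baseline.

Added example (not part of the original article). The scan text below is
constructed and modelled on nmap's grepable (-oG) output; the hosts, ports and
the APPROVED baseline are invented for illustration.
"""
import re
from collections import defaultdict

# Constructed sample scan output, one line per host, in nmap -oG style.
# Field layout per port entry: port/state/proto/owner/service/rpc/version/
SAMPLE_SCAN = """\
Host: 203.0.113.10 (www.example.test)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 22/open/tcp//ssh///
Host: 203.0.113.20 (mail.example.test)\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///, 445/filtered/tcp//microsoft-ds///
Host: 203.0.113.30 (files.example.test)\tPorts: 21/open/tcp//ftp///, 445/open/tcp//microsoft-ds///
"""

# Approved exposure baseline (constructed): the (proto, port) pairs each
# external host is allowed to expose. A host with no entry is allowed nothing,
# so every open port on it becomes a finding.
APPROVED = {
    "203.0.113.10": {("tcp", 80), ("tcp", 443)},
    "203.0.113.20": {("tcp", 25), ("tcp", 443)},
    "203.0.113.30": {("tcp", 443)},
}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")


def parse_grepable(text):
    """Return {ip: set of (proto, port)} for ports the scan reports as open."""
    found = defaultdict(set)
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment or header line, nothing to parse
        ip, _hostname, ports = m.groups()
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3:
                continue  # malformed entry; skip rather than guess
            port, state, proto = fields[0], fields[1], fields[2]
            if state == "open":
                found[ip].add((proto, int(port)))
    return dict(found)


def unexpected_exposure(scan_text, approved):
    """Map each host to the sorted list of open ports missing from its baseline.

    Hosts whose exposure matches the baseline exactly are omitted.
    """
    findings = {}
    for ip, ports in parse_grepable(scan_text).items():
        extra = ports - approved.get(ip, set())
        if extra:
            findings[ip] = sorted(extra)
    return findings


if __name__ == "__main__":
    for ip, extra in sorted(unexpected_exposure(SAMPLE_SCAN, APPROVED).items()):
        print(f"{ip}: unexpected open ports {extra}")
```

Ports reported as filtered are deliberately ignored, since the baseline concerns services that actually answer; on the constructed data the script flags SSH on the web host and both FTP and SMB on the file host, which is exactly the kind of exposure an external tester would enumerate first.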
Internal Pen Testing
Internal penetration testing continues the assessment by identifying how far an attacker can move laterally through the network once an external breach has occurred. During an internal penetration test, the tester either leverages the box exploited during the external penetration test or uses a testing box or laptop placed inside the network to conduct the assessment. Using a dedicated testing box or laptop is the preferred method, as it is usually a more stable testing path than running tools through the exploited external asset. Internal reconnaissance and attacks are launched from this initial beachhead. While a poorly secured domain controller may lead to total control of the network, most tests require multiple attack paths to achieve their objectives. This typically involves exploiting less important systems, then leveraging information found on them to attack more important systems in the network. Once domain admin access is achieved, or the tester can gain control over the organization’s most valuable information, the test is generally concluded.
Company policy validation
Penetration testing uncovers weaknesses in a company’s internal policy enforcement and in its ability to maintain secure systems. Company policy awareness, acceptance, and practice can be measured as KPIs to keep security teams apprised of current performance. Internal and external penetration testing can help discover flaws within the security program and validate adherence to policy. Both tests are critical to maintaining a well-secured network and should be performed a minimum of once per year.
The importance of both external and internal penetration testing to an enterprise cannot be overstated. Whether conducted by an internal team or a third-party company such as RedLegg, taking the time and putting in the effort to perform a test that identifies exploitable flaws within the network will pay long-term dividends to the organization's security posture. Ignoring this critical aspect of a healthy security program may, at best, leave the organization not knowing whether an attacker could successfully attack it and, at worst, fail to identify a flaw that leads to a breach. Company policy acceptance and enforcement, together with regular penetration testing, can help your organization stay on top of its game and keep attackers at bay.