What is Penetration Testing and How do we do it at Computer One?
What is Penetration Testing?
Penetration testing is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit.
Penetration testing – or pen testing – can be performed with automated software or conducted manually.
Although the main objective of penetration testing is to identify security weaknesses, it can be used to test your organisation’s security policy, your compliance with mandated protocols, employees’ general security awareness, and the IT department’s ability to identify and respond to security incidents.
At the end of the test, a comprehensive report detailing the methods of attack and the findings is presented to management in both written form and a workshop.
If detected, serious vulnerabilities are added to the organisation’s Risk Register and a Remediation Plan is proposed that addresses the risks in order of priority.
It’s important to note that under our definition, Penetration Testing does not include Red and Blue Team testing, which refers to an authorised but adversarial exercise between an offensive Red Team and a defensive Blue Team of IT security experts, where the respective objectives are to rigorously exploit and defend just about any vulnerability in your system. Also known as Red Teaming, this approach bypasses traditional pen testing boundaries and escalates breaches or infections without a fixed limit, so that they may end up compromising employees and other systems through human-focused exploit techniques.
Given its nature, Red Teaming could easily stray into questionable ethical and legal grey zones not only when it comes to personal data privacy laws and highly classified corporate data/IP; but also when it comes to its favoured tactics such as social engineering – which involves actively manipulating people into taking certain detrimental actions.
In conducting a penetration test, we stay at arm’s length from your employees and instead concentrate only on system weaknesses. To form a comprehensive assessment of your security posture, however, we do include phishing attempts as part of the methodology in a manual test.
How does Computer One conduct penetration testing?
Broadly speaking, we deliver two types of pen test: 1) Automated – where we scan a network for known vulnerabilities and analyse how they might be chained together to execute a successful exploit; and, 2) Manual – where we take the automated scan and attempt to attack the network from inside or outside the organisation. (‘Outside the network’ simulates a motivated external party such as malicious hackers, while ‘inside the network’ simulates a disgruntled employee).
Each penetration test begins with a clearly defined scope that specifies the networks, systems and locations we will test, and the methods that we will use. Limiting the scope of the test helps focus attackers and defenders on the specific systems the organisation controls. At the end of the test, Computer One provides a comprehensive report that details each identified vulnerability and the most effective set of countermeasures your company can adopt moving forward.
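The scope definition described above is only useful if the testing team enforces it mechanically rather than by memory. The following is an added example (not Computer One’s tooling or methodology) of a fail-closed scope gate: it reads an agreed rules-of-engagement record, here a constructed dictionary with made-up networks, domains, exclusions and a test window, and refuses any target that is not explicitly authorised, is carved out by the client, or falls outside the agreed dates. The field names and sample values are assumptions for illustration.

```python
"""Fail-closed scope gate for a penetration test (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Set, Tuple

# Constructed rules-of-engagement record; field names are an assumption for this example.
# 203.0.113.0/24 is the documentation range TEST-NET-3, 10.10.0.0/16 is private space.
CONSTRUCTED_SCOPE = {
    "networks": ["203.0.113.0/24", "10.10.0.0/16"],
    "domains": ["example.com"],
    "excluded_hosts": ["10.10.5.20", "payroll.example.com"],
    "window_start": "2024-03-04T00:00:00+00:00",
    "window_end": "2024-03-08T23:59:59+00:00",
}

# Fixed reference times so the checks are reproducible offline.
IN_WINDOW = datetime(2024, 3, 5, 12, 0, tzinfo=timezone.utc)
AFTER_WINDOW = datetime(2024, 3, 9, 9, 0, tzinfo=timezone.utc)


@dataclass
class Scope:
    networks: List[ipaddress._BaseNetwork]  # address ranges the client authorised
    domains: List[str]                      # hostnames / parent domains authorised
    excluded_hosts: Set[str]                # client carve-outs, never touched
    window_start: datetime
    window_end: datetime


def parse_scope(cfg: dict) -> Scope:
    """Normalise the agreed scope: lower-case names, parsed networks and dates."""
    return Scope(
        networks=[ipaddress.ip_network(n, strict=False) for n in cfg["networks"]],
        domains=[d.lower().strip(".") for d in cfg["domains"]],
        excluded_hosts={h.lower() for h in cfg.get("excluded_hosts", [])},
        window_start=datetime.fromisoformat(cfg["window_start"]),
        window_end=datetime.fromisoformat(cfg["window_end"]),
    )


def check_target(target: str, scope: Scope, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not positively matched is refused."""
    t = target.strip().lower().rstrip(".")
    if not (scope.window_start <= now <= scope.window_end):
        return False, "outside agreed testing window"
    if t in scope.excluded_hosts:
        return False, "explicitly excluded by client"
    try:
        addr = ipaddress.ip_address(t)
    except ValueError:
        addr = None
    if addr is not None:
        if any(addr in net for net in scope.networks):
            return True, "address within authorised network"
        return False, "address not in any authorised network"
    # Hostname: must equal an authorised domain or be a real subdomain of one.
    # endswith("." + d) prevents look-alikes such as example.com.evil.net.
    for d in scope.domains:
        if t == d or t.endswith("." + d):
            return True, "host under authorised domain " + d
    return False, "host not under any authorised domain"


def triage(targets: List[str], cfg: dict, now: datetime) -> Tuple[List[str], List[str]]:
    """Split a candidate target list into (allowed, refused-with-reason)."""
    scope = parse_scope(cfg)
    allowed, refused = [], []
    for tgt in targets:
        ok, why = check_target(tgt, scope, now)
        (allowed if ok else refused).append(tgt if ok else f"{tgt}: {why}")
    return allowed, refused


if __name__ == "__main__":
    candidates = ["203.0.113.7", "198.51.100.9", "10.10.5.20",
                  "www.example.com", "example.com.evil.net", "payroll.example.com"]
    ok, bad = triage(candidates, CONSTRUCTED_SCOPE, IN_WINDOW)
    print("allowed:", ok)
    print("refused:", bad)
```

The gate sits in front of any scanning or testing step so that a typo in a target list, a look-alike domain, or a test run after the agreed window is refused before anything is sent on the wire; refusals carry a reason so the report can show the client what was deliberately left alone.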
Computer One’s penetration test strategies
Here is a list of the penetration test strategies used by Computer One:
- Targeted testing is performed by your IT team and our penetration testing team working in partnership. It’s also referred to as the “lights turned on” approach because everyone has visibility into the test being carried out.
- External testing targets your externally visible servers or devices, including domain name servers, email servers, web servers and firewalls. The objective is to find out whether an outside attacker can get in and how far they can get once they’ve gained access. We perform this kind of test either with system knowledge supplied by your IT team, or blind, where our team is given only the name of your company and no prior knowledge. Because this type of test can require a considerable amount of time for reconnaissance, it can be expensive.
- Internal testing mimics an inside attack behind the firewall by an authorised user with standard access privileges. This kind of test is useful for estimating how much damage a disgruntled employee could cause.
- Double-blind testing takes the blind test and extends it inside the organisation. In this type of pen test, only one or two people within your organisation might be aware a test is being conducted. Double-blind tests can be useful for testing a company’s security monitoring and response procedures but must be carefully controlled so that the test doesn’t get out of hand!
By using each of these different strategies, our pen testers focus on separate elements of the security apparatus. Experienced IT security providers like Computer One can simulate the techniques and tools used by malicious entities while ensuring that 1) no legal boundaries are breached; and 2) no damage is caused. Depending on the strategy executed, Computer One security experts can detect:
- Flaws or vulnerabilities in the hardware and software comprising your network
- Your staff’s susceptibility to phishing and other attacks that exploit human weaknesses
- Inappropriate or inadequate system configurations
- Operational weaknesses when it comes to the processes your business implements
- Inadequate IT security solutions and data protection measures
Real-world examples and types of penetration tests
We have conducted countless pen tests for different clients across industries, helping organisations strengthen their security posture by revealing chinks in their armour – which cyber criminals would be more than willing to exploit. Some of the vulnerabilities we have exposed for clients can be as simple as the extensive use of single-factor authentication, a very old security practice that has long been superseded by stronger measures (such as multifactor authentication and single sign-on).
Such findings underline the importance of having an external entity to test your company’s security infrastructure regularly – simply because like humans, organisations can’t see their own weaknesses very well.
Penetration tests can be conducted separately on different components of your information system including:
- Networks – Testers will attempt to breach your IT network either as external threat actors or malicious insiders.
- Web Applications – Pen testers will focus on finding vulnerabilities in the coding, design, and other elements of online applications your company creates or uses.
- Wireless Connections – Security experts will probe your WiFi service for vulnerabilities and probe your wireless environment (including connected IoT devices) for weak encryption algorithms, rogue access points, and other weaknesses.
- Human Element (Staff) – Pen testers will use social engineering techniques such as different forms of phishing to assess the susceptibility of your staff to malicious activities that exploit human vectors such as email scams.
- Physical Structures – Tests can be conducted to assess the effectiveness of physical security measures such as gates and doorways, locks, security guards/officers, ID readers, biometric scanners, cameras, and physical security protocols.
Who needs penetration testing?
Cybercrime can affect any entity that uses an online device. In fact, countless individuals have been victimised by email scams, while businesses both big and small have been held hostage by ransomware and other forms of cyber attack.
The threat environment won’t mellow any time soon. On the contrary, virtually all studies on the subject expect the opposite: cybercrime will continue to surge in the foreseeable future.
Cyber criminals are just waiting for the perfect moment to breach your network and get hold of the things you value. The steep cost of a single data breach more than justifies any amount you allocate for pen tests.
Any organisation that seeks to protect its people, operations, data, and brand from such attacks needs regular penetration testing. Regular pen testing is already mandated in some industries and is considered best practice and an essential investment for the rest.
If your business has yet to have one, then you’re operating with a serious handicap. Even the best in-house IT team needs external help in finding and remediating security flaws in its IT systems. Pen tests provide an objective assessment of your security posture and tell you how to better secure all your assets.
How much does penetration testing cost?
Each project is tailored to the organisation being tested. As a general guide, however, an Automated test with comprehensive analysis of the results and a detailed list of security recommendations will cost between $5,000 and $15,000.
A Manual test where a Computer One team tries to use the information gathered about your organisation to infiltrate your network will cost between $10,000 and $20,000. This is the most comprehensive test you can undergo apart from the real thing as our team will think and act like attackers on your network – without doing any damage, of course.
How often should you perform penetration testing?
Ideally, your organisation should perform penetration testing at least once a year. Why? Because your network’s attack surface inevitably changes over time. New attack methods and variants of malware are added to the attackers’ arsenal; new systems with potential vulnerabilities might have been integrated into your network that are not sufficiently covered by your existing security infrastructure; and new, untrained staff are exposed to the next wave of potential attacks.
Allowing your network to remain untested for more than 12 months means relying on IT security solutions and protective measures that might already be deprecated (i.e., tolerated but not recommended by current standards because a better solution has emerged or because more powerful threat variants have been spawned by cybercriminals). Worse, some of the protective measures your network relies on might have already become obsolete (i.e., totally useless but still incurring business costs) by the time they are next tested. The worst scenario unfolds when the entity testing your systems has bad intentions instead of helping your organisation beef up its defences.
Simply put, regular pen testing is best practice for most businesses and legally mandated in some industries. Moreover, you can (and should) request one when your company –
- adds new network infrastructure or applications;
- makes significant upgrades or modifications to its applications or infrastructure;
- establishes offices in new locations; or,
- modifies end-user policies.
Why is Penetration Testing important?
If you’ve never had a penetration test before, then you are flying somewhat blind, unaware of the potential holes in your network that could let an attacker steal secrets or compromise assets. Even just the reputational damage caused by having to issue a mandated breach notice to your staff or clients can far outweigh the cost of the test process and potential remediation activity. And when you do consider the compounded average cost of a data breach, you’ll come to realise why an increasing number of businesses consider regular penetration testing a smart investment.
If you have had a pen test in the past, then subsequent tests serve as a kind of insurance policy, confirming that no new gaps have opened up and that previously identified gaps have been closed off. Each new pen test extends the confidence you can have in the security of all the data your company uses and keeps.
What security holes might a penetration test uncover in your network?
- Penetration testing rigorously probes your computer system or IT network to find security gaps that an attacker could exploit. Pen tests help you close those gaps and reinforce your company’s defences against cybercrime.
- In the current threat landscape, virtually every business that uses online computers needs regular penetration testing to curb the likelihood of a very costly data breach.
- Computer One’s IT security consultants are some of the best in the business. They’ll be happy to help.