What is a Penetration Test?
Do you know if the security controls you have invested into are working? Have you got assurance that your systems, firewalls or even cameras, locks and doors are secure?
With serious fines and possible custodial sentences affecting businesses and board members, the pen test provides a layer of assurance and evidence of due care in the security measures and controls within your organisation.
A penetration test is a live test that provides actual evidence of how controls work. Controls that do not quite deliver what you expect are a common finding, which leaves table-top and other scenario exercises looking somewhat inefficient by comparison.
Knowing this tells you the return on your investment and confirms that controls are sufficient and, most importantly, matched to your risk and threat needs, rather than a spending exercise for the sake of having security controls.
The penetration test simulates the actions of an external and/or internal physical or cyber attacker that aims to breach the information security of the organization. Using tools and techniques, the penetration tester (ethical hacker) or physical pen tester attempts to exploit physical controls or critical systems and gain access to sensitive data.
How does it work?
The Penetration test conducted will typically follow these steps:
- Determination of scope for the test
- Targeted information gathering or reconnaissance
- Exploit vulnerabilities or weakness for access and escalation
- Sensitive data collection or back door access
- Clean up and final reporting
This test is conducted at the physical site, or from a network/internet perspective, generally without the local members of staff, IT or security being aware. The objective is to evidence whether the systems can be breached through social engineering, physical means or logical IT means.
The outcome of the pen test is a report based on the findings, highlighting where any specific breach was successful and providing evidence accordingly.
This report will detail to the organization the methods used to gain access and recommendations on securing the facility or information system.
What are the types of tests?
The test can be conducted under 2 categories:
Black Hat test (lights off, no knowledge)
This test is the most resource intensive as the client typically provides absolutely no information, and therefore the research and intelligence phase takes longer. This test, however, provides the closest simulation of an attack from an outsider.
Grey Hat test (Partial knowledge)
This test is typically conducted in a way where the client organisation provides our security services with some of the information that allows for immediate testing of systems, but without the client's internal department being tested having any prior knowledge of the actual test being conducted.
This test is the most commonly implemented, as the results are quicker, the costs are lower and the internal department/site is still tested with no knowledge.
White Hat test (lights on, full knowledge)
This test is conducted with the client organisation and the tested sites/departments having full sight and knowledge of the test being conducted. This test is generally used when a department sanctions a specific test on a specific system purely to evidence security weakness for that specific need. This test is also commonly used to assess insider threat.
Blue Hat test (3rd party test)
The Blue Hat test is used when we work directly with the client security department(s) in order to test together the security of a third-party security services provider. This is typically a test of the capability, forensics, detection and response of services, process, people or technology.
Penetration test threat-level approach
Not every organisation is concerned with ‘mission impossible’ style security. The pen test is executed based on the agreed level of threat. This ensures that unrealistic or unnecessary security controls are not invested in, which leads directly to an efficient, risk-based security control implementation and a far greater return on investment.
BIT Security focuses on 3 bands of security pen testing:
- Opportunistic low-level criminals – looking for open doors/windows and basic-level cyber-attacks, such as port scanning and phishing emails. *Requires no pre-planning.
- Mild corporate espionage or determined criminal – utilising covert methods of entry, such as lock picking to gain entry, a basic level of target site surveillance and mid-level targeted cyber-attacks like spear phishing and SQL injection.
- Advanced Persistent Threat (APT): high-level criminal, state-sponsored and privately sponsored corporate espionage – a mixed team of highly experienced cyber and physical security personnel using advanced tactics to gain access to selected critical assets. The background of our personnel comes from UK Special Forces and intelligence services.
What Happens after the test?
Once the test is complete, a full report is compiled detailing all the events of the test. Remediation recommendations are also given as part of the report.
A report summary is also delivered to the board in a presentation.
How much does it cost?
A Penetration test is a highly bespoke service and there are many variables that affect the overall cost of a penetration test. The cost of the selected type of penetration test is determined in the initial consultation and then put into a proposal for client consideration.
To learn more about our penetration testing services and how they can help your organisation's security, call us today.