Penetration Testing
“Penetration Testing” and “Red Teaming” are often used interchangeably, which is inaccurate.
Penetration Testing involves viewing a network, device, application, or physical security from the perspective of a bad actor. The goal is to discover cybersecurity vulnerabilities.
What is Penetration Testing?
Penetration Testing or “pen test” is an emulation of what a bad actor could do when targeting an organization. Its goal is to find vulnerabilities affecting assets and find out how to leverage those to breach perimeters, obtain sensitive data, take over hosts, or cause damage.
A good penetration tester can determine:
- Areas a hacker may target
- How they would attack a target
- How the target’s security would hold up
- The scope of a possible breach
The depth of testing can vary, from resilience against low-skill “script kiddies” to professional nation-state-level attackers. The scope can be adjusted to meet the organization’s needs.
Types of Penetration Test Assessments
External Pen Test
Targets external assets from the public internet – a real-world attack assessment.
Internal Pen Test
Targets internal assets from inside the organization. This emulates what would happen if a malicious agent (malware, disgruntled employee, etc.) got inside the network. It explores scenarios such as successful phishing attacks and malicious physical media like a found USB drive that could introduce malware.
Web Application Pen Test
In-depth testing of web application(s): functionality is examined for vulnerabilities ranging from the typical ones (XSS, SQLi, CSRF) to the more complex code/logic abuse that groups frequently miss.
Web application tests can be performed either authenticated or unauthenticated. Generally, we recommend both.
Applications are also evaluated against frameworks such as the OWASP Top 10, which inventories common attacks on known libraries or CMS platforms, e.g. WordPress, Joomla, and Drupal.
Mobile Pen Test
This is the same scope as the Web Application Pen Test, but for native mobile applications that may rely on extensive API-accessible web services.
SCADA Pen Test
SCADA is a purpose-built control system for factories, power plants, utilities (such as municipal water systems), or facilities that require some level of orchestrated automation in processes and data acquisition. The systems can be complex and networked, but also may not benefit from frequent updating or security-oriented maintenance.
IoT and Hardware Pen Test
This is a test of the entire IoT ecosystem in place, including web applications, mobile applications, hardware, firmware, wireless communications (Wi-Fi, Bluetooth, Zigbee), and their interactions. Exploits can often be a clever usage of two or more of these elements.
Penetration Testing Assessment Benefits
Why should you run Pen Test assessments?
Penetration Testing is an integral part of any security program. It’s still prudent to consider the benefits it may provide, and there are many. Here are a few:
- Allows prioritizing vulnerabilities
- Allows mitigating vulnerabilities
- Reveals strengths of the network
- Identifies controls that should be implemented
- Allows enforcement of security plan
- Identifies internal processes that are weak
- Improves overall security position
- Helps ensure teams are well-trained on detecting and responding to threats
The key takeaway is that these assessments evaluate readiness to prevent and respond to cyber threats.
Which Organizations are Required to Perform Penetration Testing Assessments?
Many industries require organizations to conduct penetration testing to maintain compliance. For example:
- health organizations
- financial institutions
- businesses accepting or processing debit/credit card payments
- infrastructure sector businesses under NERC guidelines
Threat Hunt
After a penetration test, an organization will often move on to a Threat Hunt assessment as a Phase 2 activity. While Pen Testing is often for compliance, a threat hunt assessment provides assurance and peace of mind.
The practice of proactively looking for threats which may be hiding undetected on a network is known as a Threat Hunt assessment.
What are Threat Hunt Assessment Methodologies?
Conducting Threat Hunt assessments begins with the premise that adversaries are already present in the assets under review. Each assessment seeks out unusual activity that may indicate the presence of malicious actor(s). These investigations fall into a few categories:
- Hypothesis-Driven
- Indicators of Attack or Compromise (IoC)
- Advanced Analytics
Each of these combines threat intelligence with advanced tooling that proactively works to protect systems and data.
Threat Hunt Assessment Benefits
New threats continue to challenge business security teams. Each new occurrence comes with an increase in severity and cost. Offensive, proactive approaches are the newest strategy and are proving to be more effective.
Let’s look at some of the possible benefits of threat hunting:
- Uncover security events proactively
- Enhance threat response time
- Reduce threat investigation time
- Improve threat mitigation
- Reduce false positives and improve the efficiency of the SOC
- Reduce damage and risk to the organization
Who is NCI?
If you are looking for a proven IT service provider, Network Connections has all the solutions you're looking for. We offer your business managed IT services, mobile or remote workplace, Microsoft cloud services, managed cybersecurity, and hosted VoIP solutions.
NCI partners with novaSOC to provide Managed Cybersecurity and Penetration Testing Services. Contact us today, and find out how we can help your business.