Cyber security reviews and the benefits MM-CS-CSR-01


INDEX
Introduction 03
Demystifying the subject 03
Why do it? 04
Things to get straight first 06
The Cons of a penetration test 07
Testing 08
Testing from all angles 09
Test types 10
5 Steps 11
A formula for planning and managing a Penetration test 13
Before you start! 14
Debunking Those Myths 14
Conclusion 15
Page 02 of 15

Introduction

Penetration testing is a subject which businesses find baffling; in turn they choose to neglect this important and crucial security factor, leaving their businesses vulnerable. This paper is designed to demystify Penetration Testing, elaborating on how it is used to identify what level of risk users face by testing and compromising servers to find potential weaknesses.

Demystifying the subject

Penetration testing allows businesses to isolate and manage cyber risk through a deliberate fusion of penetration testing and vulnerability management services. This process allows you to undertake a measured technical exercise that systematically analyses the security of your IT infrastructure and also of your employees. Through undertaking this exercise, you are able not only to avoid and react to cyber-attacks, but also to manage cyber risks without capping growth. Therefore, this exercise is executed to identify both weaknesses (also referred to as vulnerabilities), including the hypothetical means for unauthorised actors to gain access to the system's features and data, as well as strengths, enabling a full risk assessment to be completed.

When discussing penetration testing, the terminology white box / black box will be mentioned. When undertaking this exercise the target may be a white box (which provides background and system information) or a black box (which provides only basic or no information except the company name). A grey box penetration test is a combination of the two (where limited knowledge of the target is shared with the auditor).

Why do it?

Expose your weaknesses before real hackers do!

Unquestionably, the most valued characteristic of penetration testing is that it puts your cybersecurity through the same pressures as a genuine hacking attempt. Therefore, undertaking a controlled cybersecurity test on your system means that instead of learning through a costly real-life attack, the vulnerabilities can be put right before a hacker tries to get into your system's features and data.

It will help you comply with the GDPR regulations

It's important to note that the General Data Protection Regulation (GDPR) is a regulation that will affect any company that does business within the EU, so it is essential that you comply. One of the major aspects of the GDPR is to protect businesses from being hacked and losing personal data as a result of poor cybersecurity, with the possibility of incurring large penalties and fines. A penetration test will reveal your weaknesses and vulnerabilities; in turn you will be able to act on these gaps, ensuring that you are fully complying with the GDPR and other data protection or privacy regulations.

The building blocks of risk management

Any weaknesses identified by the penetration test which you did not previously know about should be given priority, followed by each remaining risk. Having these statistics to hand allows you to prioritise, budget and plan systematically within the management of your highlighted risks.

Taking control

As your business evolves, your IT infrastructure can become intricate and keeping it manageable may become a difficult task. Due to this escalation, your ability and expertise to ensure that your controls are sufficient may falter, and with it your security features. This is when outside support may be needed, as each test undertaken will reveal any interdependencies that have a direct or indirect impact on security.

Who says?

You've trained your staff, followed all the rules, guidance and procedures, and now you think the infrastructure of your business is secure. Who says? The only way to actually answer this question is to undertake a penetration test. By undertaking this process, you gain real-life proof that your security controls are working as anticipated and are up to standard.

No choice

Though compliance does not assure security, regulatory standards provide focus on what is needed to ensure your infrastructure is in a suitable overall state of security. There are an increasing number of legal and regulatory requirements, industry standards and best practices, such as PCI DSS, ISO 27001, FCA, HMG and CoCo, that all say you should or must have regular penetration tests.

Things to get straight first

1. Definitions

A Vulnerability Scan uses an automated tool to find known attacks against the software on your network. It delivers an automated report that shows specific devices with known vulnerabilities or configuration errors.

A Vulnerability Assessment is a manual process with interviews of your staff, reviews of documentation, and vulnerability scans. Vulnerability Assessments deliver a report showing your strengths and weaknesses from that process. Vulnerability Assessments, a.k.a. Security Assessments, can also be performed against a compliance framework or matrix, such as NIST 800-53 or NIST 800-171.

Penetration Testing actively analyses your network security for things you don't know about. Penetration Testers will recon and attack your network like a spiteful hacker would. The results will be vulnerabilities found through the testers' experience or resourcefulness. The reason that Penetration Tests are so unique is that they imitate the actions of an attacker. Another way to think of penetration testing (Pen Test) is vulnerability testing: while a vulnerability scan just detects the issue, a pen test actually determines whether it can be exploited.

2. Choose the right test

Pen tests vary greatly; getting the right one for your company is essential. Ideally, you need a decent report in the right format for compliance. The correct tools will offer output in a format that makes report writing simple. Third-party penetration tests should be performed by qualified and experienced personnel only. By their nature, penetration tests cannot be entirely procedural, and an exhaustive set of test cases cannot be drawn up. Therefore, the quality of a penetration test is closely linked to the abilities of the penetration testers involved.

3. Staying in contact

During the test phase, you should ensure that a technical point of contact is available at all times. The point of contact does not need to spend all their time working with the test team but should be available at short notice. This allows the test team to raise any critical issues found during testing and resolve problems which are blocking their testing (such as network misconfiguration). This impact needs to be considered throughout the testing time, as testing could affect your running services.

4. Being prepared

During a penetration test or security assessment, the testing team may identify additional systems or components which lie outside the testing scope but have a potential impact on the security of the system(s) defined as in scope. In this event, the testing team may either suggest a change to the scope, which is likely to alter testing time frames and cost, or recommend that the exclusion of such components be recorded as a limitation on testing. The decision on the preferred option will generally be down to the risk owner, with the penetration team responsible for clearly articulating the factors to consider.

The Cons of a penetration test

1. It is improbable that a pen-tester will discover all the security issues or solve all problems when probing or scanning for vulnerabilities and generating an automated report; remember this is not a full security audit. It only tests items in your scope, which are pre-agreed limitations.

2. It will take a pen-tester more time to inspect a system and identify attack vectors than to do a vulnerability assessment, as the test scope is greater. The testers' actions can also be disruptive to business activities, as they mimic a real attack.

3. It is highly labour-intensive and can therefore represent an increased cost, and some organisations might not be able to allocate a budget to do this. This is especially true when an outside firm is hired to carry out the task.

4. It may give a false sense of security. Being able to withstand most penetration testing attacks might give the sense that systems are 100% safe. In most cases, however, penetration testing is known to company security teams, who are ready to look for signs and are prepared to defend. Remember that real attacks are unexpected and, above all, unforeseen.

Testing

Testing is conducted using three methodologies: black, white and grey box testing. A black-box tester is unaware of the internal structure of the application to be tested, while a white-box tester has access to the internal structure of the application. A grey-box tester partially knows the internal structure, which includes access to the documentation of internal data structures as well as the algorithms used.

Black Box Testing

Black-box testing requires no prior information (apart from the agreed scope information) and is a method of testing considered to simulate that of a real attacker, such as organised crime, an internet hacker or a nation-state-level attack. The drawbacks of black-box testing are that the agreed time frame may not be sufficient to test everything, and some parts of the target infrastructure may be left untested because they were never discovered.

White Box Testing

White-box testing is representative of an attacker who has already gained access to an application or infrastructure. As part of white-box testing the Security Consultant will be given credentials, which delivers benefit through the ability to conduct a wider breadth of testing, by simulating the level of risk to the environment from an authenticated perspective. The obvious drawback of this test is that it's not a realistic scenario, as a real-world attacker would not have a complete picture of the nitty-gritty bits of the architecture and would not be as biased as the tester. But when it comes to security, is there ever really such a thing as too much?

Grey Box Testing

Grey-box testing is a blend of both black- and white-box testing. This blended framework offers greater focus and a more thorough assessment. Partial code coverage: in grey-box testing, source code or binaries are missing because of limited access to the internal structure of the applications, which results in limited code path traversal.

Testing from all angles

Penetration testing should be executed internally and externally; the target is still the same, just the origin of attack differs.

Internal: An Internal Penetration Test is where a consultant is placed within your corporate environment and connected to your internal network, looking for security issues from the inside, as an attacker who has already bypassed your security perimeter would.

External: An External Penetration Test is where a consultant looks for security issues from outside your network, generally over the public Internet or via email servers.

Test types

1. Wireless Testing

By analysing and inspecting access points, various devices and encryption devices, this test identifies the weaknesses within the wireless architecture.

2. Infrastructure or Network Penetration Testing

This testing assesses the current operational security level of either an infrastructure or a network; the goal is the same in either case, to identify and exploit any vulnerabilities.

3. Application Penetration Testing

This evaluates a web application for security weaknesses. The purpose of the test is to detect any security issues that could be misused by hackers. The specialist tester will execute a thorough review of the entire site to find errors and recommend fixes. Criminals target applications that provide access to valuable data such as credit card or personal details, for example banking or retail websites.

4. Configuration / Build Review Testing

This type of test will thoroughly analyse the build and configuration of your security by scanning for known vulnerabilities, testing against misconfigurations and checking against most compliance standards, ensuring that your standard build does not offer an easy avenue for attack.

5. Social Engineering

Social engineering penetration testing is designed to check employees' observance of the security policies and practices outlined by management. Testing should provide a company with data on how easily a hacker could convince employees to break security guidelines or reveal or provide access to sensitive information. The company should also get a better understanding of how successful its security training is.

5 Steps

When undertaking a Penetration test a systematic process should be followed. We follow an A.T.O.M assessment framework which consists of four Pillars; however, to support those four pillars a foundation must be created. Our Cyber evaluation moves through five phases: pre-engagement, testing, report, post engagement and re-test. This ensures that the client receives a well-crafted and calculated engagement lifecycle.

[Diagram: Pre-Engagement, Testing, Report, Post Engagement, Re-test (if required)]

1. Pre-Engagement

Relevant information should initially be collected so that a detailed procedure of requirements can be produced; this ensures that there is no overlap with areas that are already being tested and a full understanding of what is needed. The initial phase will cover the following items:
a. Scoping Call
b. Testing Proposal/Assessment
c. Authorisation Form

2. Testing

The testing phase is known as the Penetration Test. One testing day equates to eight testing hours. Any critical or high vulnerabilities identified will be communicated to the client at the earliest opportunity.

3. Report

Reports will highlight the vulnerabilities and risks identified during the testing window. The testing specialists are not responsible for the remediation of the vulnerabilities identified, or for vulnerabilities identified after the testing window, unless otherwise agreed within another proposal.

4. Post Engagement

The post engagement phase consists of two stages:
Report Delivery
30-minute post engagement call to discuss the findings identified

5. Re-Test (If Required)

The intent of retesting is to confirm that the original vulnerabilities identified have been remediated. Re-tests are usually chargeable at the tester's consultancy day rate. Should the client request an additional re-test report, a further charge for a new report may be incurred.

A formula for planning and managing a Penetration test

Below is a foolproof guide to what should be included within your Penetration Test.

1. Business requirements should be determined and objectives set.
2. The type of Penetration Test should be determined, including any limitations/restrictions.
3. Form the scope of the test, identifying the critical components.
4. Assess the risks of testing the system whilst it is live; if the risks are too great, discuss the alternatives with the specialist tester.
5. A timeframe should be determined: during working hours or out of hours.
6. A budget according to the scale and depth of testing should be set.
7. Maintain permanent liaison with the tester to discuss findings and updates.
8. A report should be generated in a simple form that is easy for you to follow and outlines the findings clearly.
9. Create a mitigation plan with all staff involved.
10. If necessary, re-test.

Before you start!

Make sure all these factors are in place:
NDA
Make those relevant aware of testing
Back up any critical data
Provide testers with all access requirements needed

Debunking Those Myths

Penetration Testing Is Only for Large Companies
Some laws and industry standards require penetration testing. Health care providers, for example, conduct tests to ensure that they adequately protect medical data. Meanwhile, banks must test their systems to maintain compliance with certain Acts, and any business that accepts or processes credit cards must conform to the Payment Card Industry Data Security Standard (PCI DSS).

Penetration Testing Is Always Proactive
Penetration testing can be proactive or reactive. Ideally, tests are performed to help prevent a breach. However, penetration testing during post-breach analysis can help security teams understand what happened and how, information that can also help an organization prevent similar breaches in the future.

Penetration Testing Is the Same as Vulnerability Assessment
Vulnerability assessments include identifying and classifying known vulnerabilities, producing a list of flaws that require attention and recommending ways to fix them. Pen tests, by contrast, simulate an attacker's actions. Results should include a report of how the tester undermined security to reach a previously agreed-upon goal, such as breaching the payroll system.

Conclusion

Penetration testing provides the company undertaking it with the opportunity to validate its current security procedures. This is achieved by following the protocol included within this booklet, selecting the correct scope and the right type of test. This allows you to have a test performed and then easily identify and repair any security weaknesses. However, choosing a suitable company to undertake the test is the main task within this whole process. The chosen company should have a proven track record and be able to guide and support you through every phase of this process until all faults and probabilities of breaches are managed. It needs to be remembered that a pen test should never be classed as a stand-alone procedure, but rather as part of the bigger picture of your company's risk management procedure.

Quote from Paul Anderson, Lead Technical Strategist

"Organisations often think that cybercrime won't happen to them; they may think that the size of the company is small, so they won't be a target. Others may think they are a large corporate with all the security measures in place. Cyber criminals don't care who you are; they also may have a high skill range when it comes to cybercrime and can penetrate what you thought were adequate measures."

"The other area where organisations fail is that they may have had a Cyber security evaluation and report and implemented the changes needed. But when was that report done? Last year? Last 5 years? 10?! Yearly reviews should be done; we feel that this is something a company can do along with the Data protection review, which we feel should be yearly as well."

Want to review our 28 page paper on GDPR, Data Protection 2018 and PECR? Contact Us For Details - dpo@6sglobal.co.uk

Copyright 2018. 6S Global Limited. All rights reserved. This proposal is for the use of client personnel only. No part of it may be circulated, quoted, or reproduced for distribution outside of the client organisation without prior consent.

Author: Kelly Lovelock