I do not envisage a business today without some sort of IT component, whether it’s a business of one or one of thousands. The IT component could be a mobile phone, a tablet, a simple computer to keep track of emails from and to suppliers, and so on. If you do not have any of these devices, your business today is probably not competitive with others who do.
Suppose that you have your own IT infrastructure and your own IT team who take care of things like a computer that stops working, backing up your servers, updating and patching your desktops and servers, and so on. However, your IT team does not know how well they are performing, and they do not know how many security holes your IT system has, which puts your business at risk. This is when you may need some help and assistance from an independent cyber security advisor.
If you have already conducted any security assessment, internally or externally, that’s great! You already have a baseline to work from. If you have completed your security implementation and ticked all the boxes, then your next logical step is to engage a penetration test, or pen-test, team to test your environment.
After all, you believe you are OK and all your systems are safe. Aren’t they? Perhaps not…
What is the difference between a Vulnerability Scan and Penetration Testing?
Before discussing which penetration testing solution you need, let’s focus for a second on “vulnerabilities”. Many people confuse the terms penetration testing and vulnerability assessment, but as a matter of fact they have two different meanings.
The outcome of a vulnerability scan is a list of the vulnerabilities your servers, desktops and devices have at that point in time, and that is it. Penetration testing, however, is the exercise of exploiting one or more of those vulnerabilities to gain access to your systems.
Does that make sense?
If not, let me use the following exercise.
Suppose that you want to find the vulnerabilities in your home. You call a specialist to run a vulnerability assessment and, as a result, you find out that the lock on the front door of your house does not work. The consultant will report that information to you, and that will be the end of their work.
Now, you call a penetration test specialist who also finds that same vulnerability, but this specialist takes the exercise further. They go to your house, enter every room and access every part of your house. In other words, they use the vulnerability (the broken door lock) found in the first exercise to get access to your house (your IT environment / company / private data), in a controlled environment that is safe for your business.
Different levels of penetration testing for different businesses
Now that we have cleared up that concept, let’s move on to the penetration testing scenarios. Assessing a house that has one front door and only one window is not the same as assessing a building with 17 floors, one entry door and multiple internal doors, windows, lifts, etc.
As you can see, the work it takes to find the vulnerabilities in a house is different from that for a big building, as are the attempts to exploit one or several entry points to get access to the building.
The concept is the same when you engage a penetration testing team. If you have only one server exposed to the world with limited access to the Internet, maybe you want to go with the first level, or a “light penetration test.” Think of this as testing the waters. You do not want to spend big bucks if you can find what is wrong with your infrastructure with an entry-level version of this service.
Now, if you have multiple servers exposed to the world, then you may want to go with level 2, or the mid-range level. This level will test all of your servers, up to 32 IP addresses exposed to the world, and in addition you will get a vulnerability assessment of the internal components of your network at one specified location.
Finally, if you want to go full steam ahead, you may choose level 3. This level will scan all of your external servers and will also take it a step further and try to escalate privileges (getting Administrator access to your network), crack passwords, exfiltrate data, etc. This is the most comprehensive penetration testing exercise, and it will provide you with a full report of your current vulnerabilities and how they can be exploited.
How frequently should I be pen-testing?
You may think that once you run any level of penetration testing your work will be done.
This is far from the truth.
The security landscape and new threats are evolving every minute: not every year or every month, but every minute.
Security companies are constantly keeping up with what is new out there. Therefore, running a security assessment, whether a vulnerability assessment, a pen-test, etc., will give you a “snapshot” of how secure your company was at some point in time. That’s it, nothing more.
However, you can use that snapshot as a baseline to compare how your team, or you yourself, are learning and evolving. In order to measure growth, you will have to run the same exercise again in the future.
But how long should you wait?
Well, this will depend on:
- The number of changes in your infrastructure, e.g. are you adding servers?
- The number of changes in your software, e.g. a new line-of-business application deployed.
- The market your business operates in; a bank is not the same as a bricklaying company.
- Risk appetite. How much risk is your business willing to take?
As a general rule, conducting this exercise every year is a good starting point, and you may want to increase or reduce the frequency of these tests depending on the results.
Do you want to get a better understanding of what a pen-test is and how it can help your business improve its security maturity posture? Visit our Penetration Testing Page.
Best of luck out there!