
Penetration Testing to Safeguard Against Cyber Security Breaches



What is Penetration Testing?


Penetration testing is carried out to show how well an organisation would withstand a cyber attack, to gather information about the organisation's vulnerabilities, and to reveal how internal and external threats could lead to a breach.


A penetration tester is a highly trained specialist who has expert knowledge of the latest attack techniques and can go beyond the identification stage of automated vulnerability assessments. This level of expertise and manual testing provides a thorough and deep examination of security risks.


Professional penetration testers are sometimes called ethical hackers. This is because they carry out authorised attacks during the exploitation phase of testing, simulating a variety of different cyber security attacks on your IT assets. The penetration tester will attempt what a hacker would to gain access to networks, applications, systems, personal data, sensitive information and security processes.


An organisation’s cyber security vulnerabilities might include:

  • Code and design flaws in software and hardware;

  • Unsecured networks and infrastructure;

  • Misconfigured or complex IT systems; and

  • Human error.


Penetration testing should be customised according to the industry to which an organisation belongs and tailored to the specific organisation’s needs and goals. At Digital Resilience we work closely with our clients individually to empower and enable you to secure what matters to your business.




Why Undertake Penetration Testing?


Working with a penetration tester will expose vulnerabilities in the systems being tested. You will then be able to mitigate the discovered risks by addressing the security flaws, developing appropriate controls and applying the suggested remediation strategies before you fall victim to an unauthorised cyber attack.


At Digital Resilience our purpose is to secure what matters and help organisations retain the trust of their customers by demonstrating sound management of security practices. While penetration testing's primary objective is to identify weaknesses in your software and systems, it offers further benefits:

Reduces the impact and cost of a successful attack on your business

A security exposure has the potential to significantly impact an organisation. A breach can be extremely costly in both money and time. The IBM-Ponemon Institute Cost of a Data Breach Report (2021) revealed that in 2021 "an average of 23,800 records were stolen per Australian breach costing $169 per record on average." The same study showed that these costs are rising, with "the average Australian data breach cost $3.7m (US$2.82m)… up 31 per cent from $2.8m (US$2.15m) the previous year." A Microsoft and Frost & Sullivan study (2018) also revealed that "cybersecurity attacks have resulted in job losses across different functions in almost seven in ten (67%) organisations that have experienced an incident over the last 12 months."

Inform strategy and budgeting

Penetration testing shows your business what is most at risk and where you should invest in new tools and implement new protocols. This will also help you set annual security budgets.


Safeguard Internal Processes

Penetration testing can also demonstrate the effectiveness of, or identify gaps within, the internal processes designed to detect perpetrators attempting to break into your network and systems.


Learning and Development

Penetration testing can develop an organisation’s ability to handle a cyber security event. It will help reveal holes in your security practices so that your team can learn how to better prevent, detect, efficiently respond and recover from threats, attacks and breaches.


Reassurance of the Resilience of Solutions

Penetration testing can assess the security posture of applications and infrastructure and provide a level of assurance that the solution is resilient against opportunistic attacks and security misconfigurations while also demonstrating due diligence.


Check that your cyber controls are still effective

Over time, security controls deteriorate as new vulnerabilities are publicly disclosed and as development and administration teams introduce new flaws. Retesting will reveal these issues and help software developers build the knowledge and skills to design more secure applications in the future.


Compliance with industry standards

Working with a highly trained penetration tester helps you meet legislative requirements and regulatory obligations, and demonstrates your duty of care to your customers. Note that a penetration test is evidence towards compliance rather than a guarantee of it; the specific testing frequency, scope and reporting a regulator expects should be confirmed during scoping.




Types of Penetration Testing


Web Application Penetration Testing is a focused test that targets a specific web application to discover any vulnerabilities or security weaknesses within the application itself and any backend components such as APIs and underlying infrastructure.


Mobile Application Penetration Testing employs a combination of automated and manual techniques to assess the overall security posture of iOS and Android mobile applications to discover vulnerabilities and poor coding practices that may expose sensitive information.


External Network Penetration Testing will uncover vulnerabilities and security weaknesses within the organisation's publicly accessible information and infrastructure, which is referred to as the organisation's attack surface. A tester will attempt to gain an initial foothold within the organisation's environment by exploiting any security weaknesses identified and employing techniques commonly used by malicious actors, such as password spraying (one common password tried against many accounts), credential stuffing (credentials from earlier, third-party breaches replayed against your services), phishing and social engineering. A qualified tester will expose your vulnerabilities by attempting to gain access to your data, bypass firewalls, crack passwords or misuse exposed data and assets.
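Password spraying and credential stuffing leave a distinctive footprint in authentication logs, and the "Safeguard Internal Processes" benefit above is only realised if your detection logic actually fires on it. The following is an added example, not Digital Resilience's code or tooling: it separates a spraying pattern (many accounts, one or two failures each, from one source) from classic brute force (many failures against one account) and notes any successful login from the same source shortly afterwards, which is the foothold a tester is looking for. The log format and IP addresses are constructed for the illustration; adapt the parser to your own identity provider's export.

```python
"""Added example (not Digital Resilience's code): telling password spraying
apart from single-account brute force in authentication logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, result, username, source IP.
# 203.0.113.9 sprays one password across many accounts and then lands one.
# 198.51.100.4 hammers a single account (brute force).
# 192.0.2.77 is a user who mistyped once; it must not be flagged.
SAMPLE_LOG = """\
2021-09-01T08:00:01Z FAIL alice 203.0.113.9
2021-09-01T08:00:03Z FAIL bob 203.0.113.9
2021-09-01T08:00:05Z FAIL carol 203.0.113.9
2021-09-01T08:00:07Z FAIL dave 203.0.113.9
2021-09-01T08:00:09Z FAIL erin 203.0.113.9
2021-09-01T08:00:11Z OK frank 203.0.113.9
2021-09-01T08:10:00Z FAIL alice 198.51.100.4
2021-09-01T08:10:02Z FAIL alice 198.51.100.4
2021-09-01T08:10:04Z FAIL alice 198.51.100.4
2021-09-01T08:10:06Z FAIL alice 198.51.100.4
2021-09-01T08:10:08Z FAIL alice 198.51.100.4
2021-09-01T08:10:10Z FAIL alice 198.51.100.4
2021-09-01T09:30:00Z FAIL grace 192.0.2.77
2021-09-01T09:30:10Z OK grace 192.0.2.77
"""


def parse_log(text):
    """Turn the constructed log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ok": result == "OK",
            "user": user,
            "ip": ip,
        })
    return events


def detect(events, window=timedelta(minutes=5), min_users=5, min_attempts=5,
           spray_max_per_user=2):
    """Return one finding per offending source IP.

    password_spraying: >= min_users distinct accounts fail inside `window`
                       from one IP, with at most `spray_max_per_user`
                       failures per account (the 'low and slow' signature).
    brute_force:       >= min_attempts failures against a single account
                       from one IP inside `window`.
    Any successful login from that IP up to one window after the burst is
    recorded as a possible foothold.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]
        for i, start in enumerate(fails):
            end = start["ts"] + window
            in_win = [e for e in fails[i:] if e["ts"] <= end]
            per_user = defaultdict(int)
            for e in in_win:
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= spray_max_per_user:
                kind = "password_spraying"
            elif max(per_user.values()) >= min_attempts:
                kind = "brute_force"
            else:
                continue
            foothold = sorted({e["user"] for e in evs
                               if e["ok"] and start["ts"] <= e["ts"] <= end + window})
            findings.append({
                "ip": ip,
                "kind": kind,
                "accounts_targeted": len(per_user),
                "failures": len(in_win),
                "successful_logins_after": foothold,
            })
            break  # earliest qualifying window is enough for one alert per IP
    return findings


def run_sample():
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

The thresholds are deliberately parameters: a real spray from a tester is often spread over hours to stay under lockout limits, so a production detection would widen `window` and correlate across many source IPs rather than one.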


Internal Network Penetration Testing will focus on an organisation’s internal infrastructure. A penetration tester initiates the testing from within the organisation to test internal systems. In addition to revealing the ways in which an insider threat may leave you exposed, it will also reveal weaknesses that allow an attacker to move laterally on your network once a foothold is established within the environment.


Attack Surface Assessment

In today’s ever evolving environments, initiatives such as cloud migrations, business transformation, acquisitions and more, mean new digital assets are constantly added to your attack surface, which is all your publicly accessible information and infrastructure. It is more critical than ever that organisations are aware of their entire attack surface and understand what assets make up their digital footprint so they can better defend against cyber attacks.


An Attack Surface Assessment leverages advanced reconnaissance and Open-Source Intelligence (OSINT) techniques to provide a complete snapshot of an organisation's external attack surface. A recent HackerOne study revealed that 1 in 5 organisations estimate half of their attack surface is unknown or unobservable, creating a substantial security gap, and that 1 in 3 organisations in the United States leave 25% of their attack surface unprotected.
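The "unknown attack surface" figure above is something you can measure for yourself: take the hostnames that public sources such as certificate transparency logs and passive DNS expose for your domains, and reconcile them against what your asset inventory says you own. The following is an added example, not Digital Resilience's code or methodology. The certificate records are constructed to mimic the shape of crt.sh JSON output (a `name_value` field that may hold several newline-separated names, some of them wildcards); the `example.com` domain, the DNS findings and the inventory are hypothetical.

```python
"""Added example (not Digital Resilience's code): reconciling hostnames found
by external reconnaissance against an organisation's own asset inventory."""
import json

# Constructed records in the shape of crt.sh JSON output (hypothetical domain).
CT_RESULTS_JSON = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com"},
    {"common_name": "legacy-ftp.example.com",
     "name_value": "legacy-ftp.example.com"},
    {"common_name": "Mail.Example.com.",
     "name_value": "mail.example.com\nwebmail.example.com"},
    {"common_name": "staging.example.net",          # not one of our domains
     "name_value": "staging.example.net"},
])

# Constructed passive-DNS / brute-forced subdomain findings for the same org.
DNS_FINDINGS = ["vpn.example.com", "jira.example.com", "www.example.com"]

# What the (hypothetical) asset inventory says the organisation owns.
KNOWN_ASSETS = {"example.com", "www.example.com", "mail.example.com",
                "vpn.example.com"}

IN_SCOPE_DOMAINS = ("example.com",)


def normalise(name):
    """Lower-case, trim whitespace and the trailing dot of an FQDN."""
    return name.strip().lower().rstrip(".")


def in_scope(host, domains):
    """True if host is one of the organisation's domains or a subdomain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def hostnames_from_ct(raw_json, domains):
    """Extract in-scope hostnames from crt.sh-style records.

    Wildcard names are returned separately: '*.dev.example.com' tells you a
    whole zone issues certificates without naming any host in it.
    """
    hosts, wildcards = set(), set()
    for entry in json.loads(raw_json):
        names = entry.get("name_value", "").split("\n")
        names.append(entry.get("common_name", ""))
        for name in names:
            name = normalise(name)
            if not name or not in_scope(name, domains):
                continue
            if name.startswith("*."):
                wildcards.add(name[2:])
            else:
                hosts.add(name)
    return hosts, wildcards


def reconcile(discovered, known):
    """Split discovered hosts into inventoried and unknown, with the fraction
    of the observed attack surface the inventory does not account for."""
    unknown = sorted(discovered - known)
    fraction = len(unknown) / len(discovered) if discovered else 0.0
    return {
        "confirmed": sorted(discovered & known),
        "unknown": unknown,
        "unknown_fraction": fraction,
    }


def assess(ct_json, dns_names, known, domains):
    """Merge the OSINT sources, then reconcile against the inventory."""
    hosts, wildcards = hostnames_from_ct(ct_json, domains)
    for name in dns_names:
        name = normalise(name)
        if in_scope(name, domains):
            hosts.add(name)
    report = reconcile(hosts, known)
    report["wildcards"] = sorted(wildcards)
    return report


def run_sample():
    return assess(CT_RESULTS_JSON, DNS_FINDINGS, KNOWN_ASSETS, IN_SCOPE_DOMAINS)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

In practice the `unknown` list (here a forgotten FTP host, a webmail endpoint and a ticketing system) is where external testing finds its first foothold, and the `wildcards` list tells you which zones need a second, deeper pass because the certificate logs alone cannot enumerate them.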


Wireless Testing is the practice of testing wireless systems for configuration issues and vulnerabilities. The assessment will identify implementation weaknesses such as weak or legacy encryption, inadequate segmentation between wireless and internal networks, and limited defensive capabilities of the wireless systems.


Kiosk Testing

In this digital era, public kiosk stations are increasingly being adopted by businesses to provide information and self-service options that enhance customer experiences. Kiosk Testing will assess the overall security posture of publicly accessible kiosk systems and will test locked-down kiosks to see whether break-out is possible or access can be gained to other systems or data. A tester will check that security best practices have been implemented and identify any security weaknesses and misconfigurations within the environment, such as vectors to break out of the kiosk interface and take control of the underlying system.




Stages of Penetration Testing


There are six stages to a thorough penetration test:


Scoping and Planning

This is the planning stage where the scope and goals of the test are defined. It will look at what systems will be addressed and the testing methods to be used. Additionally, this is where the tester will look at previous test results and gain authorisation before commencing the testing.


Reconnaissance

The primary goal in this phase is to discover as much information as possible about the target application(s) and underlying infrastructure. This information provides the foundation for a tailored security assessment. Reconnaissance is carried out using a combination of automated tooling, Open-Source Intelligence (OSINT) techniques and, where source is provided, manual code review.


Automated Testing

Automated testing is conducted to lay the groundwork for the manual assessment with each finding manually checked to verify accuracy and remove false positives.


Exploitation and Verification

This stage is undertaken with care by an expert penetration tester using the results of the reconnaissance and automated testing phases, paired with their experience and expert knowledge to conduct a thorough manual security assessment. To determine the full extent of the organisation’s vulnerability and risk, the tester will attempt to breach and compromise the systems, applications and infrastructure defined within scope. Unless explicitly requested to do so, this testing will generally exclude denial-of-service (DoS) attacks and social engineering of end users.


Reporting

Digital Resilience provides comprehensive test results compiled and presented in a detailed risk-based report outlining:

  • Assessment Details of the applications and systems tested;

  • Process and Methodology;

  • Scoping and Rules of Engagement;

  • Executive Summary includes key strengths, key findings and strategic recommendations to address and manage identified risks;

  • Findings Overview that breaks down the number of findings and severity;

  • Detailed Findings, including the technical specifics for each of the reported issues along with business impact and detailed recommendations for remediation; and

  • Appendix, including additional information and a glossary of security terms.

Reporting will clearly outline which applications and systems were tested, the vulnerabilities detected and expert recommendations to address and manage identified risks.


Retesting

Once remediation steps have been undertaken, it is recommended to conduct a retest of the discovered vulnerabilities. Typically, this is a small exercise in comparison to the full test and can easily be requested. Results of the retesting activity are reflected in the original report.



Who Would Benefit?


In this era, all companies, from small to medium enterprises to large organisations, would greatly benefit from penetration testing. This is particularly true if the following applies:


Small to Medium Enterprise

Organisations with company websites would benefit because testing helps secure the website against compromise or defacement. Compromise of your corporate website may result in damage to your brand and reputation.


Large Organisations

Large organisations greatly benefit as they are more likely to have:

  • Custom applications;

  • Mobile applications;

  • Vast attack surface;

  • Large internal presence and infrastructure;

  • Regulated industry requirements;

  • Many staff; and

  • A higher likelihood of being targeted.


Organisations that employ staff

Any organisation that employs staff would benefit from social engineering, as a component of penetration testing. Such testing will assess the resilience of people and the likelihood of an organisation’s staff falling victim to social engineering attacks such as phishing, which is a commonly used attack vector by malicious actors. This not only serves to gauge resilience, but also helps inform the development of education and awareness strategies.


Working-from-home arrangements

According to new analysis, increased remote work during the COVID-19 pandemic “made companies more vulnerable to cyber attacks, with data breaches involving remote workers costing $1m more on average than those that didn’t.”


Cloud and Mobile Infrastructure

Eric Lam (2018), Director of Enterprise Cybersecurity Group, Microsoft Asia, stated that companies who operate in the cloud and embrace mobile computing to connect with customers and optimise operations take on new risks. The IBM-Ponemon (2021) report subsequently revealed that organisations further along in their cloud modernisation strategy contained breaches on average 77 days faster than those in the early stage of their modernisation journey.


Legislated Industries

Organisations such as IT companies and Financial Service Providers, engage in penetration testing frequently due to legislated mandates and industry requirements by regulatory bodies such as APRA.


Healthcare Industry

The IBM-Ponemon (2021) report showed that healthcare organisations worldwide have had the highest industry cost of a breach for eleven consecutive years, with an average cost of US$9.23 million in 2021.




When Should Penetration Testing be Conducted?


Penetration testing should be conducted regularly to detect recent and previously unknown vulnerabilities and ensure continued security. The frequency of penetration testing for your organisation may be influenced by the size of your online presence, security budget and your regulation and compliance requirements.


It is advised that testing be conducted at least once per year or following significant changes, such as:

· Major software updates

· Deployment of new infrastructure and applications

· Recent relocation

· Significant changes to IT infrastructure and applications


The IBM-Ponemon report (2021) revealed that Australian companies took 311 days on average to detect and contain data breaches, up more than a week over the previous year and continuing a five-year trend towards ever-slower detection, but that those who had created an incident response team and were regularly testing their incident response plans claimed savings of nearly $1 million per incident.


Not surprisingly, penetration testing has been shown to be one of the elements to help reduce data breach losses, which is further evidence of the increasing need and clear benefits of engaging the services of an experienced and qualified penetration testing specialist.



Is Penetration Testing Right for Me?


At Digital Resilience we have a range of assessment styles to fit different budgets, from detailed penetration tests of complex applications to vulnerability assessments of small websites and applications. Contact us today to see how our experienced and highly qualified penetration testers can work with you to secure what matters to your business.





Sources:


IBM and Ponemon Institute. 2021. Cost of a Data Breach Report 2021. [PDF] Armonk: IBM Corporation. Available at: https://www.ibm.com/downloads/cas/OJDVQGRY


Braue, D. (2021). Working from home blew out cost of data breaches. [online] Information Age. Available at: https://ia.acs.org.au/article/2021/working-from-home-blew-out-cost-of-data-breaches.html.


Microsoft Asia News Center. (2018). Cybersecurity threats to cost organizations in Asia Pacific US$1.75 trillion in economic losses – Asia News Center. [online] Available at: https://news.microsoft.com/apac/2018/05/18/cybersecurity-threats-to-cost-organizations-in-asia-pacific-us1-75-trillion-in-economic-losses/
