In the seminal boxing film Rocky, our protagonist undergoes an unconventional training exercise: attempting to catch chickens.
Rocky’s coach, the old sage Mickey, has identified a weakness in his charge – namely his speed, footwork and ability to manoeuvre around the ring – and a way to remedy it. Or in his own words: “If you can catch this thing, you can catch greased lightning!”
You can think of penetration testing a little like this.
There’s a date in your future when you will face an opponent who’s trying to knock you out. Before then, you have a coach and a few sparring partners to prepare you by using lifelike scenarios without the severe consequences. You will receive feedback on your openings.
Just remember, while Mickey is on hand to guide you, test you, and alert you to your flaws, Apollo Creed’s coach (or if you’re still with this analogy... Clubber Lang’s, Ivan Drago’s, Tommy Gunn’s or Mason ‘The Line’ Dixon’s) is also working out how to penetrate your defence – just as a hacker might scan your perimeter with a view to getting in.
Pen testing is proactive defence training. It’s in your interest to train hard, and often.
The UK’s National Cyber Security Centre (NCSC) defines penetration testing as "A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system's security, using the same tools and techniques as an adversary might."
Testing an organisation’s IT infrastructure could involve evaluating a whole network, or just a single software application. This might find configuration errors, design flaws, or software bugs, but with Verizon’s 2022 Data Breach Investigations Report stating that “82% of breaches involved the human element”, it’s equally important to identify weaknesses in IT security policy, the ability to respond to incidents, and employee security awareness.
Are all penetration tests the same?
No, there can be many variations. Just like an audit, a pen test follows a strict methodology with the scope agreed beforehand, considering security priorities, risks and threats.
The level of information given to the testers by the organisation being probed determines whether the pen test is executed as a black box, grey box, or white box test.
Different kinds of in-depth pen tests concentrate on specific areas of an organisation’s IT infrastructure and include, but are not limited to, the following:
Network penetration testing – the most common type, aiming to discover faults and openings in the network infrastructure by conducting both remote and on-site tests.
Social engineering penetration testing – an attempt to influence staff or contractors into sharing usernames, passwords or other sensitive information.
Physical penetration testing – an essential test of the physical impediments a hacker would face in accessing systems, infrastructure or employees.
Client-side penetration testing – key to discovering the liabilities of client-side applications such as email clients or software packages like Microsoft Office Suite and Adobe Creative Cloud.
Web application penetration testing – a detailed evaluation to identify failings in web-based applications, browsers and their components, including databases, underlying code and the back end of networks.
Wireless penetration testing – an assessment of the links between all the devices connected to your Wi-Fi, including smartphones, laptops, tablets and IoT gadgets.
For more information on the types of penetration test read this.
How often should I get a penetration test?
The reality of the cyber threat landscape is that it evolves constantly. Gaps appear even in the best security measures and applications; just look at LastPass, once described by WIRED as the go-to free, mainstream password manager, of which WIRED now says, after a high-profile breach, “It’s time to ditch.”
Of respondents to Ponemon’s 2022 Global Study on Closing the IT Security Gap, only 30% said their organisations were effective in keeping up with the ever-changing risks of cyber security.
Penetration testing will give you an up-to-date review of the strengths and susceptibilities of your current IT security – but time will move on.
The routine integration of penetration testing as a primary tool of the risk management kit is essential for any organisation to maintain a strong security posture, one step ahead of attackers, with the best chance of avoiding a damaging breach.
The right frequency in each individual case depends on the size of the company, its budget and the regulations it must meet. Once a year is commonly recommended – as is a penetration test whenever changes are made to a network’s infrastructure or applications, end-user policies, or an office’s physical location.
Is there an alternative to a penetration test?
It’s strongly advisable for large organisations with complex systems, financial records, personally identifiable information and ransomable secrets to invest in regular penetration testing. However, there is an undeniable place in proactive defence training for vulnerability scans.
A vulnerability scan is an examination of your IT system to detect any flaws or gaps in security. It is an analytical snapshot designed to reveal weaknesses that an attacker may exploit, but it stops short of the comprehensive stress test of each vulnerability that a pen test would include.
Naturally, this less thorough, software-led option is cheaper than in-depth penetration testing by experts, but it is useful nevertheless.
According to the NCSC you can “think of Vulnerability Scanning as a cheap and cost-effective way of keeping the most common security issues at bay, leaving you time and budget to invest in more focused forms of manual testing.
“Regular penetration tests with comparison to your own vulnerability scan results help to identify any systemic weaknesses in your vulnerability scanning regime.”
With time and budget key concerns for small and medium-sized enterprises, undergoing vulnerability scans before progressing to penetration testing may be the option likely to give the maximum benefit.
A note of caution: the many varieties of vulnerability scan out there are only as competent as the knowledge programmed into them. New bugs or complex faults are unlikely to be detected, and vulnerability scans often miss the subtle issues that an experienced pen tester might find.
To learn more on the differences between penetration tests and vulnerability assessments read this.
Just as learning how to catch a chicken enhanced Rocky as a boxer, implementing penetration testing for your organisation is a responsible application of proactive defence training.
If you recall, our hero actually lost the headline fight in the first movie, but had developed himself sufficiently to remain at the elite level, fighting baddies throughout the eponymous series of films.
Likewise, penetration testing is not a panacea for all the woes of the cyber world, but it demonstrates to board members, shareholders, and customers alike that you’re a serious contender willing to commit to continuous improvement of your cyber security posture.