Is your organization secure from a cyber-attack? Unless you’ve done some thorough research, you may not be able to answer that question confidently. Knowing the strength of your security program is paramount in protecting your data, and your clients’ information!
Penetration testing is one of the most effective ways to ensure your business is prepared against an attack. Testing for both external and internal threats can help protect your company and give you some peace of mind. Knowing where your vulnerabilities are will help you secure your network, and knowing which tests are right for your organization is a good first step.
What is Penetration Testing?
Penetration testing, often called “Pen Testing”, is done by a cybersecurity expert who tries to infiltrate an organization’s systems using a series of tests. The goal is to try and find vulnerabilities in the security protocol that could be used by criminals.
There are two steps to a “typical” Pen Testing process: external and internal. Each one offers unique insight into the security strength of your organization. Taking the time to understand what they involve and offer your company can help you prepare for the process.
External Pen Testing
External Penetration Testing is the practice of testing security programs through external access. That includes anything that has a public facing service or IP or URL. This could be a web application,firewall, server or IoT device. Depending on the motivation of the attacker, they could utilize a vulnerability or chain vulnerabilities in order to gain access to sensitive data. In various parts of the internet, zero day (0-day) exploits are often sold or exchanged for these purposes.
The goal of External Pen Testing is to find those vulnerabilities a threat actor may use to get into your company’s network to steal valuable information from within your company.
External Pen Testing Methods:
- IDS/IPS Testing
- Segmentation Testing
- Manual Testing Identified Vulnerabilities
- System Screening/Port Screening/Service Scanning for Vulnerabilities
- Checking Public Information for Leakages
- Foot-printing/Banner Grabbing
- Open Source Intelligence (OSINT) reconnaissance
- PCI, HIPPA and other compliance-based testing
The tester may also try to gain access to external facing assets such as email, file shares, or websites.
During testing, the assessor will gather information on all assets within the scope of the test. That includes open ports, vulnerabilities, and other information about the company’s users. This can then be used for various attacks such as: brute forcing passwords, phishing attacks, precise operating system and service attacks.
The External Pen Test should reveal any areas that may be compromised and exploited to gain access to your network. This should also be utilized as an opportunity for clients to verify their current process for detecting anomalous activity. Once a perimeter is breached, testing depending on the rules of engagement, further attacks could be used to gain access to internal network assets, often referred to as pivoting or lateral movement.
Internal Pen Testing
Most organizations focus on the perimeter as far as security goes. Unfortunately, those with direct access to an organizations data pose the most significant threat overall. People are often easily manipulated and prone to mistakes (we are all human). Many times, what happens at the host level goes unmonitored and many organizations aren’t aware of what is entering or leaving their networks. Common misconfigurations are still seen to this day that often lead to full network compromise.
Internal Pen Testing is very important and can encompass many things. For those working from home that may be private networks such as home WIFI, cell phones, cable, streaming services, and the list goes on. All of these can be connected to each other. The threat comes from opening networks to external threats with one of these channels.
The office has potential internal threats, as well. The same systems in place at home can often be found at the office; such as phones, internet networks, and more. Also, if your business has a file sharing system that several employees have access to, and do not require a password, you may want to re-evaluate who is allowed to see the various levels of content. Not every employee needs access to the same data, and unnecessary access could leave you vulnerable to an attack. Not all employees have the interest of your company at heart and could be motivated by financial, vindictive or other means to cause harm to the network or overall company image.
A threat actor who is able to get in through one of these channels can then move about and gather private data by just observing from within. It may not always be an immediate attack. In fact, they may collect data to use later or sell to others. This could go undetected for weeks, months or longer if proper internal auditing, patching and testing is not performed on a regular basis.
During Internal Pen Testing the assessor is trying to find out just how much damage could be done by a threat actor or employee from the inside of the network. A poorly secured domain could lead to total control of a network, but most tests require multiple attack paths to complete the objective. This is often accomplished due to relaxed policies that focus on convenience rather than necessary mitigations.
Once the Pen Tester can access the internal system, the tester will sometimes move laterally within the organization’s system. The goal is to see how much of the internal network is vulnerable if an attacker were to gain access. Internal Pen Testing can also include privilege escalation, malware spreading, information leakage, and other malicious activities.
The tester will often use less important systems, that are easier to access, as a channel to get through to the more secure areas with higher levels of protection. This is typically where sensitive data or controls will be.
Internal Pen Testing Can Include Using:
- WIFI Networks
- Computer Systems
- Mobile devices
- Physical access
Internal Pen Testing is important, even if your External Pen Testing seemed secure. Threat actors may still be able to infiltrate your system. There could also be attacks from individuals from inside your organization. Knowing all levels of your security system will help you prepare and prevent a breach.
External vs. Internal: What’s Right for You?
Trying to decide the right security path for your business is not always simple. When it comes to Penetration Testing, knowledge really is power. Being able to know areas of strength and weakness can help better prepare you for possible threats. Whether it’s preventing an outside attack from an external threat, or an internal issue that could put your company in jeopardy, there are ways to know what you’re ready to handle.
There isn’t a “standard” penetration test for every organization, everyone is different. No matter how large or small your organization is, Pratum can customize a solution that provides value to your organization. If you feel budgetary constraints are an issue for you, talk to one of our experts and you’d be surprised as to what you still can do.
If you’re interested in seeking a third-party expert to conduct Penetration Testing, or just discuss your options, be sure to reach out to a Pratum consultant now.