March 22 2021
The cybersecurity threat against business continues to grow, yet it seems that many organisations are still failing to take the necessary security action. Testing your systems is no longer just a nice-to-have; it’s a must, and with GDPR coming into force it’s now essential that companies test their security to the full.
Testing can seem like a daunting prospect and many organisations don’t know where to start, or what to look for. On this page we will:
- Explain the importance of testing
- Show you how to overcome the potential barriers
- Advise you on what to look for in a cybersecurity company, and
- Outline the types of test available to you.
The importance of testing cybersecurity
No company is ever fully secure, but by putting robust security measures in place you deter all but the most skilled and determined attackers. However, even with these measures in place it’s important that you test your security on a regular basis.
In this section we outline just some of the reasons why testing is so important and why companies need to be taking the issue seriously.
- Protecting your critical assets
For some businesses their website is key; if that goes down then it’s going to mean lost revenue. For others it’s their customer list; without that they have no business. For many it’s all about their intellectual property. Whatever industry you’re in, you’re bound to have some critical business assets.
These critical assets need protecting at all costs and businesses should be taking the necessary action to ensure that these don’t fall into the wrong hands. Testing is the only way to ensure that the measures you have put in place are effective and that your key assets are protected from the outside world.
- The threats are evolving
Threats are evolving at an ever-increasing rate and even if you are 100% safe now, it doesn’t mean you will be tomorrow. Ransomware peaked at 40,000 attacks a day in 2016 with 400,000 variants a day, and things are evolving quicker all the time. New exploits are emerging on a regular basis and attackers are learning from successful attacks, building upon them and launching even more powerful variations. The time to react is getting shorter.
Testing on a regular basis is the best way to ensure you are protected against these attack techniques, and companies need to employ a robust testing schedule to ensure they stay on top.
- Putting security theory into practice
Mike Tyson once said that “everyone has a plan until they get punched in the mouth” and the same can be said about cybersecurity. You can have all the processes, plans and techniques in place to deal with a potential attack, but what do you do when it really happens? How does your organisation react?
Testing can help you put this theory to the test; for example, a red team exercise can simulate a real-world attack. From this you’ll get a picture of any vulnerabilities your company may have, but you’ll also see if the plans you have put in place are truly effective.
This type of test will also allow you to evaluate your response to varying levels of attack sophistication. Do you detect and respond to simple attacks but fail to pick up a more advanced breach? External testing is your opportunity to test yourself against the best.
The cybersecurity testing options available
Testing isn’t a one-size-fits-all process and there are a number of tests available to suit your needs and business objectives. Your penetration test provider should outline the test options available to you and work with you to find the most appropriate.
In this section we outline the testing options available and discuss the pros and cons of each.
- Vulnerability scan
Conducting a vulnerability scan is the first step to understanding your security situation. It can provide you with a valuable insight into your company’s weaknesses and assess the overall risks you face.
There are a variety of tools available for automated vulnerability scanning — ranging from the simplest port scanners through network vulnerability scanners and then onto application security scanners and database security scanners. A great advantage of automated scanners is that they can be quickly deployed and provide metrics for progress in resolving vulnerabilities. The earlier an issue is addressed, the easier and cheaper it is to fix.
There are limitations, however. Basic scanning tools will only protect you from the simplest of attacks and can only scan against known vulnerabilities, and then there’s the issue of false positives, where valid application behaviour is reported as a vulnerability.
Automated scanners also have issues when new web technologies are introduced. There is typically a lag before the scanner is updated to handle new developments.
- Penetration test
A penetration test, or pen test as it’s known, is a practical assessment used to demonstrate how potential attackers can exploit weaknesses in your IT systems. It’s capable of identifying issues that would not be found by an automated solution, eliminates false positives by utilising advanced manual techniques and requires companies to undertake a more extensive and rigorous process than simple scanning.
In a pen test, specialist consultants replicate the techniques that external malicious parties would use to ‘hack’ a site, application or a network. The only differences are that the security consultant is time-limited in their approach, testers are restricted by the scope set out before any test is undertaken, and in-house security teams are usually made aware that someone will be probing their systems.
In terms of problems, pentesting can identify several types of input validation issue (e.g. code injection, SQL injection, and cross-site scripting (XSS)), file upload related issues (such as the ability to upload executable files), horizontal privilege vulnerabilities (where one user can access another’s data using techniques such as ‘parameter tampering’) and vertical privilege issues (e.g. where a normal user can access administrative functionality through, for instance, a ‘forced browsing’ vulnerability).
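The horizontal and vertical privilege issues described above, shown as a vulnerable handler beside its hardened form. This is an added example, not code from the original page; the invoice store, `User` type, handler names and `Forbidden` exception are all hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    role: str  # "user" or "admin"

# Constructed sample data: invoice id -> (owner, contents)
INVOICES = {
    101: ("alice", "Alice: 3 licences"),
    102: ("bob", "Bob: 1 licence"),
}

class Forbidden(Exception):
    """The session user is not allowed to perform this request."""

def get_invoice_vulnerable(session_user, invoice_id):
    # Horizontal flaw: the id is taken from the request and never compared
    # with the session user, so a changed id returns another user's record.
    return INVOICES[invoice_id][1]

def get_invoice_hardened(session_user, invoice_id):
    # Ownership is checked server-side. Missing and foreign records give the
    # same error, so the response does not reveal which ids exist.
    record = INVOICES.get(invoice_id)
    if record is None or record[0] != session_user.name:
        raise Forbidden("invoice not available to this user")
    return record[1]

def delete_user_vulnerable(session_user, target):
    # Vertical flaw: the admin link is only hidden in the menu; the handler
    # never checks the role, so requesting the URL directly succeeds.
    return f"deleted {target}"

def delete_user_hardened(session_user, target):
    # The role is enforced on every request, not just in the user interface.
    if session_user.role != "admin":
        raise Forbidden("admin role required")
    return f"deleted {target}"

def audit(handler, user, arg):
    """Report how one handler treats one request: 'allowed' or 'denied'."""
    try:
        handler(user, arg)
        return "allowed"
    except Forbidden:
        return "denied"
```

Running `audit` over each handler with a normal user and an admin gives the access matrix that a retest after remediation should confirm.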
Protecting systems and data is key during the testing process and pentest companies will work with organisations from the beginning of scoping to ensure the most appropriate testing methods are utilised and that all necessary measures are put in place so as not to cause any unwarranted downtime or data breach.
At the end of the process a full report will be delivered to the client: vulnerabilities will be explained in detail and ranked in order of severity, and recommendations for remediation will be outlined.
- Red team exercise
Red teaming is the most advanced test that a company can employ and is designed to simulate real-world threat actors utilising weaknesses in any aspect of your organisation – including your networks, applications, people, and the physical security of your facilities.
Unlike penetration testing, red teaming is goal-based and testers have a much broader scope in which to attempt to gain access to resources critical to your business. This provides companies with an invaluable opportunity to test their own ability to detect, protect and respond efficiently to an attack.
The only consideration is that of scope. Companies can absolutely adjust the scope of the red teaming so that they’re comfortable with the techniques deployed and levels of access granted, but the more open the scope, the more valuable the information they’ll get, and therefore the more secure they’ll be.
- A combination of the three?
The most effective way to provide defence in depth is to utilise all three testing methods. Red teaming can provide you with an overall picture and allow you to ensure your critical resources are secure. Penetration testing can help you uncover vulnerabilities within specific areas, or allow you to test new applications, and vulnerability scans can provide a good overview of security on your less critical applications.