What is penetration testing?
A penetration test, also known as a ‘pen test’, is a simulated cyberattack against your organisation’s systems. The objective of a penetration test is to identify vulnerabilities within the organisation and to better understand the impact of those vulnerabilities.
Types of penetration test:
• Internal/external infrastructure pen testing
• Wireless pen testing
• Web application testing
• Mobile application testing
• Build and configuration review
• Social engineering
• Cloud pen testing
• Agile pen testing
Why is pen testing required?
The costs associated with a data breach can be devastating, not just for your business but also for your customers, who can lose their personal data and money. In order to protect your business and your customers, you need to understand the issues that may be uncovered during a pen test, then rectify them.
A comprehensive penetration test will help you understand the impact of vulnerabilities on your technology, people and processes and provide helpful recommendations on how to mitigate those risks.
Get your priorities straight
The most important aspect to address before any penetration testing is what’s important to your business. Not all companies care about the same things. For example, an online retailer will want to focus on their payment processes and cardholder data, whereas a medical clinic will prioritise their patients’ PHI (protected health information).
There is very little value in the discovery of minor vulnerabilities if it comes at the expense of time spent on discovering issues affecting your most important assets. That is why goal-oriented pen testing is so important to maximise the value of the penetration test.
An effective pen test strategy
It’s critical to spend time scoping the pen testing project in detail. There has been a major shift in the skills required by companies seeking pen test services, as they now realise that a team’s soft skills are just as important as their technical expertise.
As regulatory requirements for penetration tests have increased, organisations are frequently scoping their tests to just get a passing grade. At Securus, we hear many customers saying they already do it, but when you delve a bit deeper, it becomes obvious that they have just ‘ticked the box’ and paid the smallest amount possible to look like they are complying.
A good penetration test is comprehensive and includes the full range of organisational assets. In an ideal world, you should know what the penetration testers are going to find before they find it. Armed with a good understanding of the vulnerabilities present in your system, you can use third-party tests to verify your own expectations.
What a pen test should tell you
The objective of a pen test is to use the findings to improve your organisation’s internal vulnerability assessment and management processes. Pen tests typically identify the level of technical risk arising from software and hardware vulnerabilities.
A well-scoped penetration test will tell you whether your products and security controls have been configured in accordance with good practice, and will confirm that, at the time of testing, there are no known vulnerabilities in the tested components.
Simulated phishing attacks
Phishing attacks are innocent-looking emails, pop-ups, adverts or company communications that tempt you to click so they can install spyware, viruses and other malware on your computer or phone.
Testing the humans in your system is the priority as 91% of all attacks begin with a phishing email to an unsuspecting victim. A simulated phishing test is when an organisation sends fraudulent, malicious-like emails to their employees and assesses their response behaviour.
Simulated phishing emails teach staff how to spot a phishing attack so that they are less likely to fall victim to a real one by clicking on a malicious attachment or URL. They help employees recognise, avoid and report potential threats that can compromise critical business data and systems, including phishing, malware, ransomware and spyware.
Try to make sure each member of staff receives a phishing simulation at least once a quarter, to help track risk and keep the organisation’s security hygiene at the forefront.
How to avoid phishing attacks
Here are a few tips to avoid falling victim to a phishing attack.
Be vigilant with emails:
Carefully examine the senders of unsolicited, unexpected or otherwise suspicious communications, such as emails requesting financial transactions. There are many things you can look for that indicate a potential scam, such as spoofed sender addresses or links, impersonal or poorly written messages with typos, or messages referencing activities (such as orders or shipment notifications) that you didn’t ask for.
Carefully check URL links:
Don’t click on links in any emails, messages or site notifications that appear suspicious. Before clicking, hover over a link to double-check that the destination URL is what it claims to be.
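As an added example (not code from the article or from Securus), the following Python checks a constructed sample email for the indicators described in the two tips above: a reply address on a different domain from the sender, an impersonal greeting, and link text whose displayed host differs from where the link actually points. The sample message and its domains are made up for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): a mock shipment notice showing the signs above.
SAMPLE_EML = """\
From: "Parcel Service" <notify@parcel-service.example>
Reply-To: claims@mail-collector.example
Subject: Your order #48213 is on hold
Content-Type: text/html; charset="utf-8"

<p>Dear Customer,</p>
<p>Track your parcel: <a href="http://parcel-service.example.tracking-redirect.example/t">https://parcel-service.example/track</a></p>
"""

class _LinkCollector(HTMLParser):
    # Collects (visible text, href) for every <a> element in the HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def phishing_indicators(raw: str) -> list[str]:
    """Return the red flags from the tips above that this message exhibits."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0] if msg["From"] else None
    reply_to = msg["Reply-To"].addresses[0] if msg["Reply-To"] else None
    if sender and reply_to and reply_to.domain.lower() != sender.domain.lower():
        findings.append(f"replies go to {reply_to.domain}, not sender domain {sender.domain}")
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    if "dear customer" in html.lower():
        findings.append("impersonal greeting instead of the recipient's name")
    links = _LinkCollector()
    links.feed(html)
    for text, href in links.links:
        shown, actual = urlparse(text).hostname, urlparse(href).hostname
        if shown and actual and shown != actual:
            findings.append(f"link text shows {shown} but points to {actual}")
    return findings
```

Mail clients hide the href behind the visible text, which is exactly why the tip says to hover before clicking; the last check automates that comparison.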
Implement a VPN to secure your internet connection:
A VPN encrypts your internet connection and keeps the sites you have visited and the information you share private from would-be attackers. A VPN helps to prevent cybercriminals from intercepting your WiFi traffic over public networks.
Do an online search:
When in doubt, do an online search to further investigate the validity of communications you receive. If it really is a scam, you can often find results showing so. Do your part in spreading awareness of potential phishing scams by reporting them to the companies involved and your IT department.
Use multi-factor authentication:
At least two forms of verification are recommended, such as a password and a security question, before logging into any sensitive accounts. Multi-factor authentication makes it more difficult for cybercriminals to gain access to your accounts. If your password is exposed, your account will remain protected by a second or even third layer of authentication.
A popular saying within the cybersecurity community is that humans are ‘the weakest link’ in IT security. One of the best ways to enhance security protection and avoid being caught in a phishing attack or data breach is to conduct pen testing. You should also train your staff on all the potential risks because education is the first line of defence. Both should be repeated on a regular basis.
Securus has vast experience and knowledge in penetration testing and can guide you on the best ways to prevent cyberattacks. To find out more, call one of our security experts today: 0345 128 3457.