Penetration testing means hiring security experts to carry out simulated attacks on a network or computer system, exposing security weaknesses that a genuine attacker could exploit.
The losses resulting from computer outages during the 2017 WannaCry cyber attack were estimated to be in the range of $4 billion. With attackers constantly finding new ways to exploit computers and networks, cyber controls such as penetration testing are vital for a number of reasons.
- Penetration tests can expose security teams to the experience of a real-life network intrusion. A good penetration test is like a fire-drill—security teams should not know when it’s coming. Businesses can recruit skilled security experts or “white hat hackers” for effective penetration tests to see how security personnel react.
- Penetration tests reveal particularly vulnerable areas of applications, security systems, and networks. Skilled hackers can typically think outside the box, revealing hardware and software flaws that the security team overlooked. Penetration test results can pave the way for an improvement to the entire security infrastructure.
- Penetration tests can discover new bugs created by changes to existing code, such as when you upgrade your application or software.
The following tips highlight some of the best practices for your security team to keep in mind for effective penetration testing.
Penetration Testing Best Practices
Hire the Best Testers
It’s good practice to put together a penetration testing team composed of individuals who don’t normally work for you. A third-party service can provide expert hackers who will better resemble how genuine intruders attempt to gain access to your network.
Encourage Communication between Testers and Developers
Penetration tests involve leveraging the skills of knowledgeable hackers who can find security flaws that lead to future improvement in your network. A big mistake is simply recruiting the testers to carry out the test and nothing else.
Encourage communication in the post-testing period between testers and security/development teams and issues can be fixed more efficiently.
Fix Issues Between Tests
Regular pen tests are a good idea because changes to coding or infrastructure can lead to security vulnerabilities. But there is no point in conducting pen tests if you don’t fix previously identified issues between tests.
Testers will simply find the same vulnerabilities leading to wasted time and resources because you won’t learn anything new.
Create Hacker Profiles
To get the full benefit from pen tests, it’s a good idea to create hacker profiles that reflect how different types of intruders might attempt to attack a computer system in different ways.
For example, you can tell one tester to act like a disgruntled ex-employee, who would attack particular areas, while other testers can be outside individuals with no insight on the company or its security infrastructure.
Incorporate Social Engineering
Social engineering should be incorporated into any good penetration test. Spear phishing, which uses convincing emails from seemingly trusted sources to gain access to computer systems, is a particular problem.
Cyber criminals used social engineering to steal $1 billion from financial institutions worldwide over the course of 2013-2015. A good pen testing team can mimic the way social engineers behave and reveal security weaknesses that are frequently overlooked.
How Threat Intelligence Can Contribute to Penetration Testing
Some penetration testing tools combine threat intelligence and penetration tests for more effective testing. Companies can use the latest threat intelligence to highlight modern cyber risks, indicating particularly common ways to attack computer systems and giving insight on the profiles of modern attackers.
Using threat intelligence caters for a more targeted approach to penetration testing. When you use threat intelligence, you can hire third party testers that understand the mindset of the modern hacker and have knowledge of the relevant threats to computer systems.
Threat intelligence gives a fuller picture of the security practices at your company in relation to modern threats. The result is that you can better mitigate these attacks by incorporating recommendations from intelligence-led pen tests.
Closing Thoughts
- Penetration testing is a great way to learn about your existing security vulnerabilities and the robustness of your security infrastructure.
- Penetration tests should always follow best practices, including hiring expert third-party white hat hackers, encouraging communication between security personnel and testers when tests complete, and incorporating social engineering.
- Threat intelligence can improve the efficacy of pen testing by allowing for a more targeted approach that better reflects modern security threats and hacker profiles.
