Data breaches, ransomware attacks, and other cyber security incidents are increasingly making headlines across Australia. The Office of the Australian Information Commissioner reports that they were notified about 396 data breaches between January and June 2022 with healthcare, finance, education, legal, and recruitment organisations being the top targets. Official reports only include those breaches which are detected and then reported by organisations, with a much larger number likely going undetected or unreported.
The incidence of breaches and other cybersecurity issues is a reminder to organisations that security must first and foremost be considered a programme and not a project. A key part of any effective security programme is the need to continually test and validate the efficacy of security controls, policies, and procedures to prevent incidents.
One of the best ways to validate your security controls is through simulated attacks on your systems by authorised ethical hackers, commonly called a Penetration Test. Ethical hackers perform penetration tests using the same techniques and tools as adversaries to identify issues and weaknesses in systems and demonstrate real world business impacts.
Understandably seeking out an organisation to undertake a penetration test might seem like a daunting task, a quick Google search for “Penetration Testing services in Australia” returned me 12.5 million results. Regardless of your company size or industry here are some tips to help you find the right security consultancy and achieve the best results from a penetration testing engagement.
Black, Grey, White box, Red Team – What type of test is right for me?
Depending on your objectives there are many different types of penetration tests. The most commonly known are “black box”, “grey box”, and “white box”. These focus more on the technical elements such as networking and infrastructure, devices, and software applications.
A black box test closely simulates the real world where attackers start with no access or information about the internal environment of the system. A grey box test simulates attackers with some knowledge of the internal environment and the ability to login to the system. Access may be via self-registration to create an account or you may provide login credentials to one or more test accounts. A white box test closely simulates attackers such as malicious insiders with access to and complete knowledge of the environment.
Whilst a black box test might sound more realistic and the least invasive it may also not yield the best results. Remember the goal of a test is to find issues so your organisation is able to address them and prevent them occurring in the future.
My recommendation is to choose a test that aligns with the security maturity of your organisation. For example if your organisation is undertaking its first testing engagement it makes sense to maximise the opportunity to identify as many issues as possible making a white box test likely the most suitable. Another way to look at it is black box testing whilst being more realistic, is not likely to find as many issues as a white box or grey box test as more time will be spent trying to gain access, and learning about the environment; details which would otherwise be provided.
A red team test is commonly recommended for more mature organisations that undertake regular penetration testing and are looking to find additional issues not specifically limited to the technical elements. Red team engagements often include social engineering and physical access elements. A red team engagement can include multiple ethical hackers, over a longer elapsed period of time, and is typically more expensive than the other types of penetration tests.
How to select the right penetration testing company
As with knowing which type of test is best for the goals and maturity of your organisation, selecting the right testing company is equally important. No two penetration tests are the same, and the quality and quantity of findings between penetration tests with an identical scope can vary considerably. When searching and shortlisting security testing companies:
- First, find a trusted advisor. Someone impartial with experience as an ethical hacker, or knowledge about penetration testing that can provide insight and assist you throughout the process.
- Ask for recommendations from your network and also allocate time to do your own research. Having a shortlist of approximately five companies will help ensure adequate coverage during the subsequent evaluation and selection process.
- Meet with the testing companies’ representatives. I consider it a good sign if they bring along one or more of their ethical hackers and they spend time ascertaining what you care about, your testing goals, and highlight areas of risk that you might not had previously considered.
- Ask about their testing methodologies and what tools they use. Specifically you want to know that manual testing is performed in addition to automated testing for business logic, authentication, and authorisation tests. Unfortunately it’s not uncommon to see fully automated tests (essentially vulnerability scans) being passed off as manual penetration tests. If you’re not sure how to validate the answers they provide, consult with your trusted advisor.
- Request they provide their company and ethical hacker certifications, and detail their experience relevant to your industry, regulatory requirements, and type of testing you require. I would suggest looking for organisations that are CREST certified, or ethical hackers who have one or more Offensive Security certifications, or significant demonstrable experience. This helps ensure the company and ethical hackers you select have up-to-date and relevant skills aiding in a better overall result.
- Ask about their quality assurance and reporting process. It’s common for new customers to request an example report and I would recommend doing so. Example reports provide a solid reference by which to understand how findings and recommendations are articulated, as well as the types of tools and methodologies used. Findings should also clearly explain and include all the steps to replicate the issue yourself. Delivery of the final report can also include a meeting where you have the opportunity to ask questions and it’s worth asking if this is included as part of the engagement.
- Ask about their billing and engagement model. Most engagements are time-boxed meaning an ethical hacker is allocated a certain number of hours to complete the test based on the agreed scope, and write the report. Post testing and once you’ve remediated any issues found it is good practise to confirm they’ve been fixed correctly which requires retesting. Not all, but some companies include some retesting time for free. In either case it’s often more cost effective to include and pay for retesting as part of the initial engagement.
Preparing for a Penetration Test
Imagine you’ve been told your house is being targeted by burglars, what would you do? Lock the doors, close the windows, bring in your prized garden ornaments, move valuables to a safe place, install security cameras, and inform the rest of your family too. Preparing your organisation and systems for a penetration test is no different. By performing a few tasks you’ll be better prepared for malicious attackers, and also benefit from not having a penetration test report full of basic issues (commonly called low-hanging fruit) such as “your software is not patched and up to date”. Before undertaking a test:
- Run automated vulnerability scans of your perimeter and internal environments if you know how. Alternatively you can use one of the many freemium cloud based perimeter assessment tools to highlight issues with things that are exposed to the internet. Whichever approach you take, address all the findings.
- Patch everything. Vulnerability scanners are limited at what they can find depending how they’re configured and run so manually updating operating systems, installed software, and network devices also helps limit those low-hanging fruit.
- Backup your environments. Despite best intentions you can never be 100% certain that during a test something wont go awry and result in an outage, system damage, or data destruction. In some cases it might be possible to perform application level testing in a non-production environment yet still test the production network and infrastructure. Your chosen company will be able to advise if this is suitable.
- Enable logging and monitoring where-ever possible. Improving observability in your environment is always beneficial. As security matures in your organisation you will likely become less reactive (responding to reported vulnerabilities) as hopefully there will be fewer issues found, and be more proactive (detecting and responding to potential threats). Penetration tests serve as prime opportunities to develop the required skills to become more proactive. Comparing your detections and logs with the report findings can also highlight potential gaps and blind spots in your environment.
- Inform internal teams and 3rd parties of the penetration testing window, essentially the start and end date of the testing. Security operations staff can then plan accordingly and also organise practising their detection skills. Informing 3rd parties including data center and cloud hosting providers is often a contractual and legal requirement where engagements must be approved before testing can begin.
Achieving the best results from penetration testing
Finally, here are some tips to maximise the return on your investment in penetration testing:
- Ensure access is provisioned for ethical hackers before the scheduled start day. Even in the case of the black box test where no credentials are provided attackers may still require physical access to a building, or connectivity to a specific segment of the network. Significant delays in starting testing reduces the overall time available to dedicate to performing the penetration test.
- For environments using test data, ensure enough data is available for all functions to be tested. Any test environment should be a close approximation of your production system. If testers are required to input and load data this also reduces the available time for testing. Data replication and masking tools are a good option to ensure test environments are populated with representative data, without using actual production system data.
- Provide multiple logins, for different companies and users, and for each role or level of access. This makes it easier to test authentication and authorisation controls and identify privilege escalation issues. As an example if you have user and admin roles belonging to different organisations in your system, four sets of user credentials should be provided.
- Don’t change the environment during testing. It might seem tempting to remediate issues as you discover they’re being exploited by an ethical hacker, especially if you’re practising your incident response skills. By doing this you’re limiting the testers ability to demonstrate the real-world impacts to your business and also provide clear steps to reproduce and fix the issue.
- Provide two points of contact. Ethical hackers are masters at findings vulnerabilities but may not be experts in what you do. Having someone to call to clarify how something works when required can significantly expedite the testing process. Having two contacts helps ensure questions can be answered in a timely manner if one person is unavailable.
- Schedule regular future testing. Penetration tests are point-in-time assessments and there are many benefits to more regular testing. A mixture of smaller tests focussing on specific areas such as functionality you recently built, and full tests focussing on the entire system can reduce the time between when a vulnerability is introduced and when it is discovered.
- Rotate testing providers and ethical hackers between tests. NASA introduced the concept of “common mode of failure” during the space race to prevent similar issues being introduced through identical manufacturing processes. By using different testing providers you’ll be leveraging a wider range of skills and methodologies providing greater assurance.
Penetration testing is something I recommend everyone consider as it’s an excellent way to improve your overall security, organisational maturity, and provide confidence that identified gaps are remediated in a timely manner.
Find Scotti Fletcher on LinkedIn: https://www.linkedin.com/in/scotti-fletcher/