A vulnerability is a flaw or weakness in a system that an attacker could exploit to gain unauthorized access or otherwise compromise the system. Vulnerability management is the process of identifying, prioritizing, mitigating, and reporting on vulnerabilities to proactively reduce your cyber risk.
The first step of that process, identifying, is where vulnerability assessments become a necessary tool. A vulnerability assessment is a systematic review of security weaknesses in your environment. It relies largely on vulnerability scanning but may also include reviewing your policies and processes for human and operational weaknesses. Vulnerability scanning is an automated process, so its results are only as good as the tools you have deployed and the coverage you have configured for them.
The problem with vulnerability scanning, though it is undeniably useful, is that it doesn't provide a comprehensive picture. Scanners produce both false positives and false negatives, which leads to vulnerability fatigue and time wasted on non-issues. Scanning products have advanced to the point of suggesting remediations and rating the severity of each finding, but they still lack context. You may have other controls in place that minimize the impact of a high-severity vulnerability, or the vulnerability may exist only on a host that is not actively in use or holds no sensitive data. Vulnerability scanning does a great job of alerting you to things that may need to be fixed, but to prioritize your work based on real-world risk, you need penetration testing.
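To make the context argument concrete, here is an added example (not code from the original article or from any scanner vendor) that re-ranks scanner findings once asset context is taken into account. The findings, asset attributes and weights are constructed: exposure, data sensitivity, whether the asset is in use, and compensating controls each nudge the scanner's CVSS score, so that an internet-facing injection flaw on the checkout API outranks a higher-rated finding on a segmented, idle legacy host.

```python
"""Context-aware ranking of scanner findings.

This is an added example, not code from the original article or from any
scanner vendor. The findings, asset attributes and weights below are
constructed to show how context (exposure, data sensitivity, whether the
asset is in use, compensating controls) reorders what scanner severity
alone would put first. Weights are hypothetical; tune them to your estate.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Finding:
    check: str                 # scanner check name (constructed)
    asset: str                 # hostname or service (constructed)
    cvss: float                # scanner-reported base score, 0.0-10.0
    internet_facing: bool      # reachable from the internet?
    sensitive_data: bool       # does the asset hold regulated/sensitive data?
    in_active_use: bool        # is anything actually using this asset?
    compensating_controls: List[str] = field(default_factory=list)


# Hypothetical adjustments applied on top of the scanner's CVSS base score.
EXPOSURE_BONUS = 2.0     # internet-facing assets are attacked first
SENSITIVE_BONUS = 1.5    # breach impact is higher where sensitive data lives
IDLE_PENALTY = 3.0       # idle/unused assets are lower priority (still fix them)
CONTROL_PENALTY = 1.5    # each compensating control reduces real-world exposure


def contextual_score(f: Finding) -> float:
    """Scanner severity adjusted for asset context, clamped to 0.0-10.0."""
    score = f.cvss
    if f.internet_facing:
        score += EXPOSURE_BONUS
    if f.sensitive_data:
        score += SENSITIVE_BONUS
    if not f.in_active_use:
        score -= IDLE_PENALTY
    score -= CONTROL_PENALTY * len(f.compensating_controls)
    return round(max(0.0, min(10.0, score)), 1)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest contextual score first; ties broken by raw CVSS, then asset name."""
    return sorted(findings, key=lambda f: (-contextual_score(f), -f.cvss, f.asset))


def scanner_order(findings: List[Finding]) -> List[Finding]:
    """What the scanner dashboard would show: raw CVSS, highest first."""
    return sorted(findings, key=lambda f: (-f.cvss, f.asset))


# Constructed sample findings.
SAMPLE_FINDINGS = [
    Finding("Outdated web framework, remote code execution", "legacy-intranet-01",
            9.8, internet_facing=False, sensitive_data=False, in_active_use=False,
            compensating_controls=["network segmentation"]),
    Finding("SQL injection in checkout API", "shop-api",
            8.8, internet_facing=True, sensitive_data=True, in_active_use=True),
    Finding("TLS 1.0 enabled", "www",
            5.3, internet_facing=True, sensitive_data=False, in_active_use=True),
    Finding("Default credentials on admin console", "hr-admin",
            9.8, internet_facing=False, sensitive_data=True, in_active_use=True,
            compensating_controls=["MFA at the VPN", "IP allowlist"]),
]

if __name__ == "__main__":
    print("Scanner order:   ", [f.asset for f in scanner_order(SAMPLE_FINDINGS)])
    print("Contextual order:", [(f.asset, contextual_score(f))
                                for f in prioritize(SAMPLE_FINDINGS)])
```

The scanner alone puts the two 9.8 findings at the top; with context, the checkout API injection rises to the top and the idle, segmented legacy host drops to last. The adjustments are where a penetration test earns its keep: a tester confirms whether "network segmentation" actually blocks the path and whether the admin console is really unreachable, which turns the guessed weights into evidence.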
Penetration testing goes beyond scanning to conduct a simulation of an attack. Pen testers find and attempt to exploit weaknesses to provide much-needed context as to which vulnerabilities pose an actual threat to business operations. Just like there are different types of vulnerability scanning, there are also different types of penetration testing for the different aspects of your environment.
Types of Penetration Testing
External Network Penetration Testing: In this test, the tester attempts to gain access to your network through external-facing assets to test the strength of your perimeter. This is usually done as black box testing, where the tester is given no prior information about the target. They begin with reconnaissance: credentials exposed in past breaches, domains and subdomains, login portals, email addresses and usernames, and the technologies you run. This simulates a real-world attack in which the adversary has no inside information and instead combines open-source intelligence with password spraying (a few common passwords tried across many accounts, staying under lockout thresholds) or credential stuffing (username and password pairs reused from other breaches) against your exposed login portals.
They also look for ways past your firewall and for exploitable services listening on open ports. Network pen testers may conduct FTP/SMTP-based attacks, router attacks, DNS-level attacks, proxy server attacks, or IPS/IDS evasion, looking for any path by which an attacker could gain access to your network.
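One thing you should expect from an external test is evidence of whether your own monitoring noticed the credential attacks. The following is an added example (not code from the original article) of the detection logic a SOC would run over authentication logs to tell password spraying, which hits many accounts once each, from brute force, which hammers one account. The log line format, thresholds and sample events are constructed; map them onto whatever your identity provider or VPN actually emits.

```python
"""Tell password spraying from brute force in authentication logs.

Added example, not from the original article. The log line format, the
thresholds and the sample events below are constructed for illustration;
map them onto whatever your identity provider or VPN actually emits.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed log shape: "<ISO-8601 UTC> auth=OK|FAIL user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

WINDOW = timedelta(minutes=30)   # span in which failures are correlated
MIN_FAILURES = 8                 # failures from one source before we decide
SPRAY_USER_RATIO = 0.75          # spraying: nearly every failure hits a different user


def parse(lines: List[str]) -> List[dict]:
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that don't match; real pipelines should count these
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def classify(lines: List[str]) -> Dict[str, str]:
    """Map each noisy source IP to a verdict; quiet sources are omitted."""
    fails, successes = defaultdict(list), defaultdict(set)
    for e in parse(lines):
        if e["result"] == "FAIL":
            fails[e["src"]].append(e)
        else:
            successes[e["src"]].add(e["user"])

    verdicts = {}
    for src, events in fails.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most WINDOW.
            while events[end]["ts"] - events[start]["ts"] > WINDOW:
                start += 1
            window = events[start:end + 1]
            if len(window) < MIN_FAILURES:
                continue
            users = {e["user"] for e in window}
            if len(users) / len(window) >= SPRAY_USER_RATIO:
                verdict = "password_spray"
                # A success from the same source against a sprayed account is the
                # high-fidelity signal: the spray found a working password.
                if successes[src] & users:
                    verdict += "_with_success"
            elif len(users) <= 2:
                verdict = "brute_force"
            else:
                verdict = "suspicious"
            verdicts[src] = verdict
            break  # one verdict per source is enough for this example
    return verdicts


def _line(ts: datetime, result: str, user: str, src: str) -> str:
    return f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} auth={result} user={user} src={src}"


# Constructed sample log (RFC 5737 documentation addresses).
_T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # Spray: one source, ten different users, one failure each, then a success.
    [_line(_T0 + timedelta(minutes=i), "FAIL", f"user{i:02d}", "198.51.100.7") for i in range(10)]
    + [_line(_T0 + timedelta(minutes=12), "OK", "user07", "198.51.100.7")]
    # Brute force: one source hammering a single account.
    + [_line(_T0 + timedelta(minutes=2 * i), "FAIL", "admin", "203.0.113.5") for i in range(12)]
    # Benign: a user mistyping a password three times, then getting in.
    + [_line(_T0 + timedelta(minutes=i), "FAIL", "bob", "192.0.2.9") for i in range(3)]
    + [_line(_T0 + timedelta(minutes=4), "OK", "bob", "192.0.2.9")]
)

if __name__ == "__main__":
    for src, verdict in classify(SAMPLE_LOG).items():
        print(f"{src:15} {verdict}")
```

Per-account lockout counters, the control most organizations rely on, never fire on the spray in this sample because each account fails only once; the per-source, many-user view is what catches it. Credential stuffing looks different again (one attempt per account, often from many sources, with a high success rate because the pairs are real), so it needs breach-corpus matching or cross-source correlation rather than this single-source check.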
Internal Network Penetration Testing: In this test, the tester takes the position of a malicious insider or an attacker who has already gained a foothold on the network. This is generally done as gray box testing, in which the simulated attacker is provided limited access. They are given information such as a set of standard user credentials to simulate how an attacker who has gained access to the network may escalate privileges and move laterally to reach additional resources. They also look at things like session management, data handling, and business logic.
Application Penetration Testing: Rapid development cycles, increased API usage, and reliance on third-party code libraries have greatly expanded the attack surface of applications. Application penetration testing specifically attempts to exploit common application vulnerabilities such as code injection, broken authorization, cross-site scripting, and insecure deserialization. This may be done as a black box test, where no prior information is given and the tester attempts to gain access from the outside. Application testing can also include white box components, in which the pen testers are provided information about the system, including privileged credentials, network maps, and source code. White box testing is a comprehensive review that looks for all types of security weaknesses that could be exploited, including those a black box tester would never reach.
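The difference between a scanner flagging an injection point and a tester confirming it is easiest to see in code. Here is an added example (not code from the original article or from any real application) of a deliberately vulnerable lookup beside its parameterized fix, run against two payloads an application tester would try. The table, the functions and the payloads are constructed; the standard library's sqlite3 stands in for whatever database the real application uses.

```python
"""The tester's view of an injection finding: a vulnerable query beside its fix.

Added example, not code from the original article. The table, the lookup
functions and the payloads are constructed; sqlite3 from the standard
library stands in for whatever database the real application uses.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "staff"), ("carol", "staff")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str):
    # Deliberately vulnerable: untrusted input is spliced into the SQL text,
    # so a quote in the input changes the structure of the query.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str):
    # Fix: a bound parameter is only ever data, whatever characters it holds.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Two payloads a tester would try after a scanner flags the parameter.
TAUTOLOGY = "' OR '1'='1"   # turns the WHERE clause into something always true
COMMENT_OUT = "alice' --"   # closes the string and comments out the trailing quote


def probe(lookup) -> dict:
    """Run a benign input and both payloads through a lookup function on a fresh DB."""
    conn = make_db()
    return {
        "benign": lookup(conn, "bob"),
        "tautology": lookup(conn, TAUTOLOGY),
        "comment_out": lookup(conn, COMMENT_OUT),
    }


if __name__ == "__main__":
    print("vulnerable:", probe(lookup_vulnerable))
    print("fixed:     ", probe(lookup_safe))
```

Against the vulnerable function the tautology returns every row and the comment payload returns the admin account, which is the proof a report needs; against the fixed function both payloads return nothing because the input can no longer alter the query. A scanner typically reports the first of these (an error or a behavioural difference on a quote), while the tester's job is the second and third step: demonstrating what the flaw actually yields and verifying the fix holds.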
Social Engineering Penetration Testing: Social engineering attacks such as phishing are a major risk and can't be detected with a vulnerability scan. Running simulated phishing and other social engineering campaigns reveals which employees are most likely to be fooled, so they can receive targeted security awareness training.
Cloud Penetration Testing: According to Fortinet’s 2021 Cloud Security Report, 71% of organizations are pursuing a hybrid or multi-cloud strategy. While moving services to the cloud has numerous benefits, it can also increase your security risks and make vulnerabilities harder to detect. Before conducting any penetration testing in the cloud, familiarize yourself with the types of testing your cloud service provider (CSP) allows. Network stress testing and DDoS simulations in particular are subject to CSP rules, and you may need prior approval to run them. The CSP distinguishes between customer-operated and provider-operated services: you’ll have far more freedom to test your infrastructure-as-a-service environments than a software-as-a-service offering, where you do not own the application. Your CSP doesn’t want your testing to impact their other customers or their own platform. A cloud penetration test typically looks for insecure APIs, misconfigurations, weak access control, outdated software, and insecure coding practices.
When to Use Penetration Testing
Penetration testing is a tool that can be used in conjunction with vulnerability scanning to paint a more complete picture of your vulnerability landscape. You’ll likely conduct vulnerability scanning more often than penetration testing, since scanning is generally less expensive and automated, whereas a penetration test is largely manual and requires the time of skilled professionals. With the right tools, you can integrate vulnerability scanning into the CI/CD pipeline so that findings are remediated as they arise.
Penetration testing should certainly be conducted before deployment, but for companies with limited budgets it may be most valuable after the significant changes have been made, rather than early in development when the target is still changing. However, just like vulnerability scanning, penetration testing should not be a one-time occurrence. Depending on your budget, you should conduct pen testing at least once a year, with larger enterprises testing more frequently because of the scope of their environments and the rate at which they change.
Keep in mind that the cost of your penetration test will vary depending on the type of test and the scope of the test, with prices anywhere from $4,000 to $100,000. There are different approaches for deciding what to test. Some organizations opt for a network perimeter test to focus broadly on internet-facing services that they see as posing the biggest risk. As cloud use and remote work increase, however, some organizations are choosing instead to approach pen testing from the individual asset/project perspective, building pen testing into the budget of their projects, as opposed to the security budget overall.
Another time a penetration test may be conducted is when you want to demonstrate good cybersecurity posture. Cyber insurers will see regular penetration testing as something that will lower your risk because you are more likely to find and address vulnerabilities, which can help you lower your premium. You should come away from your penetration test with a report that will help you in your remediation and can serve as documentation of sound vulnerability management practices.
Not sure where to start with penetration testing? RH-ISAC members have exclusive access to Member Exchange, our community discussion platform where retail and hospitality cybersecurity professionals collaborate and exchange knowledge. Check out RFIs on pen testing scope of work and recommendations for pen testing vendors. Visit the RH-ISAC website to see how RH-ISAC membership can benefit you.