Penetration Testing – DeBunked! – 2/3

Penetration testing CTRL Group

Penetration Testing & Post-Penetration Testing

By the end of this second blog post, you will understand the different types of penetration tests and the process that should follow a penetration test.


Penetration Testing

There are many different types of penetration tests, and each one tests the security of a different part of your infrastructure. It is important to understand the differences when looking to obtain a penetration test:

  • Website Penetration Testing – Performed against basic websites which do not have a login portal.
  • Web Application Penetration Testing – Web applications have a login portal and back-end databases storing information for different user accounts. This added complexity means a larger attack surface and a more intricate penetration testing process.
  • Internal Penetration Testing – Performed from within the business's network against the internal network infrastructure. The purpose is to detect any risks that could be exploited by a disgruntled employee, or by an attacker who has already compromised physical security.
  • Mobile Application Penetration Testing


Post-Penetration Testing

You now have a heavy report documenting your company's risks and the recommendations for addressing them. The first and most obvious step is to develop a remediation plan based on the risks in the report. These must be addressed in order of priority (High Risk to Low Risk).

Next, if they are not in place already, the two security processes below must be implemented:

1) Ongoing Penetration Testing – New vulnerabilities are discovered every week. Software that was fully up-to-date yesterday can be fish in a barrel for an attacker tomorrow. The minimum time-frame for conducting penetration testing on a business is once every 12 months. Furthermore, if you would like to adhere to the ISO 27001 Information Security Standard, security testing should be carried out for all new and updated infrastructure systems.

2) Security Operations Centre – A SOC team's goal is to detect, analyse and respond to live cyber security incidents using a combination of technology solutions and strong processes. A SOC is the difference between a proactive business and a reactive business, because it can catch things early:

- Why did the Finance department plug an untrusted computer into the network?

- Why is Steve's email account being accessed at 4am from IP addresses in China?

A reactive business doesn't have a SOC. It responds to events after they have happened: after an attacker has encrypted every single file and is demanding Bitcoin, or after customer information has leaked onto the internet and the reputational damage is already irreversible.
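The two questions above are exactly the kind of rule a SOC analyst would automate. The following Python is an added example written for this post, not CTRL Group's tooling or any real SOC product: it runs two simple detections over a handful of constructed log lines, flagging a device that is not in the asset inventory and a mailbox login that is outside business hours or from a country the user is not expected to log in from. The asset inventory, expected countries, business hours and log format are all assumptions made up for the example.

```python
"""Toy SOC-style detections over constructed log lines (example, not a real product).

Rule 1: an unrecognised device (MAC not in the asset inventory) joins a network segment.
Rule 2: a mailbox login outside business hours, or from a country not expected for that user.
"""
from datetime import datetime

# Constructed asset inventory (assumption): MAC addresses the business knows about.
KNOWN_DEVICES = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

# Constructed per-user expectations (assumption): countries each user normally logs in from.
EXPECTED_COUNTRIES = {"steve": {"AU"}, "alice": {"AU", "NZ"}}

# Business hours are 07:00 to 19:59 local time (assumption).
BUSINESS_HOURS = range(7, 20)

# Constructed sample logs in a simple key=value format; not from any real system.
SAMPLE_LOGS = [
    "ts=2024-03-04T09:15:00 type=dhcp mac=aa:bb:cc:00:00:01 vlan=finance",
    "ts=2024-03-04T11:42:00 type=dhcp mac=de:ad:be:ef:00:99 vlan=finance",
    "ts=2024-03-04T04:02:00 type=mail_login user=steve country=CN ip=203.0.113.7",
    "ts=2024-03-04T10:30:00 type=mail_login user=alice country=NZ ip=198.51.100.4",
    "ts=2024-03-04T22:10:00 type=mail_login user=alice country=AU ip=198.51.100.9",
]


def parse(line):
    """Turn one key=value log line into a dict of fields."""
    return dict(field.split("=", 1) for field in line.split())


def check_device(event):
    """Rule 1: alert when a device outside the inventory appears on a VLAN."""
    if event.get("type") != "dhcp":
        return None
    if event["mac"] not in KNOWN_DEVICES:
        return f"unknown device {event['mac']} joined vlan {event['vlan']}"
    return None


def check_login(event):
    """Rule 2: alert on off-hours logins or logins from an unexpected country."""
    if event.get("type") != "mail_login":
        return None
    hour = datetime.fromisoformat(event["ts"]).hour
    reasons = []
    if hour not in BUSINESS_HOURS:
        reasons.append(f"outside business hours ({hour:02d}:00)")
    if event["country"] not in EXPECTED_COUNTRIES.get(event["user"], set()):
        reasons.append(f"unexpected country {event['country']}")
    if reasons:
        return f"mailbox login for {event['user']} from {event['ip']}: " + "; ".join(reasons)
    return None


def detect(lines):
    """Run every rule over every line; return a list of (timestamp, alert) tuples."""
    alerts = []
    for line in lines:
        event = parse(line)
        for rule in (check_device, check_login):
            alert = rule(event)
            if alert:
                alerts.append((event["ts"], alert))
    return alerts


if __name__ == "__main__":
    for ts, alert in detect(SAMPLE_LOGS):
        print(ts, alert)
```

Running it over the sample lines produces three alerts: the unknown device on the finance VLAN, Steve's 4am login from an unexpected country, and Alice's late-night login from an expected country. The last one illustrates why a SOC needs analysts and not just rules: a rule can raise the question, but a person still has to decide whether it is an incident.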


Conclusion:

Understanding the types of penetration testing that can be performed is necessary for a better understanding of a business's security posture.

Continuous penetration testing will ensure that new risks from newly released vulnerabilities are mitigated.

Utilising an external SOC provides a lower cost, immediate access to security maturity and potentially reduced legal and regulatory risk.