With Australia’s recent introduction of a mandatory data breach notification regime, it’s more important than ever to invest in cyber security. If an organisation has grounds to believe that there has been an eligible data breach, it must notify customers and the public. Failure to comply with this new law could result in fines of up to $1.8 million. One of the best ways to protect against potential breaches is through penetration testing, otherwise known as pen testing.
Penetration testing involves testing a computer system, network or web application for vulnerabilities. Any vulnerability found can be exploited by attackers, resulting in potentially huge breaches of security. As a result, pen testing is an essential component of an organisation’s security program and it should not be overlooked.
Penetration tests can be automated using software or carried out manually. A test generally proceeds by gathering information on the organisation, identifying possible weaknesses, attempting to break into the system, and reporting the findings. These kinds of tests are often referred to as ‘white hat’ attacks.
It’s possible for organisations to run pen tests themselves, but it’s often better to employ a third party. Testers can employ several different strategies; which one an organisation chooses will depend on its concerns:
- Targeted testing involves an organisation’s IT team and the penetration testing team working together.
- External testing targets only the externally visible servers and devices, which include domain name system (DNS) servers and email servers. The objective is to see if these servers and devices are vulnerable to attack and how deeply a hacker could penetrate them.
- Internal testing gives the tester the same access as an authorised user. This test is used to measure how much damage could potentially be caused by a disgruntled employee.
- Blind testing mimics the actions of a real attacker by heavily restricting the information given to the tester. The more information the tester can gather, the bigger the risk of a data breach occurring.
- Double-blind testing is the most exhaustive test. Nobody is informed about the test, apart from one or two people. The results are unbiased, so it’s very useful for testing a company’s security monitoring and response protocol.
Reporting the results of a penetration test is an essential part of the process. A report should detail any risks or vulnerabilities discovered during the test. It should also provide solutions to these issues. The final part of the report should describe the procedure that was followed.
Delivering a penetration test report to a client is a crucial step. The most secure way to deliver a report is by electronic distribution using public key cryptography. Symmetric encryption using a strong key is another option. But a report should never be sent unencrypted.
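The public key delivery described above, as an added example that is not part of the original article: a Go program using only the standard library that seals a report for the client's RSA public key (hybrid encryption, so the report can be any size) and opens it on the client side. Envelope, SealReport, OpenReport and the sample finding text are constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is what travels to the client: the report under a fresh AES-256-GCM key (Nonce, Ciphertext with its tag)
// and that key wrapped to the client's RSA public key (WrappedKey). Constructed type for this example.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }
func newGCM(key []byte) (cipher.AEAD, error) { // fails only on a bad key size; callers always pass 32 bytes
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealReport is the tester's side. RSA-OAEP (SHA-256) wraps only the symmetric key, so a report of any size can be addressed to the holder of clientPub and nobody else.
func SealReport(report []byte, clientPub *rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 44) // 32 key bytes + 12 nonce bytes, both from the CSPRNG
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, clientPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, report, nil)}, nil
}

// OpenReport is the client's side: unwrap the key with the private key, then decrypt. GCM authenticates the body, so an envelope altered in transit is rejected rather than quietly decrypted.
func OpenReport(e *Envelope, clientPriv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, clientPriv, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
}
```

The client generates the RSA key pair and shares only the public half with the tester; the private key never leaves the client, so a report intercepted in transit stays unreadable.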
If a third party runs the penetration test, their responsibility ends once the report has been handed back to the client. Addressing any discovered risks and vulnerabilities is essential if an organisation wants to protect itself. An IT team should examine the report and deal with the risks in order of priority. The report is also a good means to evaluate how quickly an organisation can respond to security incidents and how efficient current security tools are.
After completing a penetration test, a company might find that they need to change some of their security policies or undergo a complete overhaul. But penetration testing should be considered an ongoing investment, as any modifications can result in new vulnerabilities. Being proactive in relation to cyber-attacks is essential and penetration testing is the best place for organisations to start.