We recently discussed why credit unions must conduct regular penetration tests. The bulk of that article covered the legal obligations for testing and the ways in which you can comply with those requirements.
However, we didn’t delve into the reason that penetration testing is essential, which is what we’ll address here.
How penetration testing helps organisations
Penetration testing is essentially a controlled form of hacking in which a professional tester, working on behalf of an organisation, looks for application and network vulnerabilities in the same way as a criminal hacker would.
A key part of a penetration tester’s job is to understand the methods and tools crooks use to compromise an organisation. After all, the tester isn’t just pointing out vulnerabilities and telling the organisation that they need to fix them; they are showing the organisation exactly how each vulnerability can be exploited.
More often than not, compromises are caused by known vulnerabilities – i.e. established weaknesses that criminals and security experts are aware of. As such, attacks are often conducted with crimeware, which is a type of malware designed specifically to automate cyber crime.
The threat of crimeware
Criminals generally infect organisations with crimeware by exploiting human error or technical vulnerabilities. Let’s take some examples of how this happens.
The first involves a 2016 ransomware attack that tricked millions of people around the globe into opening a compromised Microsoft Word document.
Victims were sent the documents by email and encouraged to enable macros. These are like shortcuts to a set of more complex tasks. A legitimate example might involve hitting a button to automatically alter the way you format text.
However, in this case, the macro ran the Locky ransomware strain and encrypted the users’ files. They were then told to buy a decryptor for between about €165 and €330. ZDNet reports that about two thirds of people met this demand, even though experts generally recommend that victims shouldn’t pay the ransom.
This is an example of human error; the victims shouldn’t have been tricked into opening the document in the first place, but even if they had, they would have had to override a security warning from Microsoft.
Meanwhile, 2017 saw a massive crimeware pandemic caused by a technical error. The malware, dubbed NotPetya (for its similarity to Petya), targeted Windows operating systems, infecting the master boot record to execute a payload that encrypted the NTFS file table.
Researchers initially thought the attack was ransomware, as infected users were given a ransom demand, but this turned out to be a ruse. NotPetya was in fact a wiper, meaning it deleted files and gave users no way of recovering them.
There was nothing victims could do to prevent this attack. If the organisation contained a vulnerability that enabled the malware to worm into its systems, then it was already too late.
Penetration testing is the solution
It’s only by investigating your systems closely that you can stay ahead of cyber criminals and address vulnerabilities before they are the cause of untold damage.
Even small vulnerabilities, which might appear negligible, can be used to infect organisations and create major disruption. In fact, criminals often seek out such openings, as they are more common and can be chained into intrusion sequences that, through small, steady efforts, pry minor security gaps open into much larger weaknesses.
There are several types of test you can perform to identify specific threats. For example, an infrastructure penetration test will assess the resilience of your infrastructure security controls and the ways an attacker might gain unauthorised access. These tests look for holes in your network perimeter, examining, for example, web servers, firewalls and Wi-Fi.
A social engineering penetration test sends your employees a benign email scam and monitors who falls for the bait. The results help you identify your staff’s vulnerability to social engineering threats, and help form the basis of a staff awareness course to mitigate the threat of future attacks.
IT Governance is a CREST-accredited provider of penetration tests, and we offer a range of services to help organisations of all sizes manage their cyber security strategies.