Cyber attacks are easy to conduct. Botnets can be hired cheaply, hacking software is readily available, and even those without technical or practical knowledge can purchase attacks as a service. For the organisations that are hit, however, it’s a different story. Their systems can be crippled by attacks and they can face large fines and long-term reputational damage.
Since the introduction of the EU GDPR (General Data Protection Regulation), we regularly hear about data breaches, with organisations such as Eir and Cork City Council’s Park by Phone service – to name but a few – suffering at the hands of criminal hackers.
One way organisations can reduce the risk of a breach is to invest in their defences to mitigate the threat of attacks.
That’s where penetration testing comes in. It’s essentially a controlled form of hacking in which a professional penetration tester, working on behalf of an organisation, uses the same techniques as a criminal hacker to search for vulnerabilities in the company’s networks or applications.
Penetration testing is widely acknowledged as an important part of cyber security. It can help organisations assess their security programme, test new applications or significant changes to business processes and meet regulatory standards such as the PCI DSS (Payment Card Industry Data Security Standard) and ISO 27001.
Broadly speaking, there are four types of penetration test – network, web application, wireless, and phishing and social engineering – each focusing on a particular aspect of an organisation’s logical perimeter.
The objective of network penetration testing is to identify security vulnerabilities in how an organisation connects with the Internet and other external systems. This includes servers, hosts, devices and network services.
If these externally facing systems are misconfigured, unpatched or expose services they don’t need to, an attacker can use them to gain a foothold on the network and move on to other systems.
Common network security issues include:
- Unpatched operating systems, applications and server management systems;
- Misconfigured software, firewalls and operating systems; and
- Unused or insecure network protocols.
If the network penetration test identifies any of these problems, the fixes are usually straightforward: install the missing patches, correct the software, firewall or operating system configuration, and disable unused or insecure protocols or replace them with a secure alternative.
The objective of web application penetration testing is to identify security issues resulting from insecure development practices in the design, coding and publishing of software. Applications are a vital business function for many organisations, being used to process payment card data, sensitive personal data or proprietary data.
Common website and web application security issues include:
- Injection (untrusted input is passed to an interpreter as part of a command or query, so an attacker can change what the command does, for example reading or modifying data in the database);
- Privilege escalation and broken access control (users can reach parts of the site or application, or other users’ data, that they should not be able to); and
- Cross-site scripting (the application takes untrusted data and sends it to a web browser without proper validation or encoding, so an attacker can run script in other users’ browsers).
If the web application penetration test identifies any of these problems, organisations should adjust their development practices to keep untrusted data separate from commands and queries (for example by using parameterised queries), enforce access checks on the server for every request, develop strong authentication and session management controls, and encode untrusted data before it is placed in a page so the browser treats it as text rather than active content.
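As an added illustration of the injection and cross-site scripting remediations above (example code written for this page, not code from the original article), the Python sketch below puts the vulnerable form of each beside the hardened one: a user lookup built by string concatenation next to a parameterised query, and a greeting that interpolates a display name into HTML next to one that encodes it. The in-memory SQLite table, the user names and the attack payloads are constructed for the example.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory user table standing in for the application's
    # real database; the names and roles are sample data for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    # Injection: the untrusted value is pasted into the query text, so a
    # quote character lets the caller change the command, not just the data.
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    # Parameterised query: the SQL text is fixed and the value is bound
    # separately, so it can only ever be compared as a string.
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def render_greeting_vulnerable(display_name):
    # Cross-site scripting: untrusted text dropped into the page unchanged is
    # parsed by the browser as markup and can carry script.
    return "<p>Welcome, " + display_name + "</p>"


def render_greeting_safe(display_name):
    # Output encoding for the HTML text context: the same characters reach
    # the browser as data, never as tags or attributes.
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    # Constructed attack payload: closes the quoted literal and appends a
    # condition that is always true.
    payload = "' OR '1'='1"
    print(find_user_vulnerable(conn, payload))  # all three rows: the filter was bypassed
    print(find_user_safe(conn, payload))        # []: nobody has that exact name
    script = "<script>alert(1)</script>"
    print(render_greeting_vulnerable(script))   # the script tag reaches the browser
    print(render_greeting_safe(script))         # &lt;script&gt;... is rendered as text
```

Two caveats a tester will raise when reviewing the fix: encoding is specific to the output context, so data placed in an HTML attribute, a JavaScript string or a URL needs the encoder for that context rather than `html.escape`, and the safe pattern only holds if every query path uses bound parameters, which is why the usual recommendation is a templating engine with auto-escaping and a data-access layer that makes string-built SQL the exception.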
The objective of wireless penetration testing is to identify rogue or misconfigured access points in an organisation’s environment and weaknesses in the encryption and authentication its wireless networks use.
Common wireless security issues include:
- Rogue or open access points;
- Misconfigured or accidentally duplicated wireless networks; and
- Insecure wireless encryption standards, such as WEP (Wired Equivalent Privacy).
If the wireless network penetration test identifies any of these problems, organisations should locate the rogue or open access point (walking the premises with a wireless survey tool, much as an attacker wardriving would) and disable it, correct the configuration of the legitimate access points, and move any network still using WEP or no encryption to at least WPA2 (Wi-Fi Protected Access II).
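To make the wireless checks above concrete, here is an added Python example (written for this page, not code from the original article) that parses a scan in the layout of Linux `iw dev <iface> scan` output, classifies each access point as open, WEP, WPA or WPA2 from its capability and RSN/WPA fields, and compares the result against an inventory of authorised access points. The scan text, the inventory BSSIDs and the SSIDs are constructed for the example, and the parser assumes only the field names shown; a real survey would work from the tool’s full output.

```python
import re

# Constructed sample in the layout of `iw dev <iface> scan` output (field
# names assumed from that tool; a real scan carries many more lines).
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:01(on wlan0)
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tsignal: -41.00 dBm
\tSSID: Corp-WiFi
\tRSN:\t * Version: 1
\t\t * Pairwise ciphers: CCMP
BSS de:ad:be:ef:00:01(on wlan0)
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tsignal: -38.00 dBm
\tSSID: Corp-WiFi
\tRSN:\t * Version: 1
BSS 00:11:22:33:44:03(on wlan0)
\tcapability: ESS ShortSlotTime (0x0401)
\tsignal: -55.00 dBm
\tSSID: Corp-Guest
BSS 00:11:22:33:44:04(on wlan0)
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tsignal: -60.00 dBm
\tSSID: Legacy-Scanner
BSS aa:bb:cc:dd:ee:ff(on wlan0)
\tcapability: ESS ShortSlotTime (0x0401)
\tsignal: -80.00 dBm
\tSSID: FreeWiFi
"""

# Assumed asset inventory: BSSIDs the organisation knows it operates, and the
# SSIDs that only those access points should ever broadcast.
AUTHORISED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:03", "00:11:22:33:44:04"}
CORPORATE_SSIDS = {"Corp-WiFi", "Corp-Guest", "Legacy-Scanner"}

BSS_RE = re.compile(r"^BSS ([0-9a-f:]{17})", re.I)
WEAK = {"OPEN", "WEP", "WPA", "WPA2-TKIP"}


def classify(ap):
    """RSN element => WPA2 (TKIP pairwise cipher noted separately); a WPA element
    without RSN => original WPA; the Privacy capability bit alone => WEP; else open."""
    if ap["rsn"]:
        return "WPA2-TKIP" if ap["tkip"] else "WPA2"
    if ap["wpa"]:
        return "WPA"
    if ap["privacy"]:
        return "WEP"
    return "OPEN"


def parse_scan(text):
    """Return one dict per BSS block with bssid, ssid, signal and security class."""
    aps, cur = [], None
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:
            cur = {"bssid": m.group(1).lower(), "ssid": "", "signal": None,
                   "privacy": False, "rsn": False, "wpa": False, "tkip": False}
            aps.append(cur)
            continue
        if cur is None:
            continue
        field = line.strip()
        if field.startswith("SSID:"):
            cur["ssid"] = field[5:].strip()
        elif field.startswith("signal:"):
            cur["signal"] = float(field.split()[1])
        elif field.startswith("capability:"):
            cur["privacy"] = "Privacy" in field.split()
        elif field.startswith("RSN:"):
            cur["rsn"] = True
        elif field.startswith("WPA:"):
            cur["wpa"] = True
        elif field.startswith("* Pairwise ciphers:") and "TKIP" in field:
            cur["tkip"] = True
    for ap in aps:
        ap["security"] = classify(ap)
    return aps


def assess(aps, authorised_bssids, corporate_ssids):
    """Flag unknown APs that broadcast a corporate SSID (evil-twin candidates) and
    weak security on the organisation's own APs. An RF scan alone cannot show
    whether an unknown AP is plugged into the wired network, so the first
    finding is a lead for on-site investigation, not a confirmed rogue."""
    authorised = {b.lower() for b in authorised_bssids}
    findings = []
    for ap in aps:
        if ap["bssid"] not in authorised and ap["ssid"] in corporate_ssids:
            findings.append((ap["bssid"], "UNKNOWN_AP_WITH_CORPORATE_SSID"))
        if ap["bssid"] in authorised and ap["security"] in WEAK:
            findings.append((ap["bssid"], "WEAK_SECURITY_" + ap["security"]))
    return findings


if __name__ == "__main__":
    for bssid, finding in assess(parse_scan(SAMPLE_SCAN), AUTHORISED_BSSIDS, CORPORATE_SSIDS):
        print(bssid, finding)
```

On the constructed scan this reports the unknown `de:ad:be:ef:00:01` broadcasting `Corp-WiFi`, the open `Corp-Guest` network and the WEP `Legacy-Scanner` network, and stays silent about the neighbouring `FreeWiFi`, which is not the organisation’s to fix. Correlating the signal strength across several survey points is how the rogue candidate is then physically located.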
The objective of phishing and social engineering penetration testing is to assess employees’ susceptibility to breaking security rules or giving access to sensitive information.
Common social engineering issues include:
- Susceptibility to phishing emails;
- Willingness to hand over sensitive information to people without knowing who they are; and
- Giving people physical access to a restricted part of the organisation.
If the penetration tester is able to exploit any of these weaknesses, organisations should invest in staff awareness training so that employees understand how social engineering attacks work and how to avoid falling victim to them.
Find out more about penetration testing
If you want to learn more about which type of penetration test can help secure your organisation and how we conduct our tests, please contact our penetration team.