Scott McKellar is currently a Technical Consultant at Mimecast, where he has been since early 2019. Scott has been working in the technology industry for fifteen years and is passionate about technology and security. Scott enjoys understanding his customers' and prospects' often complex business challenges and aligning them with technology to solve problems and add value. Prior to his role at Mimecast, Scott headed up the technology team for a leading Australian Wi-Fi analytics SaaS and IaaS provider, Discovery Technology (a Data#3 company).
Penetration testing: a brief history
How can you best assess and remedy gaps in your cybersecurity? By having an expert try to break in, obviously.
That’s the thinking behind the methodology of penetration testing (pen tests for short), which the Australian Cyber Security Centre explains as “a method of evaluating the security of an ICT system by seeking to identify and exploit vulnerabilities”. It began in the 1960s, when so-called “tiger teams” of specialists were authorised to test the ability of early computer networks to resist attacks. Today, the process continues, with pen tests typically combining an array of automated tests with real-time attacks from “ethical hackers”.
What is penetration testing and why is it important?
Penetration testing today is a big industry, and it has real benefits for cybersecurity practitioners. Tests generally involve:
Attacks on front- and back-end servers and APIs
Testing of web applications’ defences such as firewalls
Testing of weaknesses around passwords and authentication
Penetration tests offer an important audit of common software and hardware vulnerabilities. By using the same methods as cyberattackers, testers can assess how small weaknesses can turn into dangerous access points.
Your security testers will produce confidential reports listing areas for improvement, helping you to assess risks and improve your cybersecurity posture. Tests can also be targeted at particular areas of concern, reassuring stakeholders and meeting compliance requirements. But penetration tests are just one tool, and they aren't designed to assess every cyber risk.
Penetration tests have their blind spots
Sieges from history and legend often feature attackers who did the unexpected – perhaps a crack team of attackers snuck in through tunnels under a castle, or tricked their way inside by hiding in the belly of a wooden horse. In the world of cybersecurity, those cunning attackers are the cybercriminals, always on the lookout for an unexpected new attack point. And the big problem with security pen testing is that it rarely accounts for the unexpected.
Areas that penetration tests might miss include:
old parts of your system that you haven’t touched for years, and may not even be aware of
legacy hardware or software that’s harder for testers to access
areas used for testing that have never been decommissioned
devices that the IT department missed or has never checked
processes and data held on external cloud-based resources
sensitive parts of your system that senior management wish to exclude from testing
These unknown areas form the very attack surface that cyberattackers will be eager to probe, and can be the source of major data leaks. But unless you point your test squarely at them, you may never be aware of them. Since weaknesses are often down not to a single system but to the interactions of several, a flaw in one of these unknown areas may expose systems across your network.
Why timing is crucial
These blind spots will be even larger if your tests are constrained by time or budget. Pen tests are generally time-limited, with the testing team also having to file a report and supply screenshots, follow a methodology, build an executive summary, etc. Attackers will have no such constraints.
The right timing is vital to penetration tests. Taking a test too early during network deployment may mean missing security issues that only emerge at the end of the process. Some companies may only test every two years, which can offer cyberattackers a huge window of opportunity.
Eager to protect their reputation and bottom line, most companies will seek to avoid outages during pen tests. But if your testers aren’t undertaking tactics such as distributed denial of service (DDoS) attacks that might result in system downtime, you won’t know how robustly your network will deal with them.
Staff and testers are only human
Your organisation’s staff will generally know when a penetration test is imminent, and will inevitably try to ensure that their systems appear as strong as possible. But while that may serve as a periodic company reminder of the importance of cybersecurity, it means that tests rarely mimic real conditions, in which cyberattackers sneak in through the back door without warning.
Penetration testers themselves are only human – which means they'll have their own biases and preferences – but most reputable testers will have systems in place to minimise that factor. Finding the best team for your pen testing can be a struggle, and of course your report will only be as well-written and confidential as the person who put it together. Make the wrong hire, or try to cut corners on budget or time, and you may find yourself let down.
To make matters even more complicated, highly specialised testing teams may be more skilled in certain environments than others. At times, they may need to manually write scripts to work within specific security constraints, or have to use client-approved tools that they’re not familiar with.
Penetration tests can be a valuable tool – but shouldn’t be the only one in your kit
Almost all penetration tests will have gaps or compromises. And the weaknesses they miss may be the opportunity cyberattackers are waiting for.
This doesn’t mean pen tests aren't useful. Regular penetration tests provide a useful audit and a wealth of data, but they’re not a silver bullet. They are just one part of a robust, agile cybersecurity strategy. Your knowledge of your own systems and processes is vital for putting reports in context. Genuine cyber resilience comes from a range of tactics, including keeping tabs on the latest threat developments, undertaking thorough and frequent training and regularly updating your hardware and software.