What are the benefits and limitations of penetration testing?

Cyber security: A growing concern for all industries

Did you know that global cyber crime costs are expected to grow by 15% per year over the next five years, reaching $13.5 trillion AUD annually by 2025?

That’s obviously quite a startling figure and one that has put cyber security at the forefront of the minds of IT managers and decision-makers across every industry.

One exercise that has risen to the top of the priority list in the fight for security is penetration testing. A penetration test, or pen test for short, is also known as “ethical hacking”. It’s seen by many as a silver bullet for more secure IT system and infrastructure, but we’re here to dispel that myth. We’ll quickly run you through what penetration testing actually does to give you an outline of where it offers value and where it is limited to uplifting cyber security as a whole.

When a company wants to know more about the security of their IT, they engage someone like Interactive to initiate penetration testing. The point of the test is to figure out security weaknesses and vulnerabilities before a hacker can expose them and access your data. These tests safely replicate what a hacker would do depending on how much prior information they have been able to obtain.

There are three different approaches to performing penetration tests:

Black Box

Also known as a “Blind Test”, this is considered to be the most accurate form of testing as it closely represents a real-world scenario, where the hacker has no prior knowledge of the target in the organisation’s environment, apart from what the target is.

Grey Box

Grey box testing simulates the experience of a hacker who has already obtained some details about the internal workings of the organisation. The hacker would then use that information and take logical steps to uncover vulnerabilities which they hope will lead them to sensitive data and opportunities to then exfiltrate that data.

White Box

Also known as Tandem or Crystal Box testing, this approach is akin to performing an in-depth technical audit against the target. The tester is provided full details about the environment, such as system configurations, source code, and architectural network diagrams. White box testing also simulates a real-world scenario where the attacker has already breached the perimeter and has already gained access to this information.

When a company is launching a new application, website, product, or service, we recommend they engage with a service provider to conduct a penetration test to do a final sweep for vulnerabilities before it goes live to the world. Within a day of going public, hackers could be scanning for vulnerabilities and have an unlimited amount of time to try to find holes to break in and steal data. Similar to building a house, once reaching “lock-up stage”, it’s in your best interest to make sure the doors and windows are, indeed, locked.

The report should provide step-by-step guidance on how to rectify these vulnerabilities and, as part of the service, the penetration tester should retest any vulnerabilities after they have been fixed to ensure they can no longer be exploited.

Limitations of penetration testing

Interactive recommends a holistic, sustainable approach to cyber security based on continuous improvement and prioritising effort to address the key cyber risks. Penetration testing is just a point-in-time, detective exercise – an important activity, but is only one activity.

Other cyber security services that use an ongoing approach include a Cyber Security Operations Centre, which provides ongoing detection and response capabilities, with 24/7 “eyes on the glass” event monitoring, analysis and response, and Managed Detection and Response services which use deep insights into the end-point operating system, application and user behaviours to search for known(signature) and unknown (zero-day) threats.

Penetration testing will not help you with email threats like phishing, whereas an Email Threat Protection (ETP) service coupled with ongoing awareness sessions targeted at the “first and last line of defence” (i.e. staff and contractors) will assist reduce the risk of falling victim to a phishing attack.

Cyber security is an issue for the entire organisation, not just IT. Boards and senior stakeholders need to understand and take due diligence and governance over cyber risks. Penetration testing results are technical in nature and are written for software developers and IT managers to fix vulnerabilities. Interactive’s Cyber Risk Assessment and Security Management Services, include regular cyber security maturity reviews, supply chain risk management, and internal audits which produce reports that can be consumed by the Board and other senior stakeholders to make better decisions on how the organisation can combat cyber risks.

Is there a complete solution for cyber security?

Penetration testing is not a comprehensive solution for cyber security.

However, it gets talked about a lot because it sounds exciting, like hackers in hoodies in a dark room with a dozen monitors and electronic music in the background, compared with an auditor in a grey knitted jumper with a compendium taking notes and writing reports. It’s definitely a more exciting way to help customers by “standing between them and their adversaries”, but it’s a point-in-time solution and one piece of the puzzle that makes up a full cyber security solution.

That puzzle is complex. You really need to consider things like board oversight, cyber risk management, supply chain risk, policies and procedures, awareness and training, IT best practices, incident management, patching, business continuity plans, and more. We know it is overwhelming and this is where we can help.

If you need a penetration test or help with your overall cyber security needs, talk to one of our experts.