Nick Rafferty, Chief Operating Officer at SureCloud, explores penetration testing.
Ten years ago, penetration testing was viewed as a luxury service, typically aimed at ensuring that companies’ network perimeters were secured against malicious external attacks. The majority of organisations doing this type of test would extend the service to their internal networks, so they could establish how far an external attacker would get if they breached the perimeter, and also to ensure they understood the level of protection against any insider threats.
The tests were typically conducted once per year, with the time in between tests spent wading through the output – most likely PDF documents – to extract the key findings and turn them into operational activities aimed at rectifying the issues that were discovered.
More recently, we have seen the emergence of vulnerability scanning software, an automated way to perform more frequent vulnerability testing, but not to the level of rigour the company would receive from a penetration test performed by a security expert. These automated scans were seen as a major step forward in security assurance, with the penetration test providing the ‘rigour and depth’ of human testers and the vulnerability scanning being seen as the ‘frequency and breadth’ that automation could deliver.
The commonality across the vulnerability scanning providers was that they all had a management capability which would deliver the output in the form of interactive reports, and automate the remediation process. So for a number of years we were left with the scenario whereby the company would be penetration testing annually, and vulnerability scanning on a monthly or bi-monthly basis.
More testing times
But if we look at how the security landscape has evolved over the last 1-3 years alone, we can see significant shifts:
- It’s no longer just about network security; in fact most networks are pretty well locked down these days. Application-level vulnerabilities are far more prevalent, which is quite obvious when we look at the speed of change within the online world. Websites and web apps are continually being released and updated to keep up with the latest technology and user experience trends, and mobile offerings add further complexity.
- There are so many freely available tools to ‘automate’ hacking activities that anyone with even minimal technical knowledge can download a piece of software and start hunting for targets.
Nick Rafferty, COO at SureCloud