We're often contacted by companies looking for advice on how to start information security testing. It can be confusing: there are many areas to look at, various attack routes to consider and a host of potential solutions on the market.
So, where should you start?
Every company has a unique set of circumstances that dictate what should be tested first, but without that in-depth knowledge, what is our broad advice?
Firstly, are you in a position to fix the issues?
There will always be actions following a security test, whether it's your first test or your five hundredth. We've never conducted a test that reported no findings or offered no remediation advice, but exposing vulnerabilities and providing remediation advice is only effective if you can fix the issues highlighted.
It isn't necessary to have a dedicated internal security team to do this, and many companies use external providers, but you need something in place to ensure that the vulnerabilities exposed by testing actually get fixed. Whatever remediation arrangement you have, your testing provider should work with you to confirm that the fixes are effective, and may offer a limited retest to provide that assurance.
Start your testing on the outside
Your web-facing applications and platforms aren't just available to your customers, clients and suppliers; they are exposed to malicious attackers as well. Whether it's your corporate website, a supplier portal, a developer API or your e-commerce platform, web-facing applications are often pivotal to day-to-day operations, so their security is vital.
We consider external penetration testing, such as web application testing and external infrastructure testing, to be the best starting point for any company beginning information security testing. It helps secure your web-facing assets against the wide range of attack routes available to anyone on the internet.
Protect yourself from the inside
Exploiting external infrastructure and vulnerable web applications isn't the only way into an organisation. Attackers can also target those with direct access to your company's internal networks. This includes existing users, whether a malicious insider or a legitimate user whose account has been compromised, and potentially supply chain partners with access to your network.
Internal testing, which can include internal infrastructure testing and build reviews, is designed to show how an attacker who has gained a foothold on the internal network could move through it and what they could see or gain access to.
We recommend an internal infrastructure test as a second phase of testing, moving on to more specific internal tests based on your individual needs when and if they are needed.
Consider the wider security implications
The penetration test examples above are designed to investigate a defined area or technology, and testers will look to expose as many vulnerabilities as possible within the set scope.
What this type of testing can't tell you is how individual vulnerabilities might be chained together as part of a wider attack. To gain a full picture of your security posture you need to simulate the actions of a real attacker. This is where a red team engagement is useful.
Red teaming usually starts with a simple question: what's critical to the operation of your organisation? For some this is intellectual property (IP), for others financial data. It might be the source code being developed for a big client, patient information, your production systems, the servers running internal operations, or your e-commerce website.
This critical asset or information is used to set the goal of the red team engagement, and consultants will then use any route available within the agreed scope to gain access to it. Essentially, red teaming tells you whether an attacker could reach your company's crown jewels and which routes they took to get there.
This type of test is used less frequently but is ideal for those who have already conducted some penetration testing or feel their defences are ready to be put to a wider test.
Donβt let testing be a one-off exercise
A one-off security test is not a guarantee that your organisation is protected. Attackers have a variety of avenues available to them, and a test can only provide assurance about the systems under review, against the issues known at the time of the test.
An internal culture of continuous security improvement is extremely beneficial and will improve your security posture, but when it comes to testing, you can't test everything every day.
Test providers can help with this and should be able to suggest several options to ensure you're making the most effective use of your resources, as well as provide a suggested road map for future work based on your needs.