We’re often contacted by companies looking for advice on starting information security testing. It can be confusing: there are so many areas to look at, various attack routes to consider and a host of potential solutions out there.
So, where should you start?
Every company will have a unique set of circumstances that dictate what should be tested first, but without such in-depth knowledge, what would be our broad advice?
Firstly, are you in a position to fix the issues?
There will always be actions following a security test, whether it’s your first test or your five hundredth. We’ve never conducted a test that didn’t report any findings or didn’t give any remediation advice to our clients, but exposing vulnerabilities and providing remediation advice is only effective if you can fix the issues highlighted.
It’s not necessary to have a dedicated internal security team to do this, and many companies use external providers, but you need to have something in place to ensure that the vulnerabilities exposed by testing are fixed. Whatever remediation solution you have in place, testing providers should be working with you to ensure that the fixes employed are effective, and may even offer a limited retest to provide assurance.
Start your testing on the outside
Your web facing applications and platforms aren’t just available to your customers, clients and suppliers, they are open to malicious attackers as well. Whether it’s your corporate website, a supplier portal, a developer API or your e-commerce platform, web facing applications are often pivotal to your day to day operations and security is therefore vital.
We would consider external penetration testing, such as web app testing and external infrastructure testing, to be the best starting point for any company looking to start information security testing. By doing so you help secure your web facing assets against a myriad of external attack routes.
Protect yourself from the inside
Exploiting external infrastructure and vulnerable web applications isn’t the only way into an organisation. Malicious attackers can also target those with direct access to your company’s internal networks. This could include existing users, whether that be a malicious insider or through the compromise of a user’s account, and potentially even supply chain partners.
Internal testing, which can include internal infrastructure testing and build reviews, is designed to give a view on how attackers could get into internal systems and what they could see or gain access to if they were able to do so.
We would recommend an internal infrastructure test as a second phase of testing, moving on to more specific internal tests based on your individual needs, if and when needed.
Consider the wider security implications
The penetration test examples above are designed to investigate a defined area or technology, and testers will look to expose as many vulnerabilities as possible within the set scope.
However, what this type of testing can’t tell you is how vulnerabilities might be used as part of a wider attack chain. To gain a full picture of your wider security posture you need to simulate the actions of a real cyber-attack. This is where a red team engagement can be useful.
Red teaming usually starts with a simple question: what’s critical to the operation of your organisation? For some this could be intellectual property (IP), for others it could be financial data. Maybe it’s the source code being developed for a big client, patient information, your production systems, the servers running internal operations, or it could be your e-commerce website.
This critical asset or information is often used to set the goal of a red team engagement, and consultants will then use any route available, within the set scope, to gain access to it. Essentially, red teaming allows you to find out whether it is possible for an attacker to gain access to your company’s crown jewels and what routes they would take.
This type of test is used less frequently but is ideal for those that have already conducted some previous penetration testing, or feel their defences are ready to be put to a wider test.
Don’t let testing be a one-off exercise
Conducting a one-off security test is not a guarantee that your organisation is protected. Attackers have a variety of avenues available to them and testing can only provide assurances against the systems under review, as well as against known issues at the time of the test.
An internal culture of continuous security improvement is extremely beneficial and will help improve your security posture, but when it comes to testing, you can’t test everything every day.
Test providers can help with this and should be able to suggest several different options to ensure you’re making the most effective use of resources, as well as provide you with a suggested road map for future work based on your needs.