Benefits of Pen Testing

Yann Roll | 10:00 am, 3rd May

It is estimated that 90% of the world’s data was created in the last two years and that its volume doubles every two years. Organizations rely heavily on technology to store, process, and transmit sensitive data, which can include everything from financial information to personally identifiable information (PII). With such a goldmine in front of them, cybercriminals do not stay idle: they lurk in the shadows and try their luck. Businesses therefore have to be extra vigilant and redouble their efforts to protect their assets. Wim Remes, Managing Director at Damovo Services Security EMEA, explained to us why penetration testing is an essential component of the cybersecurity strategy of today's organizations and how they can benefit from it.


What is penetration testing, actually?


WR: “Penetration testing, also known as pen testing or ethical hacking, refers to a way of identifying and mitigating vulnerabilities before they are exploitable. This involves a benevolent party’s authorized simulated attack to evaluate the security of a system. In my opinion, there are 3 different penetration testing fields: infrastructure penetration testing, application testing and hardware penetration testing. Infrastructure penetration tests are generally called ‘Network Penetration Test’ due to the infrastructure being based on a network. This test tries to abuse anything that is exposed to the attacker to infiltrate the network and gain control over it. Application testing focuses on gaining access to an app to put the user at risk or to realize things technically not allowed from within the app. The third field is smaller than the other two but nonetheless very interesting because it refers to any device you might want to break into, whether it’s a phone, a wireless speaker or even a pacemaker.”


“Across these three categories, the question you are trying to ask is ‘What can a skilled adversary do against my targets and in which time?’. The very purpose of a pen test is to show if your controls protect sufficiently against vulnerabilities.”


What should I expect from a penetration test?


WR: “There are three points to look for when performing a pen test. The first one is the technical description from the penetration testing team. You want to know what they found and how you can remediate it. A penetration test isn’t only about highlighting your weaknesses; it needs to include specific recommendations about how you can efficiently mitigate the vulnerabilities that were found. Since the boards and executive management are liable in regard to the cybersecurity aspects, the second thing you want is facilitated communication. The penetration testing team not only has to be technically skilled, but they also need the capacity to translate it for an executive board level audience. Finally, the last thing - something I deem CISOs can definitely benefit from - is to understand that all security knowledge can’t be captured within their team. It’s impossible to hire sufficient resources to cover all aspects of cybersecurity.”


How to deal with the results?


WR: “The findings have to be sorted one way or another. The method most commonly used by penetration testing companies is CVSS scoring – the Common Vulnerability Scoring System. However, the most important part lies in the interpretation of the results. The way you score and deal with those vulnerabilities should reflect the context of your organization and what matters the most in that same context. It’s also important to compare the results between pen tests to see if some vulnerabilities you had already taken care of in the past keep coming back.”
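The two practices described in this answer, weighting CVSS base scores by how much an asset matters to the organization and checking whether a finding from an earlier test cycle has come back, can be turned into a small triage script. The example below is added here for illustration and is not code from the interview or from Damovo; the asset names, criticality weights and findings are constructed sample data, and the weighting formula is an assumption, not part of the CVSS standard.

```python
"""Triage of pen-test findings: context-adjusted CVSS ranking and
detection of findings that recur across test cycles.

Constructed example; asset names, weights and findings are invented.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    title: str
    asset: str
    cvss: float   # CVSS base score, 0.0 to 10.0, as reported by the testers
    cycle: str    # which pen-test cycle reported it, e.g. "2023-Q1"

    def __post_init__(self):
        if not 0.0 <= self.cvss <= 10.0:
            raise ValueError(f"CVSS base score out of range: {self.cvss}")


# Assumed business-context weights: >1 raises priority, <1 lowers it.
# An asset missing from this table keeps its raw CVSS score (weight 1.0).
ASSET_CRITICALITY = {
    "payments-api": 1.5,   # customer money flows through it
    "intranet-wiki": 0.6,  # internal only, low-value data
}


def adjusted_score(finding, criticality=ASSET_CRITICALITY):
    """CVSS base score scaled by asset criticality, capped at 10.0.

    Arithmetic is done in tenths of a point to avoid float noise in the
    final one-decimal score.
    """
    tenths = round(finding.cvss * 10)
    weight = criticality.get(finding.asset, 1.0)
    return min(100, round(tenths * weight)) / 10


def prioritise(findings, criticality=ASSET_CRITICALITY):
    """Return (adjusted_score, finding) pairs, highest priority first."""
    scored = [(adjusted_score(f, criticality), f) for f in findings]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


def recurring(previous, current):
    """Findings in `current` whose (title, asset) pair was already reported
    in `previous`: issues that were supposedly fixed but came back."""
    seen = {(f.title, f.asset) for f in previous}
    return [f for f in current if (f.title, f.asset) in seen]


# Constructed sample data: two consecutive pen-test cycles.
PREVIOUS = [
    Finding("Outdated TLS config", "payments-api", 5.4, "2023-Q1"),
    Finding("Reflected XSS", "intranet-wiki", 6.1, "2023-Q1"),
]
CURRENT = [
    Finding("Outdated TLS config", "payments-api", 5.4, "2023-Q3"),
    Finding("Default credentials", "intranet-wiki", 9.8, "2023-Q3"),
    Finding("SQL injection", "payments-api", 8.8, "2023-Q3"),
]

if __name__ == "__main__":
    print("Priority order for the current cycle:")
    for score, f in prioritise(CURRENT):
        print(f"  {score:4.1f}  (raw {f.cvss:4.1f})  {f.asset:14} {f.title}")
    print("Findings that came back from the previous cycle:")
    for f in recurring(PREVIOUS, CURRENT):
        print(f"  {f.title} on {f.asset}")
```

Run on the sample data, the raw CVSS order (default credentials 9.8, SQL injection 8.8, TLS 5.4) becomes SQL injection 10.0, TLS 8.1, default credentials 5.9 once the asset weights are applied, and the TLS finding is flagged as a regression because it was already reported in the previous cycle. Whatever weighting scheme an organization chooses, the point of the interview stands: the ranking that drives remediation should be the contextual one, not the vendor's raw score.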


Can I do it myself or do I need consultants?


WR: “There are automated tools nowadays that allow you to perform certain levels of penetration testing yourself. Nevertheless, you must keep in mind that it is a very skilled practice that requires specialists informed about the current ways threat actors behave and their best practices but also involves creating and updating tools to be ahead of the defense. For these reasons, it is really expensive to simulate within your organization by yourself. When it comes to mimicking threat actors, the majority of companies don’t possess the risk profile.”


What about the compliance aspect?


WR: “A lot of organizations carry out a pen test because it’s required by the compliance framework, which is a valid driver, but the output shouldn’t only be to check a box and fulfill a criterion. You can only defend something properly if you understand your attacker. Every penetration test represents a learning moment for your organization, technical team and management about the way you should behave and what you need in order to fully protect your assets. Even if you carry out a penetration test only for the compliance aspect, ensure that you work with a partner capable of importing and giving valuable knowledge to your internal audience.”


“In addition, make sure that during the process, the penetration testers can have enough time to connect with your IT architecture or application development teams so they can benefit from them to work and improve their knowledge and their defenses.”

