Security testing is a type of testing aimed at reviewing the security of everything from systems, networks, and code, to cloud environments and physical installations. One of the most common types of security testing is called penetration testing – a type of digital burglary test where you hire security experts and task them with attempting to break into your systems in order to detect vulnerabilities and potential attack vectors. Once the test is completed, you get a report detailing the vulnerabilities detected and why they pose a risk, along with advice on how to rectify them.
Security testing can help you gain an overview of the vulnerabilities within your organisation and the risks to which you are exposed. By systematically reviewing your systems, looking for weaknesses and possible entry points, a security test will reveal both weaknesses that could pose a substantial risk to you here and now, and areas where you should focus in the longer term in order to reduce your attack vectors as efficiently as possible.
Let the good guys hack you before the bad ones do
When our cyber security experts at Iver perform a security test, they look at your environment from the same perspective as an attacker, and use the same tools and techniques as those used in real cyberattacks. Which means you find out how well equipped your systems and applications are to repel real attacks. The idea is, quite simply, to let the good guys hack you before the bad ones do.
Before security testing can commence, we need to clarify the Rules of Engagement – namely the rules of conduct and directives given to the testers, and which define the circumstances, terms and conditions, and methods that can be used when performing the test. We also need to decide what is to be tested and the duration of the test – and when it will be completed.
Do we have permission to use all means during the test that a real malicious actor might conceivably use, including social manipulation of employees? It’s important to decide this before this type of test begins in order to ensure both that our testing is asking the questions you actually want answered, and that the test doesn’t have a negative effect on confidence internally.
The actual security test is then performed systematically, based on a risk matrix. The risk matrix takes into account the probability of something occurring, and how serious the consequences would be if it did. We start, naturally, with the vulnerabilities with a high probability and high impact – and then carry on working systematically on the basis of degree of severity.
The vulnerabilities revealed during the test are collated in a security report. This report details extant attack vectors, explains why they pose a risk, and offers advice on what you need to do to rectify them.
Security testing is a time-limited service and the result is a security report. The report includes a number of sections of practical use within your organisation:
The report starts with a non-technical summary of the testing – an “executive summary” – which is aimed at management and other decision-makers. This section reviews the security test’s goals, provides an overview of the test’s most important and most common findings, and highlights which defence mechanisms worked well.
The summary is designed to give decision-makers sufficient information to make well-supported choices, without going into the technical details, so that he or she can allocate time and resources where they are most needed.
The report also includes a more technical summary of the vulnerabilities, ranked by degree of severity, in the “Vulnerability Highlights" section. This section is aimed at those managers who are responsible for following up on the engagement. It provides a short description of the most important findings and summarises general technical problems. The aim of the summary is to provide a more detailed introduction to the test’s findings, but to nonetheless be short and concise so that managers can communicate quickly with their teams and prioritise tasks correctly.
Finally, we get to the largest section of the report – the technical review of all the test findings. This section addresses every finding in detail – what it is, where they are, and why it’s a problem, and offers advice on how you can rectify the problem. It also includes instructions on how you can replicate the problem so that you have all the information you need to plug the hole identified. Where relevant, it provides both short-term and long-term advice on remedial measures so that you can not only implement rapid and effective measures to secure as much as possible in the shortest possible time, but can simultaneously put in place a strategy for the long-term, holistic improvement of your security.
This section is aimed at the technical resources responsible for following up on the results and actioning the weaknesses, and should give the reader all the technical information they need to fix the problem. Where necessary, further reading references will be added to enable the reader to understand both the weaknesses and the solutions as quickly as possible and get started on implementing the solutions.
Security testing can be used as a tool in a number of scenarios:
Creating an overview of the risks associated with your systems and services, of how they pose a threat to you and your operations, and by then actioning vulnerabilities, you can stay one step ahead of cyber attackers and minimise your attack vectors.
Would you like to know more about how Iver can help you with this?Contact us via the form below.