URM is pleased to provide a FREE 30 minute consultation on Transitioning to ISO 27001:2022 for any UK-based organisation. Once an enquiry form has been submitted, we will be in touch to understand the nature of your enquiry and to book a mutually convenient time for a 30-minute consultation slot with one of URM’s specialists.
Maintaining cyber security is of vital importance for all organisations; successful cyber attacks can have devastating consequences, including operational disruption, reputational damage, legal and regulatory penalties, and financial losses. To avoid these consequences, it is essential that you not only implement robust and comprehensive cyber security measures, but also that you test these measures’ efficacy and establish whether any weaknesses exist in your organisation’s IT environment. Penetration testing is perhaps the most effective means of doing so, enabling you to proactively identify and address vulnerabilities before they can be maliciously exploited.
Penetration testing, also known as pen testing, is a form of cyber security test in which a cyber expert conducts a simulated cyber attack on an IT system, network, infrastructure, application, etc., in order to inform improvements to an organisation’s security posture.
Regular penetration testing can assist with compliance/conformance with particular standards and regulations, including with ISO 27001 or the General Data Protection Regulation (GDPR). It is even a mandatory requirement for compliance with some standards, such as the Payment Card Industry Data Security Standard (PCI DSS). Third parties, such as prospective clients, may also request that you perform penetration testing.
A penetration test is a simulated attack of an IT system which has been authorised by the system owner to assess its security posture. A penetration tester will mimic the approach of a genuine threat actor, using the same processes, tools and techniques to identify and exploit system vulnerabilities, and demonstrate the potential impacts on the organisation if a real attack were to occur.
Performing penetration testing on a regular basis is a fundamental pillar of an effective and comprehensive cyber security strategy. Ultimately, the best way to understand how your cyber defences could be improved is by experiencing and learning from an attack; a penetration test provides you with the opportunity to extract these learning benefits without the risks and consequences associated with a genuine attack.
There are a range of penetration tests types available for your organisation to leverage, depending on its unique needs and concerns. The type of pen test will be are defined to a large degree by the aspect of your environment being tested (web or mobile applications, cloud environments, infrastructure and networks, etc.), however they can also be defined by the testing approach (business-led pen testing).
The following are some of the most common types of penetration tests:
A web application penetration test involves an assessment of the architecture, design and configuration of your web applications and application programming interfaces (APIs). Here, the tester will review each page within the tested website to understand if any vulnerabilities exist, such as coding, design and development weaknesses, and attempt to exploit these.
In a mobile application pen test, the tester will evaluate the security posture of mobile apps that are deployed to either Apple iOS or Android devices. These tests are conducted to establish whether any vulnerabilities are present that could enable a malicious user to misuse the application, and prevent it from operating as intended.
In a cloud penetration test, the tester will look for vulnerabilities in an environment hosted by a cloud service provider. This type of testing can cover a range of deployments, including Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP), as well as other cloud deployment models such as individually-managed virtual machines, automated deployments and configuration, cloud services or container solutions.
Infrastructure penetration testing, also known as network penetration testing, involves a tester identifying and exploiting vulnerabilities in your organisation’s network. There are two types of network and infrastructure pen tests to consider:
In an internal network pen test, the tester will be provided with initial, legitimate access to your network that they will then attempt to exploit, allowing you to establish the extent to which a malicious employee/user, or a threat actor posing as one, could negatively impact your organisation.
External network penetration tests, on the other hand, are conducted without any initial access or privileges being provided to the tester, and vulnerabilities are discovered using only external and public-facing assets and information.
Whilst other types of penetration tests are often performed for compliance purposes (i.e., to conform/comply with a standard or regulation, or to meet contractual requirements), URM’s specialised business-led penetration testing is conducted to address any specific issues and risks your organisation faces. In a business-led pen test, the testing scope is defined by your organisation’s unique concerns rather than external requirements, providing you with much greater flexibility in the focus of the test.
URM is able to provide penetration testing services against all assets associated with your organisation, location or service. With our CREST-accreditation to validate the trustworthiness and reliability of our pen testing services, you can engage URM’s highly knowledgeable and practically-skilled team of expert penetration testers to assess any aspect of your organisation’s IT environment.
Get in touch with our penetration testing experts today to find out more.
URM’s penetration testing is always performed in line with proven, industry recognised methodologies, whilst also evolving alongside the latest cutting-edge techniques. There are 5 key stages to most of our penetration tests:
Scope:
Before performing the penetration test, the tester will collaborate with you to define an effective and appropriate scope, which meets your needs and goals.
Reconnaissance and information gathering:
Simulating the approach of a malicious actor, URM’s pen testers gathers as much information as possible about your environment.
Vulnerability identification and analysis:
URM’s tester will identify the vulnerabilities that threaten the security of your organisation’s environment and develop an exploitation strategy, both manually and using the latest automated tools.
Exploitation:
Drawing on their extensive skills and experience, the tester will attempt to exploit the vulnerabilities they have identified in the previous stage to establish how a genuine threat actor could impact your organisation.
Reporting and debrief:
Following completion of the test, URM’s pen tester will detail their findings in a report and provide a debrief meeting at the end of the assessment to help you navigate the remediation process.
Retest:
To further assist with the remediation process, URM will provide a free retest within 30 days of the initial assessment of any critical or high-risk vulnerabilities identified.
URM’s industry-leading penetration testers are committed to delivering high quality, effective penetration testing that enables you to tangibly enhance your security posture. As a CREST-accredited organisation, you can be assured that any pen testing services you receive from URM are fully aligned with globally recognised best practice.
Get in touch with our penetration testing experts today to find out more.
As well as the different testing types, there are a range of testing methods that can be leveraged. These approaches all come with their own set of benefits attached and will all provide you with valuable outputs that can be used to improve your cyber security measures.
External testing establishes the risk to your organisation of an external cyber threat. The tester will attempt to gain access to your environment by exploiting vulnerabilities they have identified on your organisation’s external assets.
Internal pen testing evaluates the risk to your organisation of an internal cyber threat. Here, the tester will start the test with a degree of authorised access (often a low-access user account) that they will then attempt to use to gain further, unauthorised access, and disrupt your environment.
In a blind penetration test, the tester has no prior knowledge of the system(s) they are targeting. For example, they may just be sent the organisation’s website URL, and will attempt to discover and exploit vulnerabilities using only this initial information.
Like blind testing, in a double-blind test the tester is not given any information about the system or organisation before the test, however here the organisation’s staff are also unaware that the test is taking place.
This penetration testing approach focuses on targeting a particular aspect of the target system, such as a specific application or network, rather than testing a system more broadly or an organisation’s entire IT environment.
In a red team vs blue team pen test, the red team takes on the role of an attacker, attempting to circumvent the organisation’s cyber security defences and compromise their system. Meanwhile, the blue team defends against the red team’s attack.
URM has gained a reputation as the preeminent UK provider of live webinars, aimed at delivering valuable and practical insights to organisations looking to improve their information security, risk management, data protection etc. The webinars are delivered by our senior consultants who share hints and tips on topics such as certifying to ISO 27001 and Cyber Essentials, complying with the GDPR. All of our webinars are completely free to attend, and include an opportunity to ask questions at the end.
URM shares its insights, outlining commonly-seen and emerging vulnerabilities and actions you can be taking today.
URM shares its real-life experiences of the different types of tests and trends it is seeing in terms of vulnerabilities across the different types.
Attend the Free Webinar and learn how to maximise the benefits and minimise the drawbacks of conducting penetration (pen) tests
Ideally, the decision on what systems to test should be based on the relevant threat model and the objectives of the test. For example, if your organisation is offering a business solution for your clients in the form of a web application hosted on AWS and you need to provide assurance to your clients that your solution is secure, you may consider testing the web application from an application layer, but also the underlying infrastructure exposed to the Internet. You may also consider performing a configuration review of your AWS environment to obtain assurance that different attack vectors are covered.
Penetration testing tools vary depending on the type of test being conducted, but some of the most commonly-used tools include port scanners, vulnerability scanners, network sniffers, web proxy servers and specific wireless adapters.
Vulnerability scanning is an automated process that identifies potential security vulnerabilities in a system, while penetration testing is a manual process that attempts to exploit the identified vulnerabilities in order to gain access to the system. Vulnerability scans are an excellent way to identify missing patches, vulnerable system configurations and vulnerabilities that can be found in an automated way. However, they lack human intelligence, they lack context, can be prone to false positives and may have adverse effects when testing with high privileges. A penetration test can complement a vulnerability scan by adding the human element. This allows penetration testers to identify vulnerabilities that require an understanding of the context, to chain together multiple vulnerabilities to obtain a higher impact, perform privilege escalation or lateral movement after exploiting a vulnerability to access more data and systems. Penetration tests can help assess the business impact that the organisation may suffer in the event that these vulnerabilities were exploited by a malicious attacker.
The cost of penetration testing can vary according to the scope and complexity of the test. Generally, the cost of a penetration test can range from a few thousand pounds to tens or hundreds or thousands of pounds.
URM’s blog outlines the key steps you can take during and after a penetration test to improve your organisation’s security posture.
URM’s blog discusses how to prevent and mitigate the damage done by ransomware attacks, and how penetration testing can help your organisation avoid them.
URM’s blog discusses how to prevent and mitigate the damage done by ransomware attacks, and how penetration testing can help your organisation avoid them.
URM’s blog discusses the testing, assessments, exercises and reviews you can conduct following a cyber security incident to strengthen your security posture.