At PRISMA, we value driving change. However, in order to make effective changes, we must ensure they are being done safely.
Part of our strategy for continuously improving security is conducting regular external security assessments of our services.
Back in 1965
What would happen if, during one of the first IT security conferences, an employee were able to easily undermine their company’s security system?
It was at this initial conference that the first formal request to carry out a test of system security was made. This type of testing has become known as penetration testing or pen-testing. Since then, computer penetration has become a common tool for performing security assessments.
What exactly is a penetration test?
If you’ve seen Ocean’s 11, you may already be able to visualise what a pen-test is.
Let’s assume we’re casino owners: imagine we hire Danny Ocean, the protagonist of the film and casino robber, to test how easy it would be to access our vault.
In this hypothetical situation, Danny would be our penetration tester, and the vault would be our IT system.
When performing a penetration test, you are hiring an external party to try to gain unauthorised access to your systems and data by replicating the methods that threat actors would use.
Our attack model, and the importance of reporting
As with any process, there are many ways of conducting a penetration test. In this first introduction to pen-tests, we would like to give some insight into how we at PRISMA are conducting our tests.
First, let’s take a look at the attack model we use, which is inspired by the strategy James P. Anderson, a pioneer of information security, used back in the 70s.
Our penetration test attack model can be split into 5 stages:
1. Planning: the tester first prepares their plan of attack, laying out the methods they will use when attempting to breach a system.
2. Reconnaissance: during this stage, testers scan networks and applications, looking for a point where they may be able to gain access to a system.
3. Gaining access: once they have found a weak point in a system, the tester uses it to gain access.
4. Maintaining access: after gaining access to a system, a tester will look to install a "backdoor" of some sort, allowing them to access the system again in the future.
5. Reporting: once they have finished their assessment, pen-testers report on their findings. Companies can use this report to fix any potential issues found during the test.
Let’s take a look at how we use reports to improve security.
No matter how many findings the pen-test produces, or how severe they are, the report is an invaluable evaluation of a company's security. It will show you where your company needs improvement, and what you're already doing well.
Going beyond technical information
A comprehensive pen-test report should include information on both the technical and business aspects of your service.
Before performing our pen-tests, we make sure to take the time to work closely with our pen-test provider. Through close collaboration, we enable our provider to analyse not only the technical aspects of our company but also the very core of our business operations.
During this preparatory phase, we explain the main processes of our service, disclosing every detail. The more they know, the better equipped they are to try to break through our security wall. The report becomes even more essential to our security when we know that the pen-testers have sought to find ways to completely disrupt our processes.
Our collaborative strategy allows the testers to produce a report that not only gives insight into our security but also helps us to identify areas where we can improve. An "over-the-counter" pen-test could not supply the same insight our collaborative strategy does.
How can we get even more out of a pen-test?
Penetration testing can be used as a training exercise for your information security team. There are several different approaches to using a pen-test as a training exercise, and the one you choose will depend on the scope of the test. We at PRISMA currently make use of two types of testing:
Blind Test: One method of testing we use is a "blind test." In this type of test, we leave our team completely in the dark about the test to be performed and monitor their reaction to it. Once they've detected the breach, we reveal that the "intrusion" was just a drill. If you believe that your company is very secure, an unpredictable attack is a good way to test its defensive capabilities.
Forensic Exercise: An alternative to the blind test is to inform your security team that a test will take place, and to use the pen-test as a forensic exercise. This is the option we most often employ.
Once the testers have finished their attempt and we have received their report, we try to estimate what the results will be before reading it. We systematically perform thorough analyses of our logs to understand what the first indicators of a breach are. Though it may seem like we're consulting a magic eight ball for answers, this approach has allowed us to hone our own investigative skills and to improve our monitoring and forensic capabilities. Penetration testing reveals things we cannot see ourselves and is an invaluable tool for improving the security of PRISMA.
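As an added example of the kind of log analysis the forensic exercise relies on (this is illustrative code, not PRISMA's own tooling), the script below searches constructed web-server access-log lines for the earliest indicator of the reconnaissance stage: one source address probing several distinct non-existent paths within a short window. The log lines, addresses and thresholds are all assumed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2023:09:14:01 +0000] "GET /login HTTP/1.1" 200 1024
203.0.113.9 - - [12/Mar/2023:09:14:03 +0000] "GET /admin HTTP/1.1" 404 512
203.0.113.9 - - [12/Mar/2023:09:14:04 +0000] "GET /.env HTTP/1.1" 404 512
203.0.113.9 - - [12/Mar/2023:09:14:04 +0000] "GET /wp-login.php HTTP/1.1" 404 512
203.0.113.9 - - [12/Mar/2023:09:14:05 +0000] "GET /phpmyadmin HTTP/1.1" 404 512
203.0.113.9 - - [12/Mar/2023:09:14:06 +0000] "GET /backup.zip HTTP/1.1" 404 512
198.51.100.7 - - [12/Mar/2023:09:15:10 +0000] "GET /dashboard HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+$')

def parse(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status = m.groups()
    return {"ip": ip, "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "path": path, "status": int(status)}

def first_recon_indicator(log_text, threshold=4, window=timedelta(seconds=60)):
    """Return (ip, timestamp) of the earliest burst of `threshold` distinct 404 paths
    from a single source within `window`, or None if no such burst exists."""
    misses = defaultdict(list)              # source ip -> 404 events
    for line in log_text.splitlines():
        event = parse(line)
        if event and event["status"] == 404:
            misses[event["ip"]].append(event)
    best = None
    for ip, events in misses.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):  # sliding window anchored at each miss
            seen = set()
            for event in events[i:]:
                if event["ts"] - start["ts"] > window:
                    break
                seen.add(event["path"])
                if len(seen) >= threshold:
                    if best is None or start["ts"] < best[1]:
                        best = (ip, start["ts"])   # first indicator = window start
                    break
    return best
```

Raising the threshold or shrinking the window trades missed probes for fewer false alarms; the tuning is what a forensic exercise against a known test date lets you calibrate.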