5 Penetration Tests that Will Help Secure Your Infrastructure
By Divyansh Arora, Information Security Consultant, ERMProtect
A penetration test is similar to testing the security of your home. Let’s say you’re protecting your home against theft or burglary or even against an approaching hurricane. Once you’re done securing your home, you might want to consult an expert as well on what they think. Another set of eyes could spot something you may have missed.
Penetration testing is like that. You’re trying to assess the vulnerabilities in your technical infrastructure at your organization, attempting to break-in to your infrastructure by exploiting these vulnerabilities, and then putting in the effort to plug those gaps before hackers find them.
Penetration testing can be performed by an internal security team at your organization, or you could hire external experts. Independent third parties provide an unbiased opinion of the security of the organization’s infrastructure. This independence is also something that may help organizations achieve regulatory compliance.
Although penetration testing is quite common today, it is important to know that there are multiple types of penetration tests and each of these serve specific purposes. Each of these can help bolster your organization’s security in their own way and in their specific domain areas. Let’s take a look at the various flavors of penetration tests.
Network Penetration Tests
This is one of the most common types of penetration testing performed across all industry verticals, from banking to healthcare, and from manufacturing to education. The main goal is to identify vulnerabilities in the organization’s network infrastructure. Network infrastructures are known to grow inorganically and become overly complex as an organization grows over the years. Testing them requires identifying all the vulnerabilities that exist across all infrastructure elements that are connected to the organization’s network. Remember, network threats can emerge from the outside as well as the inside of an organization, so both internal and external network penetration tests are recommended.
Web Application Penetration Tests
As the name suggests, this penetration test is performed to discover vulnerabilities in web-based applications and their supporting infrastructure such as databases, application programming interfaces (APIs), and so on. Web applications form the lifeblood of most organizations and economies today because they enable simple and convenient business online. As experienced penetration testers know, significant parts of web application penetration testing need to be performed manually, because automated tools produce a very large number of false positives (findings that aren’t accurate). Of all the penetration tests, this is one where hiring an expert web application penetration tester would be a worthwhile investment.
Mobile Application Penetration Tests
Mobile applications, or what we today call “apps,” are susceptible to cybersecurity vulnerabilities, too. In fact, mobile apps are the new hunting grounds for hackers these days. Mobile apps on iOS and Android platforms are a main target since these are the two most popular mobile operating systems. If your organization offers mobile apps that perform critical functions, you should perform penetration tests that dig deeply not only into the code of the mobile app but also into the communications with the backend APIs and databases.
Wireless Penetration Tests
Organizations that use wireless networks in their technical environment must test them to identify vulnerabilities and security holes. Even if you are only using the wireless network to offer Wi-Fi to visitors, you still need to ensure that it is secure and adequately segmented from your organization’s other networks. Wireless networks are risky because a malicious hacker could be in your parking lot and still be able to access them. Inexpensive long-range antennas can allow a hacker to access your wireless network from a mile away. Be extra careful to identify everything the wireless infrastructure is connected to. Ideally, you want it to be completely separate from the rest of your infrastructure.
Social Engineering Tests
And finally, when testing technical infrastructure, don’t forget about the “human firewall.” It is often said that the human element is the weakest link in cybersecurity, but it doesn’t have to be that way. Social engineering tests will help you identify the ways that hackers can trick employees into compromising security, so they become more aware and less susceptible. For instance, the tests will identify how readily your employees would click on a malicious link in their email. Or allow a visitor to let them “piggyback” into a secure area because they’re trying to be polite. Penetration testers conducting social engineering assessments will craft clever emails, such as one purporting to be from HR with a link to an online job satisfaction survey. The link would require the employee to login using their credentials on a phishing site set up by the pen testers. Employees who fall victim to the scheme would then be provided awareness training.
An assessment of physical security might involve a penetration tester using a pretext to get an employee with an access card to “help out” by letting them inside, a technique known as “piggybacking.” Social engineering testing scenarios are endless, and they can be customized to resemble real-life threats facing an organization.
Putting It All Together
As you can see, penetration tests come in several flavors, each with its own purpose and use case. A good approach is to conduct a combination of tests during various times of the year. These tests will help your organization keep up with evolving cybersecurity vulnerabilities.
To learn about our penetration testing services, please contact [email protected] or call 305.447.6750.
Get a curated briefing of the week's biggest cyber news every Friday.
Intelligence and Insights