Rethinking your PenTesting Strategy | Watch the Recording
What is PenTesting – how does it and doesn’t it work?
In this recording, Holly Grace discusses the problems with penetration testing, including common pitfalls, inefficient ways of working, how often to test and which types of testing to use. She also walks through a case study that illustrates these points.
Holly Grace talks through the different types of security testing, including Vulnerability Scanning, Penetration Testing and Red Teaming, noting that some larger organisations will do all three. She emphasises the importance of looking at:
- What are we trying to test and what is the expected output?
- What are we hacking?
- What are we trying to emulate?
- Why are we testing?
Holly Grace has found that some customers want a purely black box approach and are unwilling to provide any information about their systems. This wastes time: the tester spends part of a fixed engagement rediscovering what the customer already knows instead of testing the systems themselves.
She notes that organisations generally run a penetration test once a year. A point-in-time assessment does not accurately represent an organisation's fluctuating security posture, and she gives an example of how this becomes a problem: an issue that appears between tests can remain undetected and unresolved for a long time. An annual test is also hard to manage because it tries to assess everything at the same time.
Holly Grace compares testing systems in isolation with combined testing, including the benefits and drawbacks of each. She gives the example of a retail company Secarma worked with, where the testers gained access to the EFT (electronic funds transfer) system and, owing to weaknesses in its cryptography, 16,000 payment cards per hour could be compromised through a single server. The case shows how testing systems in isolation can mean that such issues are missed.
Holly Grace then explains how Secarma compromised the server and gained persistence by also compromising the DVR (the CCTV recorder), and stresses that the response must be thought through to the end: not just closing the initial hole, but evicting the attacker and minimising the impact.
“Think very much in depth about what you are trying to get out of this testing. Just finding individual vulnerabilities – it’s probably not actually what you want. You probably want a full risk exposure of – how does this system affect our organisation? How does this system affect our customers? And thinking past the specific vulnerability into – can this be chained with other vulnerabilities, what is the end goal for the threat actor? If this system was compromised to this level, how do we get the hackers back out?”