More and more high-profile organisations are being hit with cyber-attacks and data breaches. At the start of June, it was the BBC, Boots, British Airways, and Air Lingus. At the time of writing, digital health company Kannact Inc has had their network server breached, affecting over 100,000 users. With big players being affected, small and medium sized businesses might be wondering what they can do.
The answer is not just to put cyber security measures in place, but to test them too. Penetration testing and ethical hacking are both great options to reinforce online defences, and in this blog, we’ll go over their differences.
What is penetration testing?
Penetration testing is a tool for analysing the strength of a business’s cyber security defences. It audits any number of individual systems by attempting to breach them in the same way a cyber criminal would. Along with assessing effectiveness, penetration testing can reveal vulnerabilities. This allows the organisation to make cyber security improvements by adding further measures where necessary.
Types of pen testing
- External (black box testing) – aims to simulate a real-world cyber-attack as closely as possible. As such, the tester is given very little information about the business’s defensive infrastructure. Due to this, black box testing must be carried out by third party cyber security managed services.
- Internal (white box testing) – systems are tested by someone who has full knowledge of the organisation’s infrastructure, including access to data environments and source code. Typically, white box testing produces more intimate details regarding the business’s cyber security.
- Gray box testing – the pen tester has moderate access and/or knowledge of the company’s internal systems. Limiting permissions allows this type of testing to provide an efficient audit of a network’s security.
- Web application – assess software code and identify areas of weakness within a specific system. Testing web applications regularly helps support software over the course of its lifecycle.
- Wireless – identifying and examining all devices connected to a business’s WIFI network. This includes laptops, tablets, smartphones, smart TVs and more. Cyber security experts consider this ‘low-hanging fruit’, as it’s often the most easily exploitable point of access for criminals. Wireless testing can reveal insufficiencies in network controls and vulnerabilities in devices.
- Network services – a network pen test simulates an attack to evaluate the system response, or lack thereof. To this end, it will employ a variety of malicious techniques like buffer overflow or SQL injection. Scanners will also be used to identify hard-to-spot network vulnerabilities.
- Physical – creates scenarios where someone could use physical means to gain access to business data environments. Having physical access to a device or network makes it much easier for cyber criminals to do damage. Physical testing assesses how secure a business’s premises are to prevent this.
- Social engineering – what processes are in place to thwart social engineering attacks like phishing. Commonly includes mock emails to test employee training, or other methods of impersonation to try and gain access by overcoming human defences.
What is ethical hacking?
The key difference between ethical and malicious hacking is that the former is done to perform a security assessment. It doesn’t result in any damage to the organisation. Instead, a security professional mimics the actions and techniques of a malicious attacker.
How can hacking be ethical?
An ethical hack is authorised by the organisation that’s attempting to be breached. The aim is to gain access to a system, device, application, or data. The hacker feeds back to the organisation any security vulnerabilities, which can then be resolved.
An ethical hacker, known as a ‘white hat’, are cyber security experts governed by the following protocols:
- Legality – obtain written approval to access and evaluate the business’ systems before taking any actions.
- Establish scope – work within the boundaries set by the organisation. Only access areas for which permission has been given.
- Report vulnerabilities – accepts the obligation to notify the organisation of any and all vulnerabilities discovered. Following this, remedial action advice should be provided to address each vulnerability.
- Respect data sensitivity – be willing to sign a non-disclosure agreement in cases where highly sensitive data is being handled. This is in addition to any other terms and conditions the organisation may have.
The process of ethical hacking
The parameters of an ethical hack are set by the organisation. As such, it is a flexible process that can be used to assess many different areas of cyber security. Regardless of the scope , ethical hackers will follow this process to mimic a real hack:
- Reconnaissance – gathering information about the target. This preparatory phase, known as ‘footprinting’, looks at a business’ network, host, and those involved.
- Scanning – looking for weaknesses that can be exploited. This is broken into port scanning, vulnerability scanning, and network mapping.
- Gain access – breaching an organisations systems using tools and techniques.
- Maintaining access – leveraging privileges to make use of malicious files and applications. Steps are also taken to mask the presence of the hacker.
- Clearing track – leaving no trace of the breach. This can involve modifying logs and registry values, as well as removing any apps and folders created during the attack.
Choosing the right method for you
Penetration testing and ethical hacking share many similarities. They’re both processes designed to audit a business’s cyber security defences. However, there are variations in the techniques used to achieve this. As a result, both can serve different roles within business cyber security strategy.
The main difference is that the range of penetration tests available means businesses can evaluate specific systems. For instance, businesses that process lots of user data might want to focus their testing efforts on systems that allow access to storage areas. On the other hand, ethical hacking takes a broader approach by discovering vulnerabilities. Wherever the vulnerabilities are, that is the route the hacker will take their attack.
Business leaders might want to consider the time and money investment involved. For penetration testing, pricing can depend on the type of testing. For example, white box testing can involve the use of expensive tools such as code analysers. Similarly, the cost of using ethical hackers can vary depending on the testing scope and how long the process takes. However, we think it’s worth spending a little extra to avoid suffering the effects of a successful cyber security attack.
As technology continues to advance and bring new systems with it, new access channels are opened to criminals. This is a challenge for organisations, as it means the approach to cyber security used 5 or 10 years ago can become obsolete. Options like ethical hacking and pen testing are useful, as they can reveal vulnerabilities across a range of systems.
Here’s a list of common security exploits, along with the technique that can be used to identify them:
- Cross-stie scripting (XXS) – penetration testing
- Password weaknesses – both
- Injection attacks – ethical hacking
- Authentication problems – both
- Misconfiguration – both
- Use of vulnerable components – both
- Exposure of sensitive data – ethical hacking
- Operating system and endpoint application vulnerabilities – penetration testing
Penetration testing company UK
As experienced cyber security consultants, the CyberWhite team can provide professional advice on whether penetration testing or ethical hacking is best for your business. We offer no less than eight different types of penetration testing, along with reporting and remediation support. With us, you can have an ongoing partner for improving your cyber security defences. Contact us today for a security check to assess the health of your security infrastructure.