Why there’s a need for penetration testing within organisations


Johannesburg, 27 Aug 2021

Can you protect your company from cyber crime by hiring an ethical hacker? Understanding how secure a business is should begin with a penetration test – getting a third-party expert like Cyber Insight to uncover, exploit and document vulnerabilities.

Ransomware is on the rise. The pandemic has created a spike in cyber crime. You have to ask: How secure is the IT infrastructure of my business? One way to find out is with a penetration test. A penetration tester – also called an ethical hacker – will find vulnerabilities in a system and actively exploit them in order to gain access into an environment. Penetration testers are often referred to as ‘ethical’ because they do not sell their findings on the dark web – any information unearthed is passed back to the client to fix vulnerabilities in the system.

“Penetration testers can gain access to data and privileged systems… data that a client or user does not want to be exposed to an external entity,” explains Deon Smal, Cyber Insight’s director. Cyber Insight has an extensive background in cyber security, including monitoring and reporting solutions, implementation and management experience as well as a broad understanding of multiple IT disciplines and principles.

“A white hat hacker, or an ethical hacker, has the same skillset as a black hat hacker, but instead of being a malicious entity, they hack with a different moral code, to the benefit of their clients.”

While penetration testing is incredibly important for any organisation looking to safeguard its data, it can be difficult to find certified penetration testers locally: “Certified doesn’t always mean skilled – a certified or skilled individual needs a broad understanding of multiple IT disciplines and principles, not just security. A lot of students enter the security space without prior IT knowledge – there is simply a lack of general knowledge when it comes to networking, coding languages and operating systems… you need the basics.”

To ensure business continuity, penetration testing is critical, and while it has become best practice for some companies, many industries now require regular penetration testing to meet compliance standards. “If you want to be compliant to certain frameworks or standards, you need to conduct penetration testing – at least annually. ISO27001 is an international standard and one of the requirements to become certified is proper vulnerability management, which may include penetration testing,” adds Smal.

Penetration testing is also required by cyber insurance companies to grant insurance policies. If a business hasn’t been tested for cyber liabilities, installing cyber security software simply isn’t enough: “There’s a difference between a vulnerability scan – an automated tool that scans the environment and provides a vulnerability report, only catching a few issues – and a penetration test. A penetration test uses multiple tools to check vulnerabilities manually. These tools exploit any chain vulnerabilities found to ensure there are no false positives.”

While some companies opt to use their internal security teams for penetration testing, Smal believes this could be problematic as internal entities know the infrastructure. “They know where to look, and they have their own stakes in the company. They’re typically involved with the implementation of the security controls, so if they find vulnerabilities, they may have their own motivation not to report them,” he says.

An external entity trying to hack into a company has no prior internal infrastructure knowledge. They’re neutral and do not have any bias towards the implementation or the organisation. Cyber Insight’s varied client list shows that those who conduct regular penetration testing range from small finance companies with 25 employees to larger pharmaceutical organisations and law firms. While penetration testing does not depend on the size of a company, there are three different types of penetration tests Cyber Insight can conduct.

“There’s a black box, grey box or a white box penetration test,” explains Smal. “A black box penetration test is when the client does not give you any information, and it is up to you as the tester to enumerate all information required to complete the test. With a grey box penetration test, the client will give you basic information regarding the company, including website information, IP addresses, technical and non-technical details. With a white box penetration test, the client gives you all of the information including login credentials, source code, IP addresses, administrative access to the environment…”

Ultimately, whatever type of penetration testing you choose should be seen as a proactive approach for security-conscious organisations. Without a pen test, it’s almost impossible to gain insight into a company’s current state of vulnerability – around 80% of Cyber Insight’s cases occur after an attack happens. 

“Even if you implement the best security controls, you do not have that insight. If you conduct a penetration test or vulnerability assessment, then you begin to see the openings. It’s often only when a company gets hacked or falls victim to ransomware attacks that they realise they have a problem, need to fix it and then allocate a budget. A proactive penetration test could have saved that money.”