This article has originally been written in french and then translated with tools. The translation should be on point, but please forgive us if some parts are not perfect.
One of the most common misconceptions is that SMEs are too small to be of interest to hackers. If my company isn’t a target, I’m safe, right?
We’d like to say yes, but unfortunately, it’s not that simple. Your business could be used to gain access to one of your more “important” customers, or you could simply be attacked at random; hackers also like to fish with dynamite… Think of the phishing e-mails you receive all the time, for example.
If you’re reading this guide, you understand the importance of protecting your business. Or maybe a potential investor or customer has challenged you about your security measures, right?
You’ve been asked the fateful question “Have you carried out a penetration test?”, then ended up on Google searching for “penetration test” without really knowing what to look for in the background. Maybe that’s how you ended up on this page. And that’s just as well, because we’re going to help you sort it all out and make you an “informed customer”.
For those in a hurry, here are the sections of the guide to help you quickly access the information you’re looking for (the guide is intended to save you time for the rest, so we still recommend reading it all 🤓):
According to the Office Québécois de la langue française, a penetration test can be defined as: “A test designed to reproduce, in a controlled manner, the real conditions of an attack on a network or information system, in order to detect security flaws and assess their exploitability with a view to correcting them.”
In short, we act like hackers attacking your company, but instead of ransomware, you leave with a report to correct your flaws.
You’ll hear other terms for penetration testing, but they all mean the same thing: pentest, penetration test, computer intrusion test, technical security test (to be validated, but we’ve heard it before).
In practice, penetration testing consists of two services: vulnerability scanning and penetration testing.
This is the automated portion of the test, using a tool to perform the scan. Here’s the Wikipedia definition: “In computer security, a vulnerability scanner is a program designed to identify vulnerabilities in an application, operating system or network.”
The aim? To automatically identify all known vulnerabilities on the system. Then you can apply the necessary patches to enhance your level of security.
💡 This service is the first step in penetration testing, but it’s also good practice to do them continuously so you’re always aware of new vulnerabilities, we’ll talk about later in the guide.
This is the manual part of the test, the part that most closely mimics a real attack. The consultant comes to exploit the identified flaws to penetrate your system, just as a hacker would. Of course, an ethical hacker won’t do any damage, he’ll stop short.
The two approaches are truly complementary, as they communicate different information. Vulnerability scanning provides quantity (your IT guy is going to have a great job patching the list), and penetration testing is more of a logical approach – we’re going to show you how we got in.
Very important point: although vulnerability scans are highly relevant, they are no substitute for a real penetration test. When you ask for quotes, be careful: make sure that when you ask for a penetration test, the test proposed is not a simple scan. We say this because, unfortunately, it’s a practice we’ve seen on several occasions.
According to a report from Kaspersky Lab, 73% of successful breaches in the enterprise sector are due to the penetration of vulnerable web applications.
We could go on with more statistics to illustrate our point, but we’ll save you some time (the link above is a mine of stats, if you want to push further). Your web application, your internal network, your API or your website are vulnerable. By performing a penetration test, you’re protecting your business by identifying your security flaws before the hackers do.
If that’s reason enough for you, great. You can move on to the next section. If, on the other hand, you still have some doubts about the relevance for your company of carrying out this type of testing. Here are some other common reasons:
The request may come from your customers, investors, partners, suppliers, insurers and so on. Being challenged on the security measures in place will become commonplace. Individuals are increasingly aware of cybersecurity issues, and this is now a requirement. The request can be very precise as to the scope of the tests, but it can also be as vague as “to have carried out a penetration test in the last XX months”.
Many industry regulations or compliance certifications also require organizations to undergo regular penetration testing. The most common examples are ISO 27001, PCI DSS and SOC2 Type II. These standards specify the tests required at different levels of detail, but even the most specific ones don’t specify exactly how or what to test, as this depends on the scenario in question. For this reason, it is often accepted that the company under test is best placed to determine the level of security testing that is appropriate for its scenario. The following tips can help you determine what and how to test.
If you’d like to read more on the subject, and also see how penetration testing can help you make money, here’s our article: Penetration testing: a competitive advantage
Before getting down to the heart of the matter and discussing penetration testing, we need to think strategically. While testing your security level can never do any harm, it does represent a certain budget. A risk assessment is therefore a key step in understanding your needs and choosing the right test(s).
Your business is unique: what you do, your team, your structure, the tools you use. As a result, the cyber risk incurred by your company is not necessarily the same as that incurred by the company next door. Of course, there are simple ways of identifying which risks apply to your company. Here are some questions to ask yourself:
Is your business based on the use of customer data? You have a major stake in this, as it’s your responsibility to protect this information. Here are a few examples of industries that are generally concerned: law firms, accountants, marketing, e-commerce or web applications. There’s a legal as well as a reputational issue at stake, so you need to do everything you can to limit the likelihood and impact of a cyber attack.
The first step is to identify on which of your systems this data is stored. If they’re all in one place, is the system really isolated, or can it be accessed by other means?
Here are three examples:
Obviously, the first step is to check whether an attacker with no account can access your data (we’re talking about anonymous tests here). But what would happen if a malicious standard user tried to access another customer’s data, or even your administration console? In this context, we recommend that you run “authenticated” tests. If there are several roles in your application, it’s a good idea to identify which ones are to be tested (examples of roles: users, administrators, employers, employees, etc.).
No sensitive data is directly exposed to the Internet? Does your team handle it directly on your internal network? In this context, your website may be less relevant to test. Your main risk is illegitimate access to your internal IT network. A scenario that plays out all too often is one of your employees clicking on a phishing e-mail, thereby giving access to a hacker. We therefore carry out an internal penetration test to validate whether an attacker could gain access to your sensitive data. We always start with an anonymous approach, but we’ll ask you for standard access (the access level of the majority of employees) to test the scenario of phishing or a stolen laptop.
If your company handles money, you become a prime target for hackers, and even for ill-intentioned employees or customers. The approach will be the same as in the previous case, but we strongly recommend continuous vulnerability scans and full penetration tests at regular intervals (frequency to be defined according to the case).
This is one of the main reasons why companies don’t see the point of testing their security. If they don’t have anything “valuable”, why invest in protecting it.
The first piece of advice we’d give is to make sure you really don’t have any sensitive information.
Maybe your company doesn’t collect any personal information or credit cards. But do you have your employees’ personal information? Intellectual property? Your application’s source code? What would be the consequences if this information were stolen or destroyed?
If your answer doesn’t change, and you still think that the consequences of an attack wouldn’t be that serious, you can choose to go ahead with a simple vulnerability scan. The investment will be lower, but it will enable you to ensure a minimum of security on your systems. Concentrate on systems exposed to the Internet, such as remote access (VPN), firewalls, websites, web applications and APIs.
Let’s cut to the chase here: how much does an hour’s downtime on your production line cost you? There are lots of different figures online, but the cost quoted ranges from $100,000 to $500,000 CAD. In short, it’s a scenario to be avoided at all costs. A production line stoppage can be the result of a breakdown, but it can also be the result of a cyber attack. If a hacker takes control of your network, it’s game over: he can stop your production line.
In this context, you need to carry out a complete penetration test of your internal network. We’ll be testing the same scenarios as in the previous point (companies handling sensitive information internally). The objective here is more to validate whether a hacker can get to the domain controller(s) of your production chain. We strongly advise you to test your wifi network too, and ask your supplier to help you brainstorm about your plant’s network architecture. It’s quite possible that one of the test recommendations will be to upgrade equipment, but it’s not possible to upgrade certain industrial machines. So you’ll need to “think outside the box”, and look at ways of mitigating the risk by isolating certain equipment from the network, for example.
Does your company have no online interaction with its customers? For example, do you have an independent physical store with no online presence, and no customer data stored on your computers? We could tell you that penetration testing is always a good idea, but given the investment it represents, we’re not really comfortable with it. Instead, we’d advise you to check that all your workstations (and servers, if any) have anti-virus software, to update your software and to use long and different passwords (a password manager is game-changer, here’s one we highly recommend: https://1password.com/fr/).
If your company is growing or if you decide to use the web to develop your business, read this guide again, you may be in another category ☺
Now that you’ve identified your main risk(s), and been given an initial idea of the tests you should undertake, it’s time to define what you want to test. In cybersecurity, we talk about “penetration test scope”.
So, in other words, what assets do you want to test? If you’re one of the few companies that has an (up-to-date…) inventory of its assets, this is a document that can help you. The idea is to have a good understanding of your environment as a whole before determining the scope of testing. You may decide to test your entire infrastructure, but it’s also possible to choose to focus on just one part of it.
Here are two quick examples:
“We have a building where our internal network is concentrated. Our 85 employees use laptops, we have 2 physical servers and 4 virtual servers (VMWare), our Active Directory is hosted locally, our Wifi network is made up of 2 SSIDs (one employee, one guest). Most of our tools are in SaaS products that don’t belong to us, and we store our data on Sharepoint. We have 5 IP addresses exposed on the Internet, but only 2 are used.”
“Our HR application is used by recruitment professionals. The platform is sold to a company, which then gives different accesses to its team. So we have at least 2 roles per customer: administrator and recruiter. Each company has its own tenant, with data stored in separate databases. We also have an administrator platform to manage the application as a whole, acting as a super admin.”
Penetration tests must always have a well-defined scope. It must have been discussed with the supplier, and it must be mentioned on the service offer.
Why is this important?
Just as it’s important to list what will be in the scope, we do the same for what will be excluded:
Determining the range is a potentially trickier step, especially if these are your first tests.
💡 This is a good time to evaluate your potential supplier: you’re the one who knows your network, but is he trying to understand your real need? Does he brainstorm with you to choose the best approach? Does he automatically try to sell you the most complete test without validating its relevance to you? In short, you get the idea. This is a good time to see if there’s a fit with your potential supplier. You should work on this step as a team. If you don’t, it’s a red flag 🚩
Security standards such as NIST and ISO27001 recommend continuous vulnerability scanning of your assets, and one full penetration test per year.
Of course, if your business is very high-risk, or you’re making significant changes to your network or application, one a year may not always be enough.
Running a continuous vulnerability scan is an excellent way of staying informed about vulnerabilities on your network. We don’t want to play the fear card, but there are over 10,000 new vulnerabilities every year. So you’ll understand that even if you perform a vulnerability scan and start patching them, there’s a good chance that the following month, there will be new ones. Without regular scans, you won’t be able to know this and act accordingly.
The cost of running a recurring vulnerability scan can be an issue for some companies, we understand. Our recommendation would be more to limit the scope of testing than not to do any at all. Thanks to the previous sections, you should have a better idea of your main risks and your most sensitive assets. You may choose, for example, to scan only your SaaS application, or just a portion of your internal network.
This is the kind of discussion you can have with your supplier. They’ll be able to advise you based on your budget and the issues at stake.
A penetration test should generally be carried out once a year, ideally in addition to a continuous vulnerability scan. As a reminder, a penetration test is a manual test in which the expert plays hacker and tries to exploit your vulnerabilities to penetrate your systems (without breaking anything, rest assured 😉 ).
What is the added value of a penetration test versus a scan? The expert goes further than simply listing vulnerabilities. By seeking to exploit them, he’ll be able to uncover more complex weaknesses, linked to your architecture for example. To give you an idea of what he might try to do, here are a few examples:
To help you think about frequency, you can relate your business momentums to your risks. Here are a few examples:
An annual test, if you make few changes to your system and your level of risk is low, should be fine. Again, if you handle money or highly sensitive and coveted data, a quarterly is the minimum.
💡 Finally, security testing is a very good practice. However, vulnerabilities still need to be corrected. If you test regularly, but don’t apply any recommendations, you’re unfortunately wasting your money.
We hope this guide has helped you demystify penetration testing a little. We understand that it’s not easy, but we wanted to give you a better understanding of your needs and how to store for a supplier in an informed way.
This guide could be much longer and more detailed, but we didn’t want to discourage anyone with a guide that never ends. If you’d like even more information, our blog section is all yours 🤓
If you’ve stumbled across this guide by chance, we’re the Yack team. We specialize in offensive security, so penetration testing is all we do all day long.
If you’re at the stage of looking for a supplier, don’t hesitate to contact us. We’ll be happy to help and guide you.
If you’re not ready to start your project yet, but you liked what you read, feel free to follow us on social networks. We’re not the spammy type, we promise 🤓
Finally, whatever your situation, if you’ve enjoyed our guide, if you think it can help others understand penetration testing better, you can share it. Live, on social networks, it doesn’t matter. As long as it helps someone, we’re happy 😊
Peace ✌️
Cyndie & Nicholas