By: Jaroy Johnson
Share This Post
Performing Vulnerability Analysis and Penetration Testing – The Four Phases
According to a recent IBM Security Report, more than sixty percent of data security breaches are the result of employee negligence. Costing an average of more than $300,000 per incident, these security breaches are expensive and preventable. Performing annual vulnerability analysis and penetration testing will go a long way toward keeping your data safe and helping your company thrive.
In our previous blog, we covered the basics of vulnerability analysis and penetration testing – what pen testing is, and why it’s so important. Now, we’ll walk through a detailed look at the four phases of penetration testing:
Phase 1: Planning
As with any project, the planning phase of vulnerability analysis is possibly the most important. This phase lays the groundwork for an effective penetration test on your company’s system.
If you’ve hired security consultants from outside your organization to perform a pen test (which we recommend), you can think of this as the getting to know you phase. And as with any good first date, your consultants should be asking you a lot of questions. Consider it a big red flag if they show up and just talk your ear off about how great their services are.
Understanding Your Business and Network
In order to perform an effective vulnerability analysis, a security consultant needs to get a clear understanding of your company from the inside out, as well as your goals for the penetration test. Here are a few of the questions you should be prepared to answer (and they should be asking):
- What are the services or products you provide?
- How do you provide these products or services?
- Who are your customers and how do they interact with your system?
- Who has access to your systems?
- What kind of data do you collect?
- Where is that data stored and what sorts of access controls are in place?
- Why do you need the pen test? Is this a proactive test or a reactive one?
- Has a prior security breach occurred? What are the details surrounding that incident?
Clarifying the Scope of the Pen Test
In addition to gaining a clear sense of how your organization operates, the planning phase should also establish a defined scope. While the underlying goal of any pen test is to identify vulnerabilities, it’s also useful to clarify what you want to get out of the test:
- Are you simply looking to shore up any security vulnerabilities and mitigate risk?
- Do you want to increase operational security and efficiency?
- Will the test cover the whole system or only half?
- Are there systems that are being phased out that should be excluded from the test?
Vulnerability analysis and penetration testing aren’t small undertakings. Depending on the size of the organization and number of open ports, a thorough test can take anywhere from several days to a few weeks. The planning phase will outline the timeline, impact on your system and the cost involved. This way, there shouldn’t be any surprises during implementation.
Phase 2: Discovery
Once your consultants have gathered information from you in the planning phase, they’ll then move into the second phase of the pen test. This is essentially the reconnaissance phase. At this point, security experts investigate your system to prepare for the attack.
The discovery phase involves scanning for open ports, identifying all public facing IP addresses, collecting any details or information that might lead to a way into the system. Since the goal is to find your organizational blind spots, an outside expert will use the discovery phase to think outside the box. In other words, the discovery phase is when a consultant is “casing the joint,” looking for ways to break in.
Phase 3: Attack
Phase three is where the rubber hits the road, and the actual penetration test occurs. Using a variety of methods and tools, a security expert will attempt to ethically breach your security perimeter.
In an ideal world, they won’t be able to get in. Your cyber security locks will be airtight and squeaky clean. You’ll finish the pen test with the reassurance that you’ve been doing all the right things to keep your data safe.
However, there’s always a chance that they will get in – that’s why you’re performing the test in the first place. Thankfully, though, if a security consultant is able to penetrate your system, they won’t be enacting the kind of mischief or malice that real cybercriminals would.
Rather than holding your website or server hostage, a penetration tester is more likely to update the banner on your homepage to say “Howdy, friends.” And then put it right back the way it was before anyone notices. And, of course, document exactly how they were able to pull it off – to make sure it doesn’t happen again.
Phase 4: Reporting
In the final phase of a penetration test, your security consultant will report their findings and make recommendations. Here, you’ll get a neat summary of any weaknesses that were found and exploited, along with recommendations on how to mitigate future risk.
Once vulnerabilities have been identified, you can use that information to increase operational security. You can seal the cracks and tighten the bolts, so to speak. You can also use the information for future forecasting and prioritizing of security projects.
For example, you may want to start with an education campaign. Or, you may want to upgrade your security software. Implementing better access controls might also help to increase efficiency in addition to mitigating risk. The reality is that better security is better business.
Penetration Testing is Important for Every Business
Because the headline-grabbing security breaches tend to happen to major corporations, it’s all too easy for small and medium-sized businesses to assume they won’t be targets of cybercrime. However, we can’t emphasize enough the potentially devastating impact of cyberattacks on businesses of all sizes. It’s a reality that every business has to contend with, and it’s why every business should perform periodic penetration testing.
The number of reported cyberattacks rose 20% between 2016 and 2019, and those numbers are only continuing to rise. Protecting your data is an investment in the future of your business. It will not only help to keep the lights on, but it can also drive revenue and lead to new business opportunities.
Want to learn how? Give us a call.