Ensuring a cyber-secure environment is often associated with installing new, more advanced security devices. Technological solutions allow ever better protection of the information system. But our experience shows that more than equipment alone is needed to solve an organisation’s security challenge. Only a penetration test can reveal the actual cybersecurity posture.
The key to achieving a sufficiently high level of cyber security is to position and optimise the security devices in the system correctly. Furthermore, raising awareness among users and IT system administrators to improve cyber resilience is fundamental.
A penetration test shows whether the technical protection of your IT system is efficient enough to meet your requirements and cybersecurity criteria. The results of the test offer information on potential vulnerabilities and weaknesses in the configuration. This approach allows you to use your existing equipment better and add new equipment in targeted areas where the penetration test has shown security shortcomings.
There is no 100% security, but we must strive in this direction
As recommended by NIST, detecting security vulnerabilities is one of the critical steps in cybersecurity management, followed by responding to the identified vulnerabilities. By repeating these two steps, you aim to improve your corporate cybersecurity continuously.
Although you cannot achieve 100% security, you can at least get as close to it as possible by taking suitable measures. Based on the results of security tests, you implement measures to ensure the confidentiality, integrity and availability of information and services at the system and user levels.
Organisations that run OT and IT systems face an additional challenge. Whereas upgrades and changes are “business-as-usual” in the IT system, in OT the objective is to keep the environment as stable and unchanged as possible, preferably without changing it at all. Security testing must be adapted accordingly.
Penetration test of an IT or OT system – why do they differ?
The goal of IT system and application penetration testing is to ensure the confidentiality, integrity and availability of the business IT system and services used by users and administrators.
The first step is to check what in the IT system is accessible from the outside and, in the next phase, how cyber security is managed in the internal network. We take a systematic approach to checking possible entry points into the network and try to exploit them.
We test web and mobile applications according to recognised methodologies and perform static source code reviews to identify weaknesses in the application’s configuration. Based on the results, we advise developers on how they can improve the security of their products.
Business IT systems and applications are faced with new vulnerabilities that need to be addressed by installing security patches or by making changes to the configuration of security appliances. These environments are relatively flexible and agile, so implementing changes is usually unproblematic.
On the other hand, OT environments such as industrial control systems typically run on older technologies, and security patches are often no longer available. When these networks were completely isolated from other IT systems, they were relatively safe from cyber intrusions.
Since industrial systems were opened to the internet, the attack surface in OT has increased dramatically, and with it the security risks. Because OT systems do not tolerate disruptions, security testing of industrial control systems is often performed in a demo environment or as a documentation audit. Additionally, when assessing the risks, it is imperative to consider the supply chain as a possible attack vector. Due to the intertwining of outdated and modern technologies, industrial control systems are much more vulnerable to cyber-attacks today than they were in the past.
Weak passwords are a common risk factor in IT and OT environments
One of the risk factors that IT and OT environments have in common is passwords. Typically, system administrators pay more attention to strong user passwords, but in our experience, system passwords are much more vulnerable. We recognise password security testing as one of the essential steps in security testing that checks the effectiveness of your password policy and the compliance of user, system, and service passwords.
In recent years, the guidelines for password security have changed with regard to length and structure. While in the past passwords were expected to be complex, using different (special) characters and symbols, new guidelines place more emphasis on the length of the password. We recommend that you design passwords as longer passphrases that make sense and are easier to remember (e.g. When we were children, we spent summer in Wales, where we enjoyed the seaside and stunning nature). For system passwords, you can also use sentences that all administrators with approved access can remember. Implement two-factor authentication for enhanced protection. With such a password policy, you don’t need to change passwords every few months; changing them once a year will suffice.
Besides password policy, much attention should be paid to raising user awareness on the topics of secure passwords and password confidentiality. Training users to recognise social engineering attacks is also worth its weight in gold.
Why a penetration test?
Let’s conclude with the answer to the initial question: Why is a quality penetration test an essential component of cyber risk management?
Based on our experience, attackers will likely gain access to your internal network through your employees. In organisations that have introduced systematic cybersecurity training for employees, the chances of such a breach are lower than in those that have not. However, even a trained user can be tricked by a well-planned spear-phishing attack.
Once an attacker has gained access to your internal network, it’s all about your security settings and the ability to respond. At this point, the most effective way to check how efficient your security controls are is through targeted penetration tests. In such testing, you define the segment you want to examine and the objectives you want to achieve. A comprehensive and detailed report at the end of the testing is an excellent basis for further actions and improvements.