There are many root causes today of corporate crises and financial challenges. Often, cybercrime takes center stage because companies rely on sensitive computer infrastructures with global data access and critical electronic file storage systems.
This reliance results in attacks (think malware, corporate espionage, cryptojacking or denial of service). And when they happen, companies often are left with expensive remediation options.
At Mazars, we advise our clients to take proactive steps to address these potential crises before they happen. One such proactive step is cyber penetration testing.
This post provides a brief overview of penetration testing, its benefits and disadvantages, and how a penetration test is carried out.
Penetration testing defined
Penetration testing (also known as “pentesting”) is a controlled process that simulates a real-world attack by malicious users and/or external attackers. The process aims to identify and evaluate a company's security flaws and assess the potential financial and operational impact of these attacks on the organization's business processes.
Depending on specific circumstances and identified high-risk areas, we offer different types/scopes of pentests. They include:
Internal penetration testing examines the potential business impact of a security breach and validates the level of effort required for an attacker to overcome the security infrastructure using previously acquired internal access. This may include breaching an organization’s Active Directory, phishing or credential stuffing attacks.
External penetration testing identifies and tests vulnerabilities that could be exploited by attackers via externally facing systems to gain unauthorized access to an organization’s systems. This test may include evaluating security controls on external servers for exploitable vulnerabilities, checking for proper implementation of firewalls and demilitarized zones (DMZs), as well as looking for misconfigured systems that can be leveraged to gain access.
Web application penetration testing evaluates the security of web applications and involves an active analysis of the application(s) for any weaknesses, technical flaws or other vulnerabilities. These tests are performed primarily to maintain secure software code development throughout its life cycle. Coding mistakes, specific requirements or lack of knowledge in cyberattack vectors are the main reasons for performing this type of penetration test. These tests generally utilize Open Web Application Security Project (OWASP) guidance and methodologies.
Physical penetration testing examines the effectiveness of security training, internal procedures and technical controls by attempting to physically access an organization by posing, for example, as a new employee, trusted vendor, maintenance staff, etc. The test then attempts to gain access to restricted areas, obtain a physical network connection, or access unattended workstations or servers.
Wireless penetration tests assess the resilience of the client’s wireless environment by attempting to compromise its Wi-Fi network and corresponding infrastructure network devices, with the ultimate goal of gaining access to restricted company data.
Social engineering penetration tests focus on the vulnerabilities associated with people and processes. These tests typically consist of ethical attacks such as phishing, password audits, USB drops or impersonation. The goal of these tests is to assess employee-based weaknesses and identify vulnerabilities to create a clear path to remediation.
PCI testing is a specific exercise that evaluates the entire cardholder data environment. Accepting payment cards makes transactions convenient for consumers, but it also means that a company needs to comply with the Payment Card Industry Data Security Standard (PCI DSS) to protect customer data. PCI tests have more specific guidance on vulnerabilities that need to be considered, as well as specifically required application-layer and network-layer testing.
Red teaming, another form of pentesting, is focused on a specific objective (e.g., gaining access to regulated data or other high-value information). This “ethical hacking” exercise is designed to simulate a real-world adversary’s ability to utilize a variety of tools, tactics and procedures to reach a predetermined goal or objective. The goal is different in that it adds focus to people and processes, not just a particular subsystem within a tech stack.
Other penetration testing – We design specific tests that are oriented toward a particular objective or industry.
Benefits of penetration testing
There are many, including:
Independent/objective evaluation – Unlike work performed by internal IT departments, pentests are free of corporate bias and performed by an experienced team that’s up-to-date on the latest industry/cyber trends and real-world attack vectors.
Mitigate high-risk weaknesses – A pentest can identify high-risk weaknesses in systems that can be mitigated ahead of a serious breach; penetration testing is an essential tool to protect organizations from cyberattacks.
Timely solutions – Pentests result in reporting of vulnerabilities as well as potential solutions to address them.
Requirement – Many companies are required by various regulators (e.g., NYDFS, OCC, US Treasury, Canada OSFI, etc.) and other organizations (e.g., PCI) to have this test done regularly.
Operational maturity – Pentests can be used as a blueprint to achieve full operational maturity. This is typically an initial step (level 1 – discovery) toward comprehensive security operations maturity.
Diagram – Mazars’ Phased Approach to Security Operations Maturity
Disadvantages/limitations of pentesting
Particularly if done incorrectly, they include:
Trust – Organizations must trust the penetration tester. For example, a number of organizations offer similar services online. How much do you trust them to perform the proper level of internal due diligence and quality controls to ensure that your data is safe? This is a critical step.
Planning – It’s crucial for the test to be performed by an experienced team with appropriate planning and scope definitions. Otherwise, there could be unintended consequences, such as unplanned system outages, unneeded false incident response declarations or other issues that can harm the business.
Experience – Utilizing experienced pentesters will produce the most tangible results for organizations. Pentesting is about simulating real-world adversarial tactics; pentesters with more experience tend to produce more useful and realistic results for organizations. Further, tests that aren’t properly performed can corrupt production data, crash servers or produce a host of other adverse effects.
Third-party tests – Pentests may not uncover all vulnerabilities. For example, third-party systems may not be covered by those tests, giving the company a false sense of security. At Mazars, we’re aware of these limitations, which is why we offer additional services such as HITRUST Compliance and Third-Party Risk Management (TPRM) programs.
At Mazars, our crisis and dispute management teams utilize expert resources throughout different sectors and bring significant industry knowledge and experience to any project. Our cybersecurity and risk management specialists provide security services specifically designed to detect, defuse in real time and address potential problems.
Whether the engagement is an external or internal pentest, our hand-picked team members help clients prepare for, mitigate and manage all manner of threats to their businesses.
We recognize that companies often face a balancing act between risk and rewards. As part of our engagement process, we first listen and evaluate existing challenges to identify potential solutions.
We always strive to ensure that our end products and deliverables meet our clients’ objectives and exceed their expectations. Passionate about delivering value to our clients, we are committed to offering:
Free scope/objective assessment
A tailored approach to fit our clients’ specific needs
Creative, high-quality and cost-effective deliverables
Honest insight into alternative (strategic) solutions
A dedicated, highly qualified team supported by specific industry/regional expertise