Website scanning tools: Penetration Testing

Cyber attacks and online security breaches are a necessary consideration for website owners, regardless of the size of the business. While many security packages may claim to offer rapid response to potential attacks or a backup of valuable data, any security system becomes redundant if you are not aware of the full scale of risks you really face. However advanced your security system and level of compliance, even the most robust website is potentially open to an attack when faced with highly skilled hackers.

Penetration testing is a valuable tool in establishing long-term website security, giving businesses an accurate simulation of what may occur in the event of a breach. Through a controlled, simulated breach on your site, the hidden risks and shortfalls in existing security are quickly made evident. Pen tests will also reveal the full scale of the impact following a security breach, and thus should be an integral tool in the development of any incident response plan. As one of the foremost developers of penetration testing methodologies, NCC Group’s penetration testing specialists offer a comprehensive assessment of your site’s security.

Why carry out penetration testing?

Penetration testing is an essential way of highlighting areas of vulnerability and assessing existing security levels. However, pen tests are more than just a way of red-flagging concerns or carrying out a security audit. While these tests actively identify possible factors that could lead to a security breach, they exceed standard security assessments by also offering proactive input into how such flaws could be tackled. After identifying limitations, pen testing will subsequently attempt to exploit them, in order to verify the extent to which your website could be damaged, and give an accurate quantification of the impact it may have on your content and data.

The wider scope of penetration testing also enables specialists to examine multiple attack vectors and establish which potential combination of criteria may give rise to a damaging security breach. A multi-level assessment and inspection of threats, and the consequences that may arise from them, gives businesses the ability to counter risks with real-world insight into security issues, as well as improving the responses to any attacks that do occur. Pen tests are also valuable in forensic analysis following attacks, as they can be used to re-create attack chains and identify what may have occurred.

Case study: Financial security

A well-known European financial organisation had an established and secure local corporate network, which was regularly audited to ensure full compliance with all cyber security requirements, up-to-date certification and regular installation of patches and antiviral software. While the internal site had a robust security setup, the main corporate website itself was not as vigilantly maintained, and the client’s web server was assumed to be secure due to its remote location. Consequently, pen testing was disregarded as a waste of valuable resources, as the organisation’s IT department believed that the internal local network would not be compromised in the event of any breach of the web server.

Following an attack on the corporate website server, hackers were able to insert a malicious iframe into the website source code without affecting the site’s visual appearance. This led to all users, including local users on the organisation’s local corporate network, being infected with a back door that went undetected by antivirus software or their firewall. This enabled hackers to easily access confidential financial data from the local network, leading to widespread damage to both customers and the internal organisation.
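An injected iframe of the kind described above leaves a trace in the served HTML even when the page looks unchanged. The following is an added example, not part of the original article or any NCC Group tooling: a small audit that flags iframes which load from a host outside an allow-list or are hidden from view. The host names, the sample page and the hiding heuristics are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style fragments that hide an element (heuristic, not exhaustive).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?<![\w-])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)",
    re.I,
)

class IframeAudit(HTMLParser):
    """Collect iframes that load from an untrusted host or are invisible."""
    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()  # empty for relative URLs
        reasons = []
        if host and host not in self.trusted:
            reasons.append("external-host")
        if a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1"):
            reasons.append("tiny-size")
        if "hidden" in a or HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")
        if reasons:
            self.findings.append((src, reasons))

def audit_page(html, site_host, allowed_hosts=()):
    parser = IframeAudit(site_host, allowed_hosts)
    parser.feed(html)
    return parser.findings  # [(src, [reasons]), ...]

# Constructed sample page: two legitimate embeds and one injected frame.
SAMPLE = """<html><body><h1>Corporate site</h1>
<iframe src="https://maps.example.com/embed" width="600" height="400"></iframe>
<iframe src="/help/widget.html" width="300" height="200"></iframe>
<iframe src="http://cdn.injected.example/x" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in audit_page(SAMPLE, "www.example.com", ["maps.example.com"]):
        print(src, reasons)
```

This inspects static markup only; frames created by script at load time would need the same checks applied to the rendered DOM.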

Pen testing in this instance would have proved invaluable to the organisation, by revealing the flaws in the assumed stability of the existing security setup. The complacency of the IT department led to them underestimating how far a potential attack could reach within the website. Penetration testing would have revealed and demonstrated the opportunity offered to hackers to access the secure local network.

For future security, pen tests would enable the organisation not only to identify the overlooked vulnerabilities, but also to explain and address the methodology of the attacks used, giving rise to appropriate recommendations that could subsequently be implemented.

Case study: Employee data

A large staffing firm in the medical industry held a national database of employment placement information, including extensive sensitive data, such as social security information, personal identification and background check details and employment history. While the database itself was regularly audited for security compliance, the firm chose to carry out penetration tests to ascertain whether there were any areas that would need to be addressed for the future.

An external penetration test, emulating the actions of a hacker, was carried out and identified several areas of concern. The website’s account registration system indicated when account information did not exist, potentially allowing hackers to work out from this what would be valid. Misconfiguration of the site also allowed remote debugging, enabling hackers to gain control of the site. Password storage could also easily be abused, and a clear text entry system for passwords was highlighted as an area which would allow account security information to be intercepted.

An internal penetration test was subsequently carried out to assess what a hacker could do once inside the secure system. This test revealed the extent of damage that the valuable data was susceptible to. The internal server was found to have several easily guessable passwords, which could be quickly cracked and allow information from the host files to be read and written. This would also expose vast amounts of sensitive data and permit unauthenticated access to secure information.

By identifying several key vulnerabilities and demonstrating the scope of damage that could arise from a security breach, the penetration test allowed the firm’s IT department to address these issues. Once this was completed, further testing was carried out to validate and confirm that all issues had been successfully resolved.

