In light of growing high-profile cyber security attacks in Australia, a number of organisations and enterprises are looking to improve their cybersecurity penetration testing programs. Gone are the days when the annual vulnerability scan was sufficient - Australian businesses these days need a robust cybersecurity penetration testing program that:
- Continually runs throughout the year to accommodate changes in their environment; and
- Encompasses the latest tools, techniques and cybersecurity penetration testing methodologies to ensure test cases reflect the latest in offensive security techniques and real world attack scenarios.
A good cybersecurity penetration testing program will also provide the following:
- A list of vulnerabilities in your environment, ranked in terms of criticality;
- Test the effectiveness of your security controls;
- Greater visibility of your environment and the potential to identify security relevant changes;
- Understand if the attack is isolated to one area or if it is an ongoing threat.
A note on Cybersecurity Penetration Testing versus Vulnerability Scanning:
A number of organisations can be misguided over the capability of vulnerability scanning and its level of cybersecurity assurance. While vulnerability scanning has a place in an ongoing cybersecurity penetration testing program and cybersecurity strategy, actual testing will determine if the vulnerability can be exploited. A vulnerability scan will pick up on an issue, but without demonstrating that it can be exploited, organisations will not have full understanding of the impact.
The key criteria to address when building a Cybersecurity Penetration Testing program:
Organisation specifics
If you have a particularly complex organisation, perhaps with a number of compliance measures or mergers/divestment activity, it is likely that you do not have full visibility over your cybersecurity vulnerabilities. A cybersecurity penetration test is a common request as part of due diligence. When we work with our customers to build ongoing programs, we assess the following criteria:
- Data - how large is the organisation, how much data do they have and how much if this is confidential. Most critically, what types of data or access to, would be lucrative for an attacker?
- Risk appetite - If your organisation is in a high-compliance vertical or requires certain security measures to be in place in order to be operational, your risk appetite is considerably lower than that of a small retail chain.
- Supply chain risks - if you connect with major government departments or large enterprises to conduct your business, i.e. mining or banking, then you may be a target for attackers and be used as a third party entry point. Understanding where your business sits in the supply chain is essential to managing your operational risks.
What types of testing should be included?
The types of cybersecurity penetration testing you should incorporate can vary from business to business. The following are examples of the different types of tests that one might conduct:
- Network (internal or external)
- Web application, API, mobile, rich application
- Cloud
- Wireless
- Embedded device
- Code review
- Social engineering - phishing, smishing and vishing
- Internal Infrastructure testing (for Zero Trust Architecture)
- External Infrastructure testing
- Red team covert attacks
- Purple Team - joint exercise with Red (Penetration Testers) and Blue (SOC) security teams
How often should you be testing?
Typically it is recommended to conduct cybersecurity penetration testing at least once a year which should include internal, external and cloud testing. However, depending on the speed in which your organisation is growing or undertaking digital transformation work - more tests on a quarterly basis (or even higher frequency) may need to be built in. Additionally, if there is merger and acquisition activity, cybersecurity penetration testing in the due diligence phase as well as merger integration phases, is recommended.
How Cythera can help build a robust CYBERSECURITY penetration testing program:
As part of a resilient security regime, companies across Australia are advised to run a robust cybersecurity penetration testing program that continually assesses their cybersecurity posture.
Not all cybersecurity penetration tests are the same, and finding a deeply skilled provider is not an easy task. At Cythera we leverage the many cybersecurity tools we have available in our Security Operation Centre, to go way beyond a simple vulnerability assessment, providing our clients with exceptional technical understanding that is not overly reliant on standard ‘out of the box’ automation tools.
Our technical experts intimately understand the perspective of the attacker, which allows them to anticipate where a potential attack vector might be. Sometimes the problem is less technical in nature, and instead could be a logic failure or process bypass that requires a human to step in and provide technical understanding.
Our team is skilled in maximising the impact of your penetration test at the absolute minimum price point through carefully understanding and refining the scope of engagement, sensitivities to any reporting requirements, delivery timeframes and any additional operating requirements.
Meet with the Cythera Cybersecurity Penetration Testing team to learn:
- How a skilled attacker’s lateral thinking leads to lateral movement on your network;
- Learn about the tactics and techniques used by hackers, cybercriminals and state sponsored adversaries;
- How to use a collaborative approach involving process and code auditing, to gain a much deeper understanding of the target scope; and
- How penetration testing can be used to educate the C-Suite and key decision makers about the security risks your organisation is facing in order to help build the business case for cybersecurity
In exchange for your time, and to thank you for choosing Cythera, we will make a $100 AUD donation to one of the following charities of your choice:
- Women’s Domestic Violence Shelter;
- First Nations Indigenous Development Fund; and
- Men’s Prostate Cancer Charity.
