Risk assessment is part of a holistic approach to cybersecurity and a requirement of many IT standards. Penetration testing is one of the most common (and often required) ways to assess cybersecurity risks. It’s hard to overestimate the role of penetration testing in risk evaluation: thorough testing helps you identify, assess, and prioritize risks.
In this article, we discuss three common types of security testing for risk assessment and determine their pros, cons, and use cases. We also investigate types and stages of pentesting and share best practices to make a cybersecurity risk assessment effective and painless.
Risk assessment is a process that includes:
- identifying vulnerabilities, threats, and risks that can cause any sort of damage to the organization
- estimating the probability of risks being realized
- defining mitigation priorities by risk severity and the likelihood of occurrence
In risk management, assessment is preceded by framing (establishing the context of risks) and followed by responding to and monitoring these risks.
Assessing risks and threats is one of the most important steps to improving cybersecurity. It’s an ongoing process that helps you evaluate your security controls, detect issues, and estimate their impact. There are several major reasons for conducting an assessment:
- To prevent hacks, data breaches, and data loss. A periodic review of cybersecurity controls allows you to detect and close off vulnerabilities before hackers can exploit them.
- To examine network security. An independent risk assessment provides an unbiased examination of your network’s security controls. It helps you update knowledge on your protected environment, especially after significant changes like deploying new software, installing new hardware, or moving to a new location.
- To improve decision-making. Determining the impact of discovered risks is an important part of a risk assessment. This information is useful for making further decisions related to cybersecurity: budgeting, planning improvements, prioritizing fixes, etc.
- To reduce spending on cybersecurity. An assessment is a time- and cost-consuming procedure. But in the long term, it can save you from more severe losses by preventing data breaches, hacks, and compliance violations.
- To ensure compliance. Risk management is part of many laws, regulations, and standards including NIST Special Publications, HIPAA, PCI DSS, and GDPR. Failing to comply with those that are relevant to your business may lead to substantial fines.
The procedure and tools for risk assessment are unique for each organization and project. However, there are three stages that must be implemented in any case.
The first stage is identifying what you need to protect. This is an administrative procedure that can be carried out by a security team. The result of this activity is a list of all the data and resources that need to be protected. Usually, this list includes:
- Personally identifiable information of clients/customers and employees
- Financial data
- Trade and industrial secrets
- Critical infrastructure
- And more
The second stage of risk assessment is detecting vulnerabilities. In cybersecurity, this can be done by means of vulnerability scanning — an automated process of identifying issues in a security system based on known flaws in software and hardware.
As a result of this analysis, you’ll get a list of vulnerabilities in your environment.
The third and final stage of risk assessment is defining threats and assessing risks. During this stage, you need to:
- Analyze discovered vulnerabilities
- Work out possible exploits
- Estimate the likelihood of risks occurring
- Assess the potential consequences for the business of a risk being realized
The result of this risk assessment is a list of discovered risks prioritized by their severity and potential impact on the business. This list is a foundation for conducting risk mitigation activities, prioritizing security fixes, and implementing new security controls. But before we can compile this list, we need to choose a way to assess risks.
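The three stages above, run as one pass in an added example that is not part of the original article. The asset names, finding IDs, 1-5 scales, likelihood heuristic, and level thresholds are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Stage 1 (constructed data): what must be protected, with an assumed 1-5 business impact.
ASSETS = {
    "crm-db": {"holds": "customer PII", "impact": 5},
    "billing-api": {"holds": "financial data", "impact": 4},
    "wiki": {"holds": "internal documentation", "impact": 2},
}

# Stage 2 (constructed data): scanner findings; IDs are placeholders, not real advisories.
FINDINGS = [
    {"id": "FINDING-001", "asset": "crm-db", "exposure": "internet", "public_exploit": True},
    {"id": "FINDING-002", "asset": "wiki", "exposure": "internet", "public_exploit": True},
    {"id": "FINDING-003", "asset": "billing-api", "exposure": "internal", "public_exploit": False},
    {"id": "FINDING-004", "asset": "test-vm", "exposure": "internal", "public_exploit": True},
]


@dataclass
class Risk:
    finding: str
    asset: str
    likelihood: int  # 1-5
    impact: int      # 1-5

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        # Assumed thresholds on the 1-25 scale.
        return "high" if self.score >= 15 else "medium" if self.score >= 8 else "low"


def estimate_likelihood(finding: dict) -> int:
    """Assumed heuristic: internet exposure and a known exploit each raise likelihood."""
    return 1 + 2 * (finding["exposure"] == "internet") + 2 * bool(finding["public_exploit"])


def assess(assets: dict, findings: list) -> tuple:
    """Stage 3: return (risks sorted by priority, finding IDs on assets not in the inventory)."""
    risks, unmapped = [], []
    for f in findings:
        asset = assets.get(f["asset"])
        if asset is None:
            unmapped.append(f["id"])  # impact unknown: fix the stage 1 inventory first
            continue
        risks.append(Risk(f["id"], f["asset"], estimate_likelihood(f), asset["impact"]))
    risks.sort(key=lambda r: (-r.score, -r.impact, r.finding))
    return risks, unmapped


if __name__ == "__main__":
    ranked, unmapped = assess(ASSETS, FINDINGS)
    for r in ranked:
        print(f"{r.level:6} score={r.score:2} {r.finding} on {r.asset}")
    print("not in asset inventory:", unmapped)
```

A finding on a host that is missing from the asset list cannot be given an impact, so it is reported separately instead of being silently ranked low.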
There are three popular approaches to conducting the third stage of risk assessment. We’ll analyze the capabilities of, workflows of, and reasons to choose each of these approaches in the next section.
There’s a wide range of security practices and approaches that can be applied for risk assessment. The three most popular are:
- Penetration testing
- Red team testing
- Risk-based testing
Let’s learn about these testing approaches, their pros and cons, and the differences between them.
Penetration testing simulates an attack on the organization’s cybersecurity systems and applications using a wide range of manual techniques and automated tools. During this process, testers determine possible exploits for vulnerabilities and estimate the potential damage they can cause. A pentest may also include vulnerability scanning. The main goal of pentesting is to determine and assess all cybersecurity threats and risks for the organization.
Red team testing has a lot in common with pentesting. This approach also simulates an attack on the protected environment, but this attack is more targeted, controlled, and thought-through. Instead of exploiting all vulnerabilities, the testing team chooses what type of data they want to gain, which security issues to exploit, and how to simulate the actions of advanced threat actors. Red teaming can be conducted only by a third-party testing team because the point is to get an external take on security controls. One of the most popular use cases for red team testing is to evaluate security improvements made after penetration testing. But it’s unreasonable to use this type of testing to examine the entire protected environment.
Risk-based testing is an approach to security testing that prioritizes activities based on discovered threats and risks. With this approach, testers and security experts agree on potential risks and grade them by the level of impact. Risk-based testing is best to apply when a project has severe time limitations or you need an urgent risk assessment and security improvements.
Let’s compare the effectiveness of these testing approaches in terms of risk assessment.
Penetration testing:
- Assessing all threats and risks
- Periodic assessment; security checks after changing the environment
- Internal security team or third-party assessor
- Automated and manual exploits and security testing tools
- A comprehensive report on detected risks, their level of impact, and possible losses if those risks are realized
Red team testing:
- Assessing risks in a particular area
- Deep investigation of certain vulnerabilities and threats
- Mostly manual exploits; may include simulated social engineering and physical attacks
- A report with a deep evaluation of a certain security system or a component of the tested environment
Risk-based testing:
- Prioritizing tests to cover the most probable and dangerous risks
- Limited time for security assessment; need for urgent testing and fixes
- Internal security team or third-party assessor
- Mostly automated security testing tools
- Acceleration of security testing; fast risk mitigation and security improvements
Out of these three approaches, penetration testing for cyber risk assessment is the most balanced in terms of time consumption, costs, risk coverage, and results. Also, regular pentesting is a requirement of NIST, HIPAA, PCI DSS, GDPR, and other regimes.
Before conducting a penetration test, it’s important to know about the types of pentesting and the basic workflow for this procedure.
There’s more to pentesting than just simulating a hacker attack. Depending on your requirements, desired results, and goals, you need to select the appropriate type of pentesting, then consider what methods you’ll use and what issues you may encounter.
There are three types of penetration testing:
- White-box testing — The testing team has complete knowledge of the targeted environment, including knowledge of the software architecture and source code. They don’t need to conduct additional research or vulnerability scanning, thus saving time for more testing activities. Also, instead of vulnerability exploitation, they only need to prove the possibility of exploitation. White-box testing can be performed by in-house security specialists or third-party vendors. This type of testing is useful when you want to test your security controls against an insider attack. White-box testing methods include DoS attacks, memory forensics, physically breaking in, reverse engineering, fuzzing, etc.
- Black-box testing — The testing team has little to no knowledge of the environment. Therefore, they have to use any publicly accessible information to penetrate it. In other words, this pentesting variation simulates an outside hacker attack. Black-box testing takes a lot of time but provides the most objective assessment of security vulnerabilities and risks. You’ll need an outside organization to conduct such pentesting. Moreover, your IT specialists have to be unaware that they’re being tested. Black-box testers use the same methods as white-box testers, except for the addition of physical attacks. They also employ vulnerability scanning, social engineering, brute forcing, and privilege escalation as well as create or use existing malware to penetrate the protected environment.
- Gray-box testing — This is a combination of white-box and black-box testing in which the testing team gets limited data on the environment they have to penetrate. For example, you can provide testers with documentation of applications you use but no access credentials or source code. This type of testing takes less time compared to black-box testing but provides only partial code coverage compared to white-box testing. Gray-box testing also has to be conducted by a third party. Testers that conduct this type of security assessment use methods from both white-box and black-box testing.
Each of these testing types has its own workflow. However, similar to the risk assessment procedure, there are three phases common to any pentesting.
First, there’s a pre-attack phase that’s devoted to preparation: mapping the network and perimeter, scanning ports, researching exploits and known vulnerabilities, selecting tools, etc. In white-box testing, this phase also includes gathering information on the targeted organization and its employees. Preparation is the most time-consuming stage of penetration testing, but it’s also the most important.
During the attack phase, testers attempt to compromise the target network: breach the protected perimeter, acquire or escalate privileges, access data, and erase traces.
Finally, the post-attack phase consists of assessing potential damage and reporting on the results of the pentesting process. Such a report concludes the risk assessment process and usually includes:
- Discovered vulnerabilities (if scanning for them was included in the scope of pentesting)
- A description of the methodology and tools used during testing
- A list of exploits (both used and possible)
- Analysis of the risks these exploits may pose
- An assessment of the possible business impact of the discovered risks
With this report, you can proceed to the next stages of risk management: risk mitigation and control. For example, using pentesting results, you can:
- Assess the current state of security controls
- Observe how your security team reacts to a hacker attack
- Make the case for increasing your cybersecurity budget
- Define and prioritize security improvements
- Create hotfixes and take long-lasting mitigation actions
As we can see, pentesting is a great method for assessing cybersecurity controls and risks. But it’s important to keep in mind the risks of penetration testing. Let’s find out about them in the next section.
If conducted by an inexperienced tester or without due attention, penetration testing can bring more damage than benefits. You need to consider the major drawbacks of this testing before conducting it.
Here are some key penetration testing risks:
- The high cost of a mistake. Pentesters work with sensitive data and infrastructure. If tests aren’t carried out properly, they can crash servers and expose or corrupt data. It’s a security risk to be considered, especially during black-box testing.
- Unrealistic conditions and biased results. If your security team knows about an upcoming test or conducts the test themselves, they may prepare for it. The point of any security assessment is to get a reality check and prioritize future improvements. If pentesting is conducted in an unrealistic environment, there’s little hope for meaningful results.
- Time and scope limitations. As with any process, there’s a technical task for pentesting and a due date for preparing a report. This limits the number of exploits pentesters can use, especially if you employ a third-party testing organization. Hackers, on the other hand, usually have unlimited time to plan an attack. Therefore, you can’t rely on the results of one instance of penetration testing to improve cybersecurity, especially if it was severely limited in time.
Still, pentesting brings more benefits than risks to the table. Also, there are several best practices that can help you handle the issues we’ve discussed.
Each testing team has a unique penetration testing methodology, and each procedure has a unique outcome. We’ve prepared a list of actions that can help you get the best result from this security evaluation.
1. Employ a qualified third party to conduct penetration testing.
Running in-house testing is tempting because it saves lots of time and money. However, it doesn’t guarantee unbiased results due to:
- Potential lack of expertise
- Unrealistic conditions
- Inability to simulate a real attack
With a third-party organization, you’ll get dedicated pentesters and a fresh take on your security controls. Before starting a pentest, discuss with your vendor your scope, budget, time limits, and results of previous pentesting.
2. Aim for maximum test coverage.
Any environment works as an inseparable system, and therefore it should be tested as a system instead of independent parts. If you’ve tested and secured a piece of the environment, there’s always a risk that hackers will still be able to reach it via the operating system, hardware, or vulnerabilities in other software. Low test coverage and partial testing lead only to a false sense of security. It’s reasonable to conduct such testing only when you need to recheck security patches made after penetration testing.
3. Don’t rush test preparations.
During the pre-attack stage, testers assess vulnerabilities, weaponize themselves, and prepare test scenarios. But from outside the testing team, it might look like nothing is happening as there’s no actual testing going on. It’s okay to ask about the testing process from time to time, but make sure not to rush the preparation stage. Remember that this is a time-consuming process. For black-box testing, this stage sometimes can take up to 90% of the total estimate.
4. Use relevant pentesting standards.
Each tested environment requires a unique approach. Still, there are world-renowned and industry-recognized standards for penetration testing. Use these standards to guide your internal team or make sure your third-party vendor uses them. The most popular ones are:
- Penetration Testing Execution Standard
- OWASP Web Application Penetration Checklist [PDF]
- PCI DSS Penetration Testing Guidance [PDF]
- CREST Penetration Testing Guide [PDF]
5. Halt development processes when pentesting.
Pentesting uncovers threats and risks within some context in the environment. If you decide to change existing parameters or deploy new software during the test, it will jeopardize the result. It’s best to finish your development activities before the test to include new pieces of the environment in the testing scope.
6. Review the integrity of security measures and data after the test.
After the test, the testing team should cover their tracks: close created backdoors, delete exploitation scripts and temporary files, reverse settings changes, etc. However, you should double-check that:
- Security holes created for testing purposes are closed
- User accounts for testers are deleted
- Compromised credentials are changed
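One way to run the double-check from step 6, as an added example that is not part of the original article: compare a snapshot taken before the test with one taken after it. The snapshot layout, account names, ports, setting keys, and dates are constructed for illustration.

```python
from datetime import date

# Constructed snapshots of one host, taken before the pentest and after the testers' cleanup.
BEFORE = {
    "accounts": {"root", "alice", "svc-backup"},
    "listeners": {22, 443},
    "settings": {"ssh.PasswordAuthentication": "no", "fw.default_inbound": "deny"},
}
AFTER = {
    "accounts": {"root", "alice", "svc-backup", "pt-tester1"},
    "listeners": {22, 443, 4444},
    "settings": {"ssh.PasswordAuthentication": "yes", "fw.default_inbound": "deny"},
    "password_changed": {"alice": date(2024, 3, 1), "svc-backup": date(2024, 3, 20)},
}
COMPROMISED = {"alice", "svc-backup"}  # credentials the pentest report lists as obtained
TEST_END = date(2024, 3, 15)


def review_cleanup(before: dict, after: dict, compromised: set, test_end: date) -> list:
    """Return (issue, item) pairs for everything the post-test review still has to close."""
    issues = []
    # Accounts created for the testers that were never deleted.
    for acct in sorted(after["accounts"] - before["accounts"]):
        issues.append(("leftover account", acct))
    # Listening ports that did not exist before the test (possible leftover backdoor).
    for port in sorted(after["listeners"] - before["listeners"]):
        issues.append(("new listener", str(port)))
    # Settings changed during the test and not reversed (or removed entirely).
    for key, value in sorted(before["settings"].items()):
        if after["settings"].get(key) != value:
            issues.append(("setting not reverted", key))
    # A compromised credential counts as rotated only if changed strictly after the test ended.
    for user in sorted(compromised):
        changed = after["password_changed"].get(user)
        if changed is None or changed <= test_end:
            issues.append(("credential not rotated", user))
    return issues


if __name__ == "__main__":
    for issue, item in review_cleanup(BEFORE, AFTER, COMPROMISED, TEST_END):
        print(f"{issue}: {item}")
```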
If you choose a highly skilled testing team, use the practices we’ve listed above, and implement controls to mitigate discovered risks, you’ll take your cybersecurity to another level!
7. Don’t neglect remediation measures.
Penetration testing vendors often provide suggestions for risk remediation in their reports. If testing is conducted rarely (once a year or less) or includes a large scope of tasks, it will probably uncover lots of critical risks, and remediation actions will require a substantial amount of time and money.
Of course, in order to cut costs, you can postpone remediation or fix only the most critical issues. But if you feel you don’t have enough resources to act upon the results of pentesting, it’s best to limit yourself to internal vulnerability scanning instead of conducting a full-scale pentest.
Risk assessment is a hard-to-execute but vital part of the risk management process. It helps you identify, assess, and prioritize the mitigation of an organization’s cybersecurity risks. There are a lot of methods for conducting a risk assessment, including penetration testing, red team testing, and risk-based testing. But it’s hard to overestimate the importance of penetration testing in this process: it allows for complex evaluation of security controls and simulating a real-world attack on the protected environment.
At Apriorit, we have vast experience conducting both penetration and security testing. Our team includes testers with Systems Security Certified Practitioner certifications. Our combination of theoretical knowledge, practical experience, and motivation to study new testing tools and approaches allows us to conduct the most thorough tests and assessments.