It’s no secret that constantly evolving security threats pose dangers to your organisation, but you may not be aware of the high rate of occurrence of cyber attacks and the likelihood that your organisation’s ‘secure’ network system may be targeted next.

A recent report by Rapid7, an IT security company, found that two thirds of software networks are vulnerable to basic hackers, leaving client data, company passwords, intellectual property, stored data and even banking data liable to be accessed by ‘hackers for hire’. The Rapid7 report states that the reason for the large number of susceptible organisations is that most IT infrastructure contains the same software and hardware components. Therefore, “all networks tend to be vulnerable to the same common misconfigurations that have the same vulnerability profiles.” The recent WannaCry ransomware attack demonstrates precisely the dangers of the global expansion of hacking operations.

Fortunately, the ‘homogenous environment’ of network systems also allows for easy defence mechanisms through regular security testing and investigation into network vulnerabilities.

With the risk of cyber incidents for small and large organisations growing, and the significant potential impact a cyber incident can have for the future of your organisation, it is imperative that security testing be regularly conducted for the viability and protection of your network systems.

Here’s an overview of some techniques that may be conducted either by a manual tester or a software program to test your network’s security and an analysis of the benefits of each.

What is security testing?

Security testing involves the probing and assessment of information systems with the end goal of exposing possible vulnerabilities in these systems. This in turn provides an analysis of which security measures would be most beneficial to your organisation and its needs. There are a variety of ways this can be done depending on the nature of the information system and the context that the system is working within.

1. Network vulnerability scans

This test is a simple method to quickly detect common vulnerabilities using a scanning tool which reports and ranks the vulnerabilities with severity ratings.

The scan examines a computer’s source code to uncover possible mistakes made in the software’s initial development phase. This may involve the use of third-party source code analysers to uncover known insecurities in file patterns, or tools specifically designed to analyse abnormal code. To complement the scan, the system’s code can be wholly or partially reviewed by a manual tester.

This method can be effective at detecting problems early if undertaken regularly. However, the effectiveness of network vulnerability scans is limited: the scanning tool’s database contains only known vulnerabilities, so scans are unable to detect unreported flaws.

2. Penetration testing

Penetration testing involves testing an organisation’s technology and information security infrastructure by allowing ‘skilled hackers’ to uncover possible vulnerabilities that may expose the system to ‘rogue hackers’. ‘Skilled hackers’ or ‘Testers’ attack the network services and applications to exploit vulnerabilities that network vulnerability scans may miss. This provides a realistic understanding of the penetrable flaws in a network system. Penetration testing is one of the more expensive and time-consuming methods of security testing but can also be the most effective if testers are given a wide scope of systems to ‘attack’ and investigate.

3. Examination of a local instance of the application

By running an application, a Tester can investigate its operation and then probe it to uncover how users interact with the application. This can expose potentially vulnerable code paths which may be missed by other tests.

4. Security configuration reviews

Security configuration reviews examine and investigate an information system’s security configuration, and the communication avenues between programs in their security-critical settings, to ensure that these processes are secure.

5. Scanning for vulnerabilities in supporting third party services and libraries

This important step aims to protect your system from vulnerabilities in third party software and can involve a variety of processes and tools depending on the types of software you are using.

The benefits of security testing are significant. Early detection of vulnerabilities and the implementation of personalised protection measures will not only save your organisation from potential administration, software and legal costs in the future but will also protect the sensitive data of your organisation and its clients.

In today’s constantly evolving digital landscape, organisations of all sizes are more vulnerable than ever. Security testing is a tactic organisations can use to ensure baseline security to protect data assets and network systems from being hacked or accessed by intruders.

Sainty Law’s expert Cyber Resilience Framework can assist with your choice of security testing and cyber protection. Contact us to speak to our specialised cyber security team.
