“We don’t need penetration testing, we’re so small” is what we often hear when speaking to prospects about security assessments. To many security folks, this is simply absurd. Vulnerabilities exist in software, hardware, and configurations regardless of organization size. Furthermore, there are now regulatory requirements for penetration testing to be conducted regardless of organization size.
So, does a small business require penetration testing? How can a small business make penetration testing effective given limited resources? In this article, we will explore some aspects of penetration testing and provide some tips on how to make it effective for a small business.
Before that, what exactly is penetration testing?
In penetration testing, we attempt to look for vulnerabilities in web or network systems and applications that are exploitable by an attacker. The use of tools and publicly available exploits helps a penetration tester to be more effective in the assessment.
A vulnerability assessment is a surface-level scan of the web application or network ports for indicators of vulnerabilities such as version numbers and open ports. Issues reported after a vulnerability assessment may contain false positives as they are only based on initial indicators. Penetration testing goes one step further and attempts to exploit the issues found, to confirm that they are indeed vulnerabilities.
Generally, we recommend performing penetration testing before a new system is commissioned or when there are significant changes to the environment or code. For existing systems, it is recommended to perform it annually, with more frequent testing for sensitive systems such as systems dealing directly with critical processes, privacy data, or financial data. It is always recommended to perform both automated and manual penetration testing to get a comprehensive assessment result.
Considerations for Penetration Testing
Penetration testing can be costly and may be time-consuming depending on the complexity of the system. As small business owners will always face resource constraints, penetration testing should be strategized to maximize its benefit. Business owners can consider the simple steps listed below to make an informed choice.
1. Gather the organization’s critical information system assets
Many of the small businesses we work with do not have the full picture of what information systems they are running to power their business. These systems could range from an e-commerce web application bringing in revenue to an internal Human Resources (HR) system to manage employee time-off. These systems could be run directly by the business or could be a managed service by a provider. Small businesses should focus testing on the systems they run themselves, as a managed system may have already been tested by the service provider. Besides, a managed service provider likely would not allow penetration testing on its platform without explicit permission, so check the T&Cs.
2. Determine the possible threats
Once you have identified the critical systems, determine the possible threats that each system may face. Start by determining whether the application is Internet-facing, as that means it can be attacked by any member of the public. Focus on Internet-facing applications/networks.
More exposed interfaces also mean more threats to the system. A system with only a web application (exposed web service) may not be as vulnerable as a system with multiple services (web, email, database, etc.) running on it. Focus on the system with more interface exposure.
Next, determine who the targeted users of the application are. If an organization does a good job vetting and auditing its users, they will pose less of a threat to the system than external users who have little incentive to use the system in good faith. This difference makes it crucial to pay more attention to systems which allow external users. Focus on applications used by external users.
Lastly, systems or networks dealing with sensitive information cause more damage when compromised. If you need to make a choice between a system storing sensitive information such as Personally Identifiable Information (PII) or credit card details and a system storing public information, focus on the system storing sensitive information.
One more thing: you may not classify regulatory requirements as threats, but you will once they start costing you money or hindering your ability to operate your business. Focus on regulatory requirements.
3. Prioritize threats by risk level
“I’ve identified the threats and there are so many of them, which ones do I tackle first?” might be the question that is bothering you right now. To tackle this problem, business owners have to prioritize them according to risk level. IT risk is determined by the impact the threat will bring to the network or system and the likelihood of it happening.
Ultimately, it is the risk to the business that we are talking about. Systems with high-risk threats to the business should always be addressed first, followed by medium and low threats. Risk assessments can be complex but achievable once broken down into simple steps.
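The three steps above can be carried through on a small inventory. The following is an added example, not part of the original article: the asset names, scoring weights and band thresholds are assumptions chosen for illustration, and only the factors themselves (self-run vs managed, Internet-facing, interface exposure, external users, sensitive data, regulatory requirement, impact times likelihood) come from the text.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    self_run: bool         # False = managed service operated by a provider
    internet_facing: bool
    exposed_services: int  # web, email, database, ...
    external_users: bool
    sensitive_data: bool   # PII, credit card details
    regulated: bool        # a regulation requires testing this system

def likelihood(a: Asset) -> int:
    # Assumed weights: Internet exposure counts most, then extra services
    # and unvetted external users. Result is 1..5.
    return (1 + (2 if a.internet_facing else 0)
              + (1 if a.exposed_services > 1 else 0)
              + (1 if a.external_users else 0))

def impact(a: Asset) -> int:
    # Assumed weights: sensitive data and regulatory exposure. Result is 1..5.
    return 1 + (2 if a.sensitive_data else 0) + (2 if a.regulated else 0)

def band(risk: int) -> str:
    # Assumed thresholds on the 1..25 impact x likelihood scale.
    return "high" if risk >= 15 else "medium" if risk >= 6 else "low"

def build_plan(assets):
    """Return (ranked in-scope systems, managed services needing permission)."""
    ask_first = [a.name for a in assets if not a.self_run]
    scored = [(a.name, likelihood(a) * impact(a)) for a in assets if a.self_run]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(n, r, band(r)) for n, r in scored], ask_first

# Constructed sample inventory for a fictional small business.
INVENTORY = [
    Asset("HR time-off system", True, False, 1, False, True, False),
    Asset("hosted email", False, True, 2, True, True, False),
    Asset("e-commerce web app", True, True, 3, True, True, True),
    Asset("partner ordering portal", True, True, 1, True, True, False),
]

if __name__ == "__main__":
    plan, ask_first = build_plan(INVENTORY)
    for name, risk, level in plan:
        print(f"{level:<6} {risk:>2}  {name}")
    print("check provider T&Cs before testing:", ", ".join(ask_first))
```
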
If there is no requirement to hire a third party for independent testing, or there is some in-house security assessment expertise, small business owners can consider using open-source tools to conduct penetration testing on their own networks or systems. The following list contains some tools that we have found to be particularly effective in our assessments and that are widely used in the cyber security industry at large:
- Kali Linux
- Burp Suite Free
- Zed Attack Proxy (ZAP)
The tools may be free to use but it is important to be able to interpret the results. Being able to identify false positives will save a great amount of time. I have seen customers who, before turning to Horangi, panicked over the inability to resolve a security issue that turned out to be a false positive after we dug deeper.
Penetration testing is challenging for people who aren’t accustomed to the processes, methods, and meaningful use of the test findings. Despite these hurdles, the right research, tools, and people can provide you valuable data to refine the security of your top business assets.