Worldwide cybersecurity spending will reach $124 billion in 2019. However, many executives don’t know if they are spending in the right areas and on the right solutions to reduce their company’s cyber risk. Cybersecurity testing reveals the true ramifications of a breach to your network.
Sleep better at night. Our tailored cybersecurity testing illuminates your system’s weaknesses so you can address them, clearing the way for peace of mind.
BitSecure's range of cybersecurity assessment and penetration testing services can help identify where you are vulnerable and help you mitigate the threat of attack.
Download Penetration Testing Security Plan
We offer six confidence-building core categories of real-world testing.
Pen-testing of cloud-based apps
Penetration testing, the practice of testing a computer system, network, or hosted application to discover vulnerabilities that an attacker could exploit, is a necessary evil these days, when security breaches make the national news and breached companies, such as Home Depot, have to pay out big settlements.
The value of this type of testing is that it keeps the security team on its toes and lets it understand issues as they arise. Compared with the cost of recent settlements, pen testing is cheap insurance: it surfaces exploitable weaknesses so they can be fixed before an attacker finds them.
The growth of the cloud has led to some interesting angles on pen-testing. Cloud-based applications need to be pen tested just as their on-premises counterparts do. However, pen-testing applications that run in public clouds comes with complexities you must deal with, including legal and technical obstacles. To help address these challenges, here is how to approach cloud-based pen-testing.
Understand the policies
Leaving private clouds aside for now, every public cloud provider publishes a policy on penetration testing. Some require you to notify them or request approval before you test; most restrict what you may do (denial-of-service testing and attacks on shared infrastructure are typically prohibited outright). So, if you have an application that runs on a public cloud and would like to pen test it, you will need to research the process your cloud provider requires before you start. Not following that process can lead to trouble: to the provider's monitoring, a vulnerability scan or brute-force test looks much like an attack, and it may result in your account being suspended.
Cloud providers monitor their infrastructure for anomalies. In some cases a human will call you to find out what is going on. More often, automated defences throttle or block the offending traffic without warning, and in serious cases the account itself is suspended. You could come into the office the next day to find that your cloud-hosted storage, databases, and applications are offline, and you will have some explaining to do to get them back up and running.
The Privacy Act 2009 obliges an organisation to take reasonable steps to protect personal information from misuse, interference, and loss, and from unauthorised access, modification, or disclosure.
Appropriate steps should also be taken to ensure that third parties, including the pen-testing provider and the cloud provider, meet those Privacy Act obligations.
Create a pen-testing plan
Those who plan to do a cloud application pen test first need to create a pen-testing plan. Items covered in the plan should include:
Application(s): Identify the applications in scope, including their user interfaces and APIs.
Data access: Identify whether data will be tested through the application, directly against the database, or both.
Network access: Identify how well the network protects the application and its data.
Virtualisation: Identify how well the virtual machines isolate your workload from other tenants.
Compliance: Identify the laws and regulations that apply to the application and its data.
Automation: Identify the automated pen-testing tools (cloud-based or not) that will be employed for the pen test.
Approach: Decide whether the application admins are told about the test. Keeping them in the dark can be more telling, because you see how they react to what they think is a real attack; however, most application admins resent this approach.
The test plan should be agreed by the pen-testing team and the application owner, and each part of the plan should be followed. Any exceptions that occur are part of the results, such as an application admin noticing the pen test and blocking the pen-testing team's access.
Selecting the right pen-testing partner
Any penetration testing company worth their salt will conduct a thorough scoping exercise to flesh out your goals and objectives, as well as properly ascertain the size and breadth of the assessment.
A common practice is for clients to request a black box (testing without prior knowledge) test. While in some cases this is beneficial, it usually ends up costing you a lot more money for less value. An ethical penetration testing company will guide you to get the most value out of your penetration test.
In short, a penetration test is a critical activity that requires planning, well-defined methodologies, and a trusted organisation. When selecting a penetration testing partner, make sure that they work with you from build-up, where detailed requirements are defined, all the way to close-down, at which point you should have a clear understanding of the next steps you need to take so that the penetration test meets your business requirements.
The outcome of this whole process is a list of the vulnerabilities discovered by the pen-testing. The list may run well past a hundred issues, or as few as two or three. If there are none, your pen test may not have been as effective as it should be, and you may want to re-evaluate the scope and tooling and retest.
Vulnerabilities found while pen-testing cloud-based applications typically look something like this:
Application data accessible through the xxxxx API without authorisation.
API still accepts requests after 10 failed authentication attempts (no lockout or rate limiting).
VM not isolating the workload properly from other tenants.
Application password guessed using an automated password-guessing tool.
VPN allows outside access when DNS is disabled.
Encryption not compliant with current regulations.
Of course, the types of issues we find will vary, depending upon the type of application and type of pen test performed.
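Two of the findings above, an API that keeps accepting guesses after repeated failures and a password recovered by an automated guessing tool, are really the same weakness seen from two sides. The following is an added example, not code from the original page or from BitSecure, that simulates a login API in both its vulnerable and hardened forms and runs the same automated guess against each. The account name, the weak password, and the wordlist are constructed for the example.

```python
"""Simulated login API: the 'no lockout' finding beside its hardened form."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed sample data (not from any real system): one service account
# with a weak password that a wordlist will contain.
_SALT = os.urandom(16)


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"svc-account": _hash("summer2023")}
# Hash compared against when the user does not exist, so that a missing
# account takes as long to reject as a wrong password (no username enumeration).
_DUMMY_HASH = _hash("")


class VulnerableLoginApi:
    """Every guess is checked; nothing stops a client from trying forever."""

    def login(self, user: str, password: str) -> bool:
        stored = USERS.get(user, _DUMMY_HASH)
        return user in USERS and hmac.compare_digest(stored, _hash(password))


@dataclass
class HardenedLoginApi:
    """Same check, but the account locks after max_failures failed attempts."""

    max_failures: int = 5
    failures: dict = field(default_factory=dict)

    def login(self, user: str, password: str) -> bool:
        if self.failures.get(user, 0) >= self.max_failures:
            # Refuse without evaluating the guess; a real API would return an
            # explicit 'locked' response and alert on it.
            raise PermissionError(f"{user} locked after {self.max_failures} failed attempts")
        stored = USERS.get(user, _DUMMY_HASH)
        ok = user in USERS and hmac.compare_digest(stored, _hash(password))
        if ok:
            self.failures.pop(user, None)
        else:
            self.failures[user] = self.failures.get(user, 0) + 1
        return ok


# Constructed wordlist standing in for the automated password generator.
WORDLIST = [
    "password", "Welcome1", "admin123", "letmein", "qwerty",
    "summer2022", "summer2023", "Passw0rd",
]


def brute_force(api, user: str, wordlist):
    """Try each candidate in turn.

    Returns (password_or_None, attempts_made, locked_out). Against the
    vulnerable API the weak password falls out of the wordlist; against the
    hardened API the account locks before the wordlist reaches it.
    """
    attempts = 0
    for guess in wordlist:
        attempts += 1
        try:
            if api.login(user, guess):
                return guess, attempts, False
        except PermissionError:
            return None, attempts, True
    return None, attempts, False


if __name__ == "__main__":
    print("vulnerable:", brute_force(VulnerableLoginApi(), "svc-account", WORDLIST))
    print("hardened:  ", brute_force(HardenedLoginApi(), "svc-account", WORDLIST))
```

The same wordlist recovers the password from the vulnerable API on the seventh attempt and is stopped by the hardened one on the sixth, which is the behaviour a pen tester would record as "lockout enforced after 5 failures". A per-account lockout is the simplest control; in a real cloud API it is usually paired with per-source rate limiting so that a distributed guess across many accounts is throttled too.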
Also, keep in mind that there are different layers. The application, network, database, storage system, and so on should each be tested separately, and issues should be reported separately for each. The layers should also be tested together to see how they interoperate and whether issues arise at the boundaries between them. Reporting what occurred at each layer, and then holistically, is best practice.
Make sure to work with your cloud provider regarding not only the legal and policy issues that are part of pen testing, but also how it recommends you perform pen-testing on your applications in its cloud. Most will have a process to follow that will yield the best results from your efforts.