Security spending is a priority at many organizations today. Looking to adhere to best practices and compliance mandates, more businesses are instituting annual network penetration testing. This move to be proactive is cause for optimism. Yet, many businesses could experience a more effective and cost-efficient penetration test with deeper understanding of their own networks.
That’s what the information in this article will help you achieve.
What Do Network Penetration Tests Accomplish?
The cost of network downtime, including labor and impact of services, ranges from $20,000 to $200,000 per hour. It’s no surprise, then, that many businesses are mandating network pen testing.
In network penetration testing the primary aim is to identify exploitable vulnerabilities in networks, systems, hosts and network devices (i.e.: routers and switches) before hackers discover them and wreak damage.
Thorough network penetration testing:
- Reveals real-world opportunities for hackers to compromise systems and networks for unauthorized access to sensitive data or even take-over systems for malicious/non-business purposes.
- Simulates an attack to understand the level of risk for your organization
- Helps address and fix identified network security flaws.
The idea is to view your systems through the eyes of both a hacker and an experienced network security professional to discover where your security posture can improve.
Before you take that step, though, it’s important to have a clear and accurate understanding of your own network(s).
Understanding Your Network’s Complexity
The network is often the nerve system of an organization — storing its information and driving its communication. Your network allows everyone in the enterprise to access tools they need to be successful. At the same time, your business must make sure that no one gains unauthorized access.
Network penetration testing helps by taking a comprehensive look at:
- Network routers
- Virtual Private Networks
- Content Filtering/AV
- Network Switches
- Intrusion Detection Systems
- Intrusion Prevention Systems
The size and complexity of the network will dictate the time and cost of the network penetration test. Thus, an organization can better budget and plan for pen testing by providing more detailed answers to the security consultants’ scoping questionnaire.
Providing a comprehensive network architecture map — depicting external, internal, and wireless — to your consultant is a good starting point too.
Penetration testing begins with information gathering about the network. For example, your testers will need to take into account the number of live IP addresses. Typically host and service discovery includes initial domain foot printing, live host detection, service enumeration, and operating system and application fingerprinting.
The challenge with understanding your network’s complexity is that networks are continuously changing shape. The number of features, length of routing table configurations, and firewall configurations can all grow and shift. Each added piece of equipment adds complexity, greater potential for latency, and can require the introduction of more proprietary code.
At the same time, operators often only fully understand the part of the network they specialize in. Some enterprises implement multi-vendor networks to bring down initial costs, but this choice can lead to higher operating risk. Ultimately, as the IT infrastructure gains complexity, an overall picture of the entire network becomes increasingly elusive.
This network complexity further reflects more than the physical network itself. The management system, human operators, and even external interfaces all represent additional facets to be considered in penetration testing. It’s important to share and weigh these factors with your consultant before your penetration testing gets underway.
This complexity also influences security rules, which can lead also to greater inconsistencies or conflicts.
In a study of 127 IT professionals, more than half of respondents “from mid-sized (identified as 50-2500 employees) and enterprise organizations (identified as 2500+ employees) organizations (identified as 2500+ employees) stated that complex policies ultimately led to a security breach, system outage or both.”
This effectively means that the very attempts to secure the network actually led to the problems they were trying to avoid!
No wonder a familiar phrase in our biz is, “complexity is the enemy of security.” We’re much bigger fans of predictability and transparency.
Ultimately, when you have a better view of your network complexity going into your pen test:
- Your testers can be more efficient
- You can control budget more easily as you can better dictate scope
- You will better understand what the testers are doing and why
- Your questions of testers can be targeted and specific — saving time on both sides of the table
- Your remediation efforts may be expedited since you will be prioritizing and making changes based on a deeper comprehension of how all network elements are integrated.
Network Penetration Testing with RedTeam
RedTeam Security‘s comprehensive method for network penetration testing covers the classes of vulnerabilities in the Penetration Testing Execution Standard (PTES) and the Information Systems Security Assessment Framework (ISSAF), including but not limited to: CDP attacks, MIME testing, DNS enum/AXFR, SMTP relay, SNMP recon, port security, brute force, encryption testing and more.
Our consultants produce their network pen test findings in written reports and provide your team with the guidance necessary to effectively remediate any issues we uncover–and remediation testing is always 100% free.