Cyber Security Testing: Types Of Test and Planning
What is Cyber security testing?
Cyber security testing is designed to assess the security of your systems, identify vulnerabilities, recommend areas for improvement, and provide advice to help you conform to best-practice security standards and resolve the security issues found.
Depending on the type of security testing, the process can involve a combination of document and configuration review, automated testing tools, and manual testing techniques to evaluate your system’s state of security and produce a report detailing a recommended list of actions to improve your overall security posture.
Why Cyber Security testing is important
Security testing is a crucial step for businesses to identify vulnerabilities, protect themselves from cyber attacks, and improve their overall security posture, minimizing the possibility of a security incident occurring.
The Verizon Data Breach Investigations Report 2023 analyzed 16,312 security incidents, of which 5,199 were confirmed data breaches. Note that these figures cover the roughly twelve months of data the report collected, not calendar year 2023.
The overall cost of cyber attacks or a security incident occurring can be expensive, impacting your business and finances in multiple ways.
- A security incident often causes system downtime, both while the incident is ongoing and while you recover from it, preventing you from carrying on your day-to-day business.
- Your employees' time may be consumed by the recovery effort, or you may need to bring in costly third parties to respond to the incident quickly.
- Depending upon the security incident you may have a loss of sensitive data, or intellectual property.
- There can be reputational damages in the aftermath of a security incident if your clients determine you can no longer be trusted.
- Depending upon the country you are based in, there can be legal or regulatory fines for not adequately securing your business and client data against potential vulnerabilities and threats.
- Insurance premiums can be impacted as a result of a security breach with your ongoing costs of coverage increasing.
Some companies never recover once impacted by a security incident and have to close. Taking a proactive approach to security, and arranging a test against your security measures, provides greater assurance that you will remain protected from the latest emerging threats.
The majority of security incidents originate from external threats. However, a large proportion of these are non-targeted attacks, in which the attacker uses automated tools to scan and attack thousands of businesses, devices, or user accounts indiscriminately, and yours simply happens to be reachable.
Avoiding being part of these large lists of targets is typically not possible, so ensuring you have a defense-in-depth security strategy that includes proactively looking for and resolving security issues is recommended.
Types of Cyber Security Testing
Security testing can focus on your business’s policies and processes, user training and awareness, but also more technical aspects such as mobile devices, operating systems, network security, and application security.
A security assessment can be designed to target multiple systems with different levels of access permissions, intended aims, and outcomes. It is important to arrange the right type of test which is suitable for your security requirements.
Risk Assessment
A Risk Assessment is a process of reviewing each of your existing processes, systems, assets, and users. This process will cover the specific details regarding the purpose of each target system such as the data it stores and processes, who has access, and where it is located.
Details such as this will be reviewed for all aspects of your business assets. The aim is to build up an overview of how your business is currently operating so that potential risks and vulnerabilities can be identified and solutions recommended to resolve these risks.
The identified risks can relate to a large range of possible issues, such as single points of failure within your business, where a backup system or secondary person with equivalent knowledge and training may be recommended.
Risks can also relate to other business aspects such as external risks to your business where a supplier goes out of business or a large client switches their provider.
Security Audit
A security audit will methodically go through the security processes and controls you have in place, and assess your layered approach to security.
Auditors will review your policies, processes, and approach to securing your business. This can include a review of your encryption standards, how your defense and monitoring systems have been set up, and how cybersecurity testing is arranged.
The audit should also review your security strategy as a whole: how you verify that it is working as intended, how security flaws are raised and tracked when identified, and how the process is improved over time.
The audit will often include elements of a vulnerability scan, code review, configuration review, and penetration test to ensure that the security controls you have set up are operating as intended.
A security audit can be in-depth and cover a substantial portion of your business processes. Security audits can often be done when working towards achieving different compliance standards such as ISO 27001, and so an auditor with specific experience in your targeted compliance standard can be useful to help your organization prepare.
Vulnerability scanning
A vulnerability scan is typically completed using automated tools and can focus on several different assets, depending on what is agreed to be assessed.
This could be a vulnerability scan against web applications, network devices, computer systems, cloud computing solutions, and several other assets your business may make use of. For a more detailed overview of organizing a vulnerability scan, review the following post “A Vulnerability Scan Guide“.
Some vulnerability scanning can make use of a cybersecurity testing company and penetration testers, which can be referred to as managed scanning.
The main difference is that an experienced penetration tester will review the output of the vulnerability scan, verify the results, and provide a more detailed and accurate report of the identified security flaws.
Configuration Review
In a configuration review, a cyber security consultant is given authenticated (usually administrative or read-only) access to your systems so they can assess how a specific device or system is configured against a range of industry best-practice standards, such as vendor hardening guides or CIS Benchmarks, and identify potential vulnerabilities in the settings themselves.
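To make the configuration review concrete, the following added example (not code from the original article) shows the automated first pass a consultant typically runs before examining deviations by hand: parse an exported configuration, evaluate each directive at its effective value, and report anything outside the baseline. The baseline is a hypothetical one modelled on common OpenSSH hardening guidance, and the `sshd_config` text is a constructed sample; a real review uses the vendor or CIS Benchmark values for the exact system and version under test.

```python
"""Check a configuration export against a hardening baseline.

Added example, not from the original article. The BASELINE below is a
hypothetical one modelled on common OpenSSH hardening guidance, and
SAMPLE_SSHD_CONFIG is a constructed sample; a real review uses the
vendor or CIS Benchmark values for the specific system and version.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of an sshd_config as it might be exported from a server.
SAMPLE_SSHD_CONFIG = """
# OpenSSH server configuration (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 6
LogLevel INFO
"""


@dataclass(frozen=True)
class Expectation:
    """Acceptable values for one directive, the daemon default that applies
    when the directive is absent, and the severity of a deviation."""
    allowed: tuple[str, ...]
    default: str
    severity: str


# Hypothetical baseline (an assumption for this example, not from the article).
BASELINE = {
    "PermitRootLogin": Expectation(("no", "prohibit-password"), "prohibit-password", "High"),
    "PasswordAuthentication": Expectation(("no",), "yes", "High"),
    "PubkeyAuthentication": Expectation(("yes",), "yes", "Medium"),
    "X11Forwarding": Expectation(("no",), "no", "Low"),
    "MaxAuthTries": Expectation(("1", "2", "3", "4"), "6", "Low"),
    "LogLevel": Expectation(("VERBOSE",), "INFO", "Low"),
}

SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}


def parse_config(text: str) -> dict[str, str]:
    """Parse 'Directive value' lines. Blank lines and lines starting with '#'
    are comments. Directive names are case-insensitive and, as in sshd, the
    first occurrence of a directive wins. Conditional 'Match' blocks are not
    modelled here."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def review(text: str, baseline: dict = BASELINE) -> list[dict]:
    """Return deviations from the baseline, highest severity first.

    An absent directive is evaluated at its default, because an implicit
    weak setting is just as exploitable as an explicit one and is easy to
    miss when only reading the file."""
    settings = parse_config(text)
    findings = []
    for directive, exp in baseline.items():
        explicit = settings.get(directive.lower())
        effective = explicit if explicit is not None else exp.default
        if effective not in exp.allowed:
            findings.append({
                "directive": directive,
                "found": effective,
                "source": "explicit" if explicit is not None else "default",
                "expected": exp.allowed,
                "severity": exp.severity,
            })
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_SSHD_CONFIG):
        print(f"[{f['severity']}] {f['directive']} = {f['found']} ({f['source']}); "
              f"expected one of {', '.join(f['expected'])}")
```

The important design point is the `source` field: a review that only greps for explicit lines will miss a directive that is silently at a weak default, so each check is evaluated against the effective value.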
A separate category is Code Review or Code Analysis. This assessment grants a security assessor access to your source code so they can review it against a set of secure coding standards and identify vulnerabilities and security weaknesses in the code itself.
This type of code review is often combined with a penetration test to form a Code Assisted Penetration Test, where the assessor reviews the code to identify candidate vulnerabilities and then carries out a practical assessment to determine whether each one can actually be exploited.
Penetration Testing
Penetration testing, sometimes referred to as Ethical Hacking, is designed as a hands-on manual approach to cybersecurity testing. A penetration tester will often use a combination of automated tools themselves, in addition to following a manual penetration testing process and techniques to identify and exploit security vulnerabilities within your systems.
As a result, penetration testing will likely produce more accurate findings than a vulnerability scan with examples of exploitation methods and greater context on how the issues can impact your business, however, a penetration test will likely cost more than a vulnerability scan.
Penetration testing can focus on a wide array of different systems including applications, infrastructure, mobile, and wireless testing, and can therefore be more flexible and cover more systems and devices than automated vulnerability scanning otherwise would.
Compliance-Based Security Testing
When looking to achieve a specific compliance standard, cybersecurity testing may be a prerequisite of this standard. In this case, you are required to have a specific type of test done against a predefined set of assets.
Whereas with other security testing methods, you can determine what you want to have tested and how the approach to testing will be carried out based on your security concerns or budget, with a compliance-based security review, the requirements for the test are predefined by the compliance standard.
With a compliance-based security review, you should work with a security testing partner who is qualified to carry out the testing requirements of the compliance standard and create a report that adheres to the requirements.
These compliance reports are often combined with other documented requirements which are then submitted to a governing body of the compliance standard, which will determine if you are to be awarded a compliance certification.
Physical Security Assessment
Physical security assessments are usually grouped with social engineering tests. Social engineering targets your people rather than your systems, so these tests typically involve interaction with staff, and they can cover several aspects of your physical and procedural access controls.
Social engineering is an umbrella term for several different types of security test, including the following.
- Phishing can form part of this assessment. A security tester will send emails to a list of approved targets, in an attempt to review your security policies, staff training, and inbound/outbound email restrictions.
- Smishing operates in the same way as phishing but uses text messages. It also assesses your staff training and security policies, as the message will typically try to persuade a member of staff to send sensitive data directly to the security tester.
- Physical Security tests are primarily designed to assess the company’s security controls at physical locations and the responsiveness of staff to unknown individuals.
Tests such as this have to be planned with careful consideration, taking into account the security of your business but also the response from staff members who may be unknowingly involved in a security assessment.
Pros and Cons of A Cyber Security Test
The Benefits of Security Testing
Improve your overall security posture
A cyber security assessment will provide you with insight into your current state of security, recommending solutions to improve your security posture and further secure your business from potential threats from both external and internal sources.
Meet compliance requirements
Where you aim to adhere to a compliance standard, to provide assurance to your clients, or to qualify for additional business opportunities, a cyber security assessment is often a key part of meeting your compliance standards.
Greater peace of mind
A large number of data breaches are recorded each year, and the costs of a security incident can be high, with many businesses having to close after being impacted. Carrying out a security review can provide peace of mind that you have taken the necessary steps to proactively secure your business from potential threats.
The Negatives of Security Testing
Security Testing can be expensive
Security testing can often be expensive and depending upon the type of security testing you require, the costs can quickly escalate. This can often lead to delayed security testing or no security testing. While security testing can be costly, the compromise of an organization’s systems is typically more expensive to recover from and can result in the closure of a business.
Testing can sometimes be disruptive to business operations
Security testing can require a considered approach to arrange how it will be conducted. There can be disruption to day-to-day business operations if security testing is not planned out, as the security assessor will often need access to systems, and the testing approach can interrupt normal operations if not scheduled around planned business operations.
Vulnerability scanning can produce false positives
Some types of security testing, automated vulnerability scanning in particular, can produce "false positives": vulnerabilities are reported that do not actually exist. This is frustrating when time is wasted attempting to fix an issue that is not there, which is why scan output should be verified by a tester before remediation work is scheduled.
Choosing the right Testing Partner
When considering a testing partner, it’s important to take a considered approach. While you may run a vulnerability scan yourself multiple times a year, for manual security reviews many companies may only carry out one test a year due to its expense and budget restrictions.
Making sure you have chosen a trusted testing partner is therefore important for your peace of mind and to avoid unnecessary expenses.
Do you have Compliance Requirements to meet?
Where you are aiming to achieve a specific compliance standard, confirm that your testing partner holds the qualifications the standard requires of a testing company, and that the security tester assigned to you has experience working with that standard.
Reviewing Example Security Testing Reports
Where you are unfamiliar with security vulnerabilities, a detailed report and follow-up calls or meetings are important to arrange, so that you fully understand each reported finding and its context for your business.
Where your testing partner has example reports for you to review, you can ensure there is sufficient detail within these reports, described in an easily digestible manner. You can also discuss any necessary aftercare with a testing partner, to ensure there is an opportunity for follow-up calls and meetings to review the work completed.
Are Retests of Identified Vulnerabilities Included?
Depending upon the testing company, many will also offer to retest the vulnerabilities they identified once you report that you have resolved them.
This gives you an updated report that either confirms the issues have been effectively resolved or identifies which ones still require further work.
What are the Testing Methodologies which are Followed?
An established cyber security testing company will have a documented process and methodology through which they work, ensuring that your security assessment is carried out in a standardized manner and that a defined set of vulnerability classes is checked for on every engagement.
If you can review methodology documents from different companies you may find that some include tests that others do not as part of their standard process, in which case you may want to request certain testing types are included.
Additionally, you may have a specific security concern with your system and request assurance that tests are in place which will address these specific concerns.
What is the Cost Compared to Others?
The cost of a security testing company will inevitably become a factor when considering multiple companies. While the cheapest company does not necessarily represent the best value, the most expensive doesn’t necessarily represent the best quality.
Many factors affect the standard of a security assessment. In many instances it depends heavily on the individual tester assigned to your project: their experience, expertise, and time in the industry all shape the quality of the work.
Different testers, even within the same company, can produce vastly different outputs.
Checks on standardized methodologies, testing processes, example reports, and confirmation of qualifications can help to limit this variation of output and ensure you work with a trusted testing partner.
How Often Should You Conduct a Cyber Security Test?
The frequency of cybersecurity testing can vary based on the type of testing, what you are testing, and also your business requirements and budget.
If you are going through a software development lifecycle, you will likely have regular stages where you carry out functional testing to make sure the software is working as intended.
These same functional testing stages are an opportunity to carry out security testing, since it is more valuable to confirm that the product works securely than merely that it works. Depending on the development process, these testing stages may occur weekly or monthly.
If you are conducting routine security scanning, these are often carried out monthly or quarterly to ensure security issues are not introduced into your systems over time.
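Both the retest described under "Are Retests of Identified Vulnerabilities Included?" and the routine monthly or quarterly scanning described here come down to the same operation: comparing the current result set against the previous one to confirm what was fixed and to catch what has been newly introduced. The following added example (not code from the original article) does that comparison. Scanner export formats differ, so it assumes a simplified export, a list of findings each with host, port, plugin identifier, severity and title; both scan exports and the plugin names are constructed samples, not real scanner IDs.

```python
"""Compare two vulnerability scan exports: confirm fixes, catch regressions.

Added example, not from the original article. Assumes a simplified export
format (list of dicts with host, port, plugin, severity, title). The two
scans below are constructed samples; plugin names are illustrative labels.
"""

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4}

# Constructed sample: findings from the previous (or original) scan.
PREVIOUS_SCAN = [
    {"host": "10.0.0.5", "port": 443, "plugin": "TLS-1.0-ENABLED", "severity": "Medium", "title": "TLS 1.0 supported"},
    {"host": "10.0.0.5", "port": 22, "plugin": "SSH-CBC-CIPHERS", "severity": "Low", "title": "SSH CBC mode ciphers enabled"},
    {"host": "10.0.0.9", "port": 443, "plugin": "HTTP-NO-HSTS", "severity": "Low", "title": "HSTS header missing"},
    {"host": "10.0.0.9", "port": 3389, "plugin": "RDP-NLA-DISABLED", "severity": "High", "title": "RDP without Network Level Authentication"},
]

# Constructed sample: findings from the retest, or this cycle's routine scan.
CURRENT_SCAN = [
    {"host": "10.0.0.5", "port": 22, "plugin": "SSH-CBC-CIPHERS", "severity": "Low", "title": "SSH CBC mode ciphers enabled"},
    {"host": "10.0.0.9", "port": 443, "plugin": "HTTP-NO-HSTS", "severity": "Medium", "title": "HSTS header missing"},
    {"host": "10.0.0.9", "port": 8080, "plugin": "HTTP-DIR-LISTING", "severity": "Medium", "title": "Directory listing enabled"},
]


def finding_key(f):
    """Identity of a finding across scans: the same check on the same service.
    Title and severity are deliberately excluded, because scanners rename and
    rescore checks between plugin updates; a rescored finding is not a new one."""
    return (f["host"], f["port"], f["plugin"])


def by_severity(findings):
    """Most severe first; ties broken by key so output is deterministic."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK.get(f["severity"], 99), finding_key(f)))


def compare_scans(previous, current):
    """Classify every finding as resolved, new, or persistent, and note
    persistent findings whose severity changed between the two scans."""
    prev = {finding_key(f): f for f in previous}
    curr = {finding_key(f): f for f in current}
    resolved = [prev[k] for k in prev.keys() - curr.keys()]
    new = [curr[k] for k in curr.keys() - prev.keys()]
    persistent, rescored = [], []
    for k in prev.keys() & curr.keys():
        persistent.append(curr[k])
        if prev[k]["severity"] != curr[k]["severity"]:
            rescored.append({"finding": curr[k], "was": prev[k]["severity"], "now": curr[k]["severity"]})
    return {
        "resolved": by_severity(resolved),
        "new": by_severity(new),
        "persistent": by_severity(persistent),
        "rescored": rescored,
    }


def retest_passed(report, required_fixes):
    """True when every finding the retest was meant to confirm was present
    before and is absent now. A key never observed in the previous scan
    cannot be confirmed as fixed, so it does not pass."""
    resolved_keys = {finding_key(f) for f in report["resolved"]}
    return all(k in resolved_keys for k in required_fixes)


def needs_out_of_cycle_action(report, threshold="High"):
    """New findings at or above the threshold: issues introduced since the
    last scan that should not wait for the next scheduled cycle."""
    limit = SEVERITY_RANK[threshold]
    return [f for f in report["new"] if SEVERITY_RANK.get(f["severity"], 99) <= limit]


if __name__ == "__main__":
    report = compare_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    for bucket in ("resolved", "new", "persistent"):
        for f in report[bucket]:
            print(f"{bucket:10} [{f['severity']}] {f['host']}:{f['port']} {f['plugin']}")
    for r in report["rescored"]:
        print(f"rescored   {r['finding']['plugin']} {r['was']} -> {r['now']}")
```

Keying on host, port and check identifier rather than on the finding title is what makes the comparison stable across scanner plugin updates, and tracking rescored findings separately stops a severity bump on an old issue from being mistaken for a regression.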
Security audits and risk assessments may only need to be considered annually, which may also align with renewals of compliance certification standards.
While regular security testing on a set schedule is recommended, you should also react to events: the release of a critical security patch for a product you run, or news of an actively exploited vulnerability, should always trigger additional checks and scans outside the normal schedule.
Considerations Before a Cyber Security Test
When planning a cyber security test, prepare as much as possible in advance. Good preparation keeps business interruptions to a minimum, lets the testing partner spend their scheduled time on testing rather than on waiting for access, and so gives you the best value for your investment in security.
Where you have a critical system that requires security testing, there are several recommended approaches.
Preparing Data and System Backups
The first is to ensure backups are in place before any testing begins. Regardless of how cautious a security tester is, particularly if a system has never been tested before, unexpected events can occur.
These issues could be the result of an unexpected security issue or the designed functionality of the system. Regardless of the cause, ensuring you have a full backup and can quickly and easily perform a restore is crucial for your business continuity.
Creating a Test Environment
As an additional security measure against unexpected issues occurring that impact your system functionality, creating a test environment is recommended where possible.
This can act as a duplicate of your actual system but provides the security tester with a safe environment to carry out all their tests. In the event of any unexpected event being encountered, the impacts will not extend to your actual system and won’t impact your day-to-day operations.
Setting up Access and Test Credentials
Arranging system access and the necessary credentials for your security tester ahead of time saves a significant amount of testing time.
There can be many instances where your systems have specific access requirements, configuration information needs to be passed on, or several credentials need to be provided to the security testers.
Additionally, all of this access needs to be verified and tested to make sure the security tester can access what they need to complete their assessment.
Ideally, this is all communicated as part of the planning stages for the security assessment. As security testing can be expensive, having your hired security tester unable to access your system during their scheduled time, can be a costly delay.
Where you are carrying out an audit or risk assessment, ensuring you have all the necessary documentation and evidence of processes can ensure a smooth assessment.
As part of the planning and preparation stages, if not specifically told what to prepare, request a list of documents and policies the security tester intends to review so you can prepare as much as possible in advance.
During the Cyber Security Testing Phase
An ongoing security assessment may continue for a day, a week, or longer. During this time, it can be useful to ensure you are available to respond to issues and potential security flaws that arise.
Responding to Unexpected Events
Unexpected events do occur: a system may shut down, a firewall or intrusion prevention system may block the security tester's address, their test credentials may become locked out, or any number of other unforeseen problems may arise.
When this happens, being responsive and resolving the access issue quickly ensures that testing continues and the security tester is not left locked out and unable to complete the assessment.
Communication of the Assessment Process
You should also expect, or explicitly request, progress updates from your cyber security testers.
As tests can continue for days or weeks, regular updates on the testing process should ideally be provided by your testing partner, so you have assurance the test is proceeding as planned, and also so you can be made aware of any critical vulnerabilities that may be identified.
After a Cyber Security Test
The primary output of any cybersecurity test will be a report. This should provide a detailed review of your current setup, risks, cyber threats identified, how those issues can impact your business, and recommendations for how to resolve these issues.
A typical security report will also provide various metrics to grade individual issues. This should provide you with a prioritized list of issues to resolve, with the most critical being your primary focus.
Depending upon your testing partner, other useful information may also be included within a cyber security testing report.
This could include a “management summary” or “executive summary”, which is a high-level, non-technical overview describing your state of security and proposing policy and process changes.
In addition to a report, your testing partner may offer follow-up calls and meetings as part of their standard security testing process.
This provides you with the opportunity to review the provided report, its findings, and recommendations and to ask the security tester for further clarity on any details within the report.
Conclusion
Planning and preparing for regular cyber security tests should form an important part of your security strategy, working to improve your overall security posture.
Different types of security testing can provide a detailed review of your current security setup and offer guidance on how to improve your approach to securing your business.
As there are thousands of recorded incidents that occur each year, it is important to take the necessary proactive steps to identify threats, secure your systems, and protect yourself.
Although cybersecurity testing can be a challenging process, particularly if you have no prior experience with organizing a test, the benefits you receive when working with a valued testing partner can outweigh the initial difficulty in planning.
Where you have any further questions regarding different cybersecurity solutions, our consultants are available to address any concerns you may have.