Regular stress and penetration testing, also known as "wargaming," is used to assess the potential business impact of cyberattacks. In this short article we look at the crucial role these testing plays in technology-driven industries, and where other industries can and must benefit from the lessons they have learned.
First, let’s take a quick look at where this kind of testing is used and why it’s so important:
"Netflix, for example, as a ‘high-value target,’ performs this type of testing up to almost 1,000 times per week. This allows the company to react very quickly to identify and close gaps in the affected areas. This minimizes the risk that the company’s vulnerabilities will be made public before you have a chance to fix them."
"Facebook confirmed in April 2019 that more than 540 million records showed up in plain sight after accidentally being posted publicly as plain text on Amazon’s cloud computing servers. Then in September, despite Facebook’s announcement that it was making security improvements by restricting access to data, 419 million records, including unique Facebook IDs and phone numbers, were found to be unprotected by any password at all. This latest incident increases the risk of spam calls and SIM-swapping attacks on users’ smartphones − a tactic that relies on tricking cell carriers to transfer phone numbers to a hacker."
"Capital One: In its marketing campaigns, the banking and credit card giant Capital One asks its customers, ‘What’s in your wallet?’ Now tens of millions of those customers have questions of their own surrounding just how much of their personal information was made available to and distributed by a hacker who used to work for Amazon. Considered one of the largest financial institution hacks in history, Capital One admits that social security numbers, banking transactions, and balances, credit scores, and addresses were stolen. Credit card numbers, however, were apparently not compromised, according to the company."
These tests help companies to identify the gaps in their systems, and serve as a basis for improvement measures. This in turn is used to review or − if necessary − change existing policies and the technologies used, and can also have an impact on the individual roles and responsibilities of the team responsible.
Penetration tests (often known as pen tests) are a special type of stress testing used to evaluate a company’s security infrastructure. They work by simulating realistic attack scenarios and vulnerabilities, both technical and non-technical.
What other industries can take advantage of penetration testing?
Such tests can also be used by insurers, for example, in the proposal phase, as a digital equivalent of the analog (paper) proposal form. In this process, potential buyers of insurance are traditionally taken through a series of questions representing the rating criteria.
The answers of the "applicant" are the used to define the risk profile of the future insured. This then is precisely the information the insurer needs to set the pricing parameters and eventually give a quote for an insurance policy.
So at the end of the day, both risk assessment and pricing is in principle based on the information the insured shares with the company via the proposal form. If this proposal process is now replaced by a pen test, both of these, i.e. risk profile and pricing, will be based on the information the test yields. Since this information can be expected to be far more accurate, we also obtain a direct validation of the pricing parameters.
In addition to this, the results of the pen test will give a clear indication of where investments in the internal IT structure can have an immediate risk-mitigating impact, thus potentially reducing the premium charged. The frequency and characteristics of pen testing vary widely from organization to organization. Experience shows that the frequency ranges from once a year (the main driver here is certification) up to more than 100 times a year.
Pen tests can be the digital equivalent of the ongoing risk reviews that are common practice in corporate insurance, usually conducted in the form of regular risk inspections or other on-site visits by the insurer’s risk engineers.
How often do you need to do pen testing?
The number of penetration tests carried out can vary greatly, and there’s no such thing as an optimum. The determining factors can include the industry sector and geographic regions the company operates in, the size and importance of the company, and − very importantly − the amount and type of information that is processed.
Global companies operating in vulnerable industries or highly regulated markets (such as payment processing and anything to do with banking, debit/credit card, and insurance data) need to perform penetration tests more frequently than a regionally based manufacturing company with limited external exposure.
How does pen testing work in practice?
Synpulse works with selected ecosystem partners to perform these tests for clients in the banking, insurance, and healthcare industries. The tests can be performed at the customer’s site or remotely depending on the availability of the required environment (approach, tools, methodology, etc.).
The process is supported by a proven procedure model, starting with a health check to assess the current situation, and continuing with the creation of the relevant stress & penetration test cases, tool-supported execution, and the final report and further recommendations for action.