The Blog

Beyond Penetration Testing – 7 Steps to a Security Testing Strategy

Posted by Sam Clarke and Scott Summers on 17/05/2017

IT security testing is not just about checking that you can break in via a website vulnerability such as SQL injection. To prevent an IT security attack, security testing needs to be wider than penetration testing and should cover wider aspects of security. The good news is that it’s not as hard as you might think to make your systems more secure through a broad security testing strategy. Follow these seven steps to reduce the risk of a security breach.

Security Testing Strategy.jpg

1. Do you have an Organisation wide Security policy and associated processes and procedures? If so have you tested that they can be effectively implemented and are operational? Often policies are bypassed due to impossible or impractical constraints.

2. Do you lock the front door? A recent survey commissioned by HM Government shows that most breaches have come through email.

“The most common types of breaches are related to staff receiving fraudulent emails (in 72% of cases where firms identified a breach or attack).”

USB, CD/DVD drives together with use of employees own devices are still cause for concern.
Have you tested your email filtering, staff instructions, and reporting procedures?
Established user acceptance test techniques can help test this area.

3. Is your infrastructure up to date with all security patches? Inventory and configuration should be managed and regularly audited and identified risks mitigated. For example, if a Windows XP device is required for an existing application, mitigation may be to ensure the device is completely isolated from the internet and internal LANS. It is much easier to track your inventory as it grows and changes rather than trying to retrospectively audit your estate so my advice if you don’t have inventory management in place is to start now. Also, don’t forget all those cloned development and test machines which may not have the latest security patches applied. It would be ironic, and extremely embarrassing, if the security testing PCs were the entry point for a ransomware attack.

4. Is data correctly classified such that sensitive data can only accessible by authorised employees, is transferred and stored securely? This can be easily tested using audit techniques and paper based exercises.

5. Are your applications and hardware estate safe from the known vulnerabilities? Security testing of applications for the most common attacks vectors is a vital part of the Software Development Lifecycle. It is equally important to do regular security and penetration tests once a system is operational, especially in a DevOps world where changes are being constantly and frequently applied.

6. Do you know what to do if an attack happens and will it work? How is an attack escalated to management, how is it communicated to employees, users, external bodies and the press? Established user acceptance test techniques and rehearsals can help test this area.

7. They are in and data is compromised, encrypted, held to ransom or destroyed! Disaster recovery planning should cover security breaches as well as physical disasters. Disaster recovery testing is vital to give confidence to the business that recovery is possible even in extreme events. My experience over the years as a home user, and a corporate user of IT is “test those backups”. The last thing you want find in a disaster is that the backups are damaged or won’t restore for whatever reason”.

In conclusion, you can have as many policies processes and procedures as you like, but if they are not verified by testing then you are still exposed to risk. To quote from the Care Quality Commission report on “Safe data, safe care”

“….to prioritise the safety and confidentiality of personal data, and ensure that the security of data systems is proactively and regularly tested. Having the right policies in place is not enough – policies must be tested…….”

Testing is an integral part of IT security processes and should cover verification of your:
  •  Policies and processes and procedures
  •  Perimeter
  •  Response to attack processes
  •  Infrastructure
  •  Application
  •  Recovery processes
  •  Disaster recovery

You can never prevent everything but having a verified and tested security strategy will reduce the risk of serious impact to the business whilst raising confidence and giving valuable information about your security strengths and weaknesses.

Blended attacks are becoming more common, requiring a fully integrated response.

Oh, and don’t keep your only backup drive connected - ironic if your data backup was ransomed as well!

To learn more about our security testing services visit the services page on the nFocus website here. Alternatively you can contact us to speak to one of our team at info@nfocus.co.uk or call us 0370 242 6235.

References:

  • Cyber Security Breaches Survey 2017 – Department for Culture Media &Sport
  • Safe Data Safe Care - Care Quality Commission 2016

Topics: Software Testing, Security Testing Strategy

nFocus Blog

Welcome to the nFocus software testing blog. As thought leaders and technical innovators, we created this blog to distil our thoughts, ideas and musings on improving software quality.

Fill out the form below to receive future communications from nFocus including our latest:

  • Blog articles
  • White Papers
  • and plenty more!

Subscribe to Email Updates