How penetration tests find security flaws

Testing the internal security of a company is not a new concept.

But with the evolution of artificial intelligence coupled with changing workplaces in a post-COVID world, digital and physical penetration testing has become more important than ever.

When sourcing a security expert for physical security penetration tests, it’s important to ensure the client understands the difference between penetration tests and threat risk assessments.

“When we do a threat risk assessment, we will look at threats broken down by categories: human-induced threats that could include things like criminality, terrorism, protest activity; infrastructure, which could be power failures, water disruptions, things of that nature; and environmental factors such as snowstorms, floods, natural disasters, earthquakes and hurricanes,” explains Brian Claman, president and managing director, Brian Claman & Associates.

“So, when you do a threat risk assessment, you bring together the various stakeholders, and you, as a consultant, walk them through these different things and ask them, ‘What keeps you up at night? What are the things that you’re worried about?’”

These assessments differ greatly from physical security penetration tests, says Andrew Kirsch, founder and CEO of Toronto-based Kirsch Group. “The pen test is where you have no information or insight in advance — or a very limited amount,” he says. “And you are testing all those things that they say are the right policies, processes, security, infrastructure, and testing how they work without any advanced knowledge of it.”

When companies believe they have robust policies and infrastructure in place, that’s a good time to recommend a penetration test to ensure everything is working effectively in a real-world simulation involving a threat actor attempting to gain access. And if something breaks down, they are able to identify the vulnerabilities.

“Often, we partner with the cybersecurity side, so there’ll be a logical security pen test, which is kind of the IT and network side, and then we do the physical side. Where there’s overlap on information security, can we get access to these sensitive areas, sensitive information, documents, passes, all of those things that the attacker would be interested in? And what are the controls? Where do we get stopped and run into one or two risks?” Kirsch says.

While companies may not perform threat risk assessments every year, which are more involved processes, they can do a pen test to see how things are going and keep people on their toes the same way companies do phishing exams and other cyber pen tests to keep their organization sharp. Asking clients the right questions before starting the tests is a key part of ensuring their effectiveness.

“What are you really interested in here? What are you trying to test? Can people get in? Okay, great. But what are the sensitive areas that you want to see if people can get into? Are you testing the locations that have the sensitive information?” Kirsch says.

While any company that has a protection program could benefit from penetration testing, Claman says the most obvious ones that come to mind are shopping malls, office towers, critical infrastructure, tourism venues, or where there’s critical assets housed.

“As a practitioner for over 40 years in this industry, I would say nine times out of 10, people don’t even consider penetration testing. They think they’re doing the right things, until something happens, then they find out they’re not,” he says. “There are too many false assumptions. A threat risk assessment, followed by penetration tests, can help wake people up.”

A changing workplace

Before the COVID-19 pandemic, working from home and hybrid working opportunities were not commonplace. But in a post-COVID world, many employers are reaping the cost benefits of having small office footprints, while employees are enjoying a better work-life balance with the opportunity to work from home.

But this environment can create new security risks. Kirsch says that employee situational awareness is most likely degrading from this new workplace model.

“I think that there are opportunities — and attackers probably see opportunities — to leverage the fact that we are so transient now that we don’t have these regular schedules, and that people are not familiar with their co-workers,” he says. “Maybe it’s not unusual to see a strange face or not know who everybody is. And I think, that way, we’re lowering our guard a bit.”

As workplaces change to adapt and evolve, companies need to review their security protocols and know if they are still effective.

Going on the offensive

Companies around the world are constantly bombarded with digital threats and the rise of AI has made these threats even more prevalent.

While many IT teams like to use the term “digital penetration testing,” Clément Cruchet, technical team lead for security testing and offensive security at Bell, prefers the term “offensive security.”

“The idea is to have a holistic view of all the potential exploitation paths threat actors can take to compromise an organization or gain access to data. So, it’s offensive security including ethical hacking,” he says.

In addition to offering on-site penetration testing, Cruchet and his team test all kinds of digital threats from the simplest applications to network intrusion. This also includes red team engagement for weeks or months, as well as social engineering and malware development. Having a solid physical security program is also an important aspect of a company’s digital security, he adds.

“You can have a firewall. You can have everything on network perimeter security well configured, but if your front door or your building is just open to anyone, then anyone can go on site and place a malicious device,” Cruchet says.

And while companies may have high security for entering an area such as a server room, their overall defences are sometimes not as tight as they might think they are. This is where physical testing can be of vital importance for digital security programs.

“You think a lot about the physical security in a data centre or unauthorized people trying to enter the server room. But sometimes there is just an exposed Ethernet port on the wall just before the server room, for example,” Cruchet says. “Sometimes an intruder can cause a lot of damage without entering the most secure server room.”

With the availability of AI, threats have changed significantly over the past few years, forcing security and IT teams to adapt quickly. Cruchet says the scope has really expanded for attackers to gain access to, or leak, sensitive data. He adds that the human factor has changed significantly over the past 10 years, and needs to be part of security testing protocols.

“We see this in a lot of security incidents, whether it is email phishing, whether it is multi-factor authentication, or USB units that get sent to an employee. So, the human factor is very important,” he says.

Companies need to ensure their security solutions, which represent a multi-million-dollar investment, are working properly, and that there are no blind spots or gaps. This is where penetration testing can pay dividends.

“Security, most of the time, is a cost. So, we need to find a way to find the balance between investing some money within that to protect the business and to protect our assets,” Cruchet says. “You need to do a pen test every year or every six months. It depends on the compliance and on what you’re trying to protect.”

A multi-pronged approach

For organizations to optimize their security, Claman says the key is to have every person and approach working in unison.

“We can’t look at penetration testing or threat risk assessments in a silo — it has to be holistic in nature. It has to be one of multiple components necessary to achieve the desired level of protection,” he says.

Penetration tests are vital because they test and validate assumptions, Claman adds.

“If you’ve ever watched a fine chef, and they’re making the sauce, they’re always testing it. They’re always tasting it throughout the process, because they think they’ve got it right. But that’s the penetration test. It’s the same thing with security. We don’t do it enough. We don’t do threat risk assessments, and then we don’t do the penetration tests. And we layer security on an organization without an overarching strategy. All these things have to interface,” Claman says.