Why “Penetration Testing” is Mission Critical for any Tech Company

Many companies handle large amounts of data, and as more of that data moves into the cloud, online security becomes mission critical. ELEMENT performs regular “penetration testing” – or simply “pen tests” – to evaluate whether our systems have any exploitable vulnerabilities.

In this post, we would like to walk you through five Whys and Hows of pen tests to help you with those same questions that concern every tech company. Of course, there will be other questions that you will want to consider, but we hope that these basic facts will help you get started.

A penetration test, also known as a pen test, is a simulated cyber attack against your computer system to check for exploitable vulnerabilities. In the context of web application security, the findings are used to patch the vulnerabilities that were detected and, where a web application firewall (WAF) is in place, to fine-tune its security policies. Keep in mind that a WAF rule is a compensating control that buys time; it does not replace fixing the underlying flaw in the application.

[Figure: Penetration testing stages]

“Why” bother?

The insurance industry deals with a huge amount of sensitive data. Insurers know people’s personal data, payment method details, claims history, and much more. Understandably, the sensitivity of this data requires secure storage that minimizes the possibility of unauthorized access as far as practically possible.

Pen tests help assess how secure your platform really is. To this end, you perform a controlled, authorized test in which the testers attempt to compromise a target system and demonstrate that they could reach the information an attacker would be after, within the agreed scope and without causing real damage. This typically requires tools and techniques very similar to those that an attacker would use.

“Who” performs the test?

A very important question is, of course, who can safely carry out pen tests. You have to be very precise and do your own due diligence on which provider suits the needs of your company best. Based on preliminary research, we at ELEMENT came up with a short list of potential providers and evaluated each of them according to different criteria. Such criteria include aspects such as:

  • How good are their pen testing skills? How do these skills set them apart from other providers?
  • Do they rely exclusively on automated vulnerability scanners or do they also use hands-on manual testing?
  • How well are they able to replicate real-world attacks in safe conditions?
  • What deliverables – e.g. a report with evidence for each finding, remediation recommendations, or a retest of the fixes – will you receive from the test?
  • Do they verify the safety and sustainability of their proposed solutions or fixes?

“When” should I perform a pen test?

The timing of pen tests depends on a variety of factors – for example, your product release cycles, availability of resources, your market segment, etc. Nevertheless, we recommend that most organizations get some sort of security assessment at least annually, and again after significant changes to the systems in scope, such as a major release or a change of infrastructure.

“Where” are pen test providers located?

If you and your organization opt for remote testing, the location of your provider still matters. When testers are in a different country than you, legal issues related to data provisioning and accessibility can arise – for example, restrictions on where personal data may be transferred to or processed. Differences in language, culture, and time zones can also make coordination and interpretation of results more difficult.

“What” type of pen test do you need? 

Network pen tests, physical security assessments, web application security assessments, and social engineering are among your options. You need to prioritize your efforts based on what makes sense for your organization. Keep in mind that the best approach may change over time as your organization matures.

“How” can you support pen testers to best satisfy your needs?

A basic first step is determining your business goals:

  • What are your high-value assets and associated targets?
  • What controls and capabilities do you want to test?
  • Who is the audience for the final report, what measures and metrics matter to them, and what impact do you want the report to have on your audience?


Next, identify the threats that are most likely to target those assets. Then determine which of these threats the penetration testers should emulate, and to what degree.

Then, establish manageable expectations and stay engaged. Even a well-executed pen test might cause service interruptions, and it will certainly cause some headaches – for example, a flood of security logs and alerts that your operations team has to triage and reconcile with the pen testing team.

In this regard, establishing a channel for ongoing communication between the testing team and your organization is particularly useful. For example, we had a secure dedicated communication channel between the testing team and our developers. Careful planning and strong communication can alleviate some of these challenges and benefit both parties.

We are always happy to help our partners innovate and deliver their vision of tomorrow’s insurance. Should you have any questions about pen tests or similar technical issues, please do not hesitate to contact us at igor@element.in. We look forward to hearing from you!

Help us rethink insurance today! Be part of a company on an upward trajectory and with a mission to implement creative, innovative solutions in a challenging sector.