The Penetration Testing Landscape in 2023
Penetration Testing has existed for over half a century. Ethical hackers have embraced the task to ensure that computer systems remain secure from threat actors trying to compromise them. The focus at the time of its conception was safety of information as computers gained the ability to share information across communication lines, which could be breached, resulting in data being stolen or systems being shut down.
In 1967, more than 15,000 computer security, government and business personnel converged at the Joint Computer Conference to discuss the issues, led by Willis Ware, around communication lines being penetrated – giving birth to one of the most commonly used terms in the industry today. Such was Ware’s status in the field that the US government commissioned him to chair a committee to examine and report on the feasibility of security controls within computer systems. This led to the production of the Ware Report in 1970, which was only declassified for general publication in 1979. The report outlined security problems and proposed policy and technical considerations which established the benchmark we adhere to today around sound security principles.
“Tiger Teams” formed and undertook penetration testing to assess whether systems could be breached and vulnerabilities found in and across networks, hardware and software.
Practices evolved over the following decades – from identifying a vulnerability first, then designing an attack approach on it, to identifying weaknesses in the attack approach to neutralise the threat.
Numerous tools have been introduced into the ethical hacking world over the years to aid a Penetration tester in their efforts and to provide the end client with as much insight into their attack surface, and as much value from the service, as possible.
The need for Penetration testing has become more varied and wide ranging in the past decade too. Key motives for undertaking a test, or series of tests, include:
Assess and address potential risks: By having this information, businesses can prioritise operational tasks to ensure business growth and scale without risk of compromising effort and investment in current and future plans.
Verify compliance: Businesses can determine compliance with industry regulations, legal requirements, and security standards, ensuring that security measures align with relevant frameworks.
Improve incident response: A Penetration test can reveal weaknesses in an internal incident response plan by testing its effectiveness, thereby providing the business with a thorough plan, with clear roles and responsibilities, to deal with any future attacks.
Validate investments and cyber insurance: Technology is one of the highest investment areas when businesses are looking to scale. It can be the strongest asset or, if not protected, the greatest risk. Similarly, cyber insurance policy premiums are rising exponentially for many due to the inability of the insured to demonstrate that reasonable endeavours are being taken to protect their digital environments – increasingly rendering them uninsurable. Penetration testing helps validate whether these technology investments, backed by supporting insurance policies, are providing the desired level of protection for the business. It assists in identifying any gaps or misconfigurations that may render investments made in security solutions ineffective.
The need for skilled security professionals has never been greater. Similarly, the need to accelerate efforts and provide organisations of all shapes and sizes with key answers to burning questions around their susceptibility to an attack and what their key risks are, has never been greater.
Many approaches to Penetration testing still use the same processes which were deployed decades ago, yet business works too fast to cope with the long scope, schedule, delivery and reporting times by which many consultancies still run their practices. An increasing number of approaches group all the staple tooling utilised for Penetration testing into one place, where efforts are accelerated to deliver outcomes and actions in a fraction of the time compared to traditional manual efforts, without any compromise on the validity of reporting.
Regardless of your experience of Penetration testing, if you are looking to understand how Penetration testing is now delivered in the modern day, where scope is defined by IP range rather than day rate, and outputs are provided in hours rather than weeks, reach out to the Amicis team at hello@amicisgroup.co.uk, or alternatively book a call with our team to discuss your requirements further.