
SRM Solutions

Pen testing: seeing both the wood and the trees


If recent well-documented breaches tell us anything, it is that even organisations with large budgets and skilled cyber security teams can miss something. In spite of their best efforts, data breaches have occurred in some very high-profile organisations in recent months, undermining their system security, exposing their customers’ data and, with it, their reputations. This is not because they are failing to do their level best to safeguard data. Far from it. It is likely that every ounce of available resource was put into developing and maintaining their online security, knowing how precious it is to the future of their business. So how is it that hackers continue to outsmart these highly resourced teams?

The problem is not with the teams’ experience or depth of knowledge but often with their level of familiarity. The phrase ‘can’t see the wood for the trees’ applies here: sometimes those who are deeply involved in the detail of a project can’t step back and see the bigger picture.

Resident teams may have developed the website from scratch and know every detail of its functionality. They may have been working diligently for some time on safeguarding data and developing defences in line with regulations and reported attack trends. As soon as attacks are reported, patches are released and defensive strategies are employed. But what happens when a hacker or blogger devotes specific attention to the site? Will they find the one flaw in the emergency change, the one time that input validation was not addressed, or the one coding flaw that the designers, too familiar with the code, overlooked?

A fresh pair of eyes, on the other hand, is not hampered by familiarity. An experienced and highly skilled penetration tester does not think like a defender, but rather like an attacker. They don’t focus on where the forest fires have already started but on how and where they could be ignited. They use a combination of automated tools and manual testing to identify potential vulnerabilities, then investigate, explore and develop these so that a high proportion of vulnerabilities can be anticipated and patched before a hacker discovers them. Our consultants can put themselves into the mind-set of a motivated hacker by identifying, investigating, exploring and exploiting potentially vulnerable areas, so that defences can be put in place before a breach occurs.

A qualified and experienced pen tester also has the advantage of not only seeing your system in its entirety, but of seeing many other systems and many other vulnerabilities. To continue the metaphor: their view extends beyond one specific forest, taking in a bird’s eye view of the many miles of trees and forests belonging to other organisations. From this vantage point they not only see the attack trends as they develop but can anticipate the location of future forest fires.

If a breach does occur, however, evidence of a robust testing programme can help to mitigate the level of fines imposed by regulatory authorities under GDPR. Furthermore, engaging a Retained Forensics service (working as part of the test and exercise team) provides an organisation with effective and swift mitigation strategies, thereby minimising the potential impact of a suspected or actual attack.
