Ethical Hacking, Penetration Testing or Red Team Engagement
Whether you are within the technology industry or just looking for an experienced IT provider, you have most likely come across the terms ‘Penetration Test’ (also known as ‘Pen Test’ or ‘Pen Testing’), ‘Ethical Hacking’, and ‘Red Team Engagement’ (‘Red Teaming’).
As a Managed IT Service Provider, we have seen these terms being used simultaneously, when in fact, they have separate meanings and uses. How many times have you seen these terms intertwined?
When looking for a security assessment, you are either looking at a ‘Penetration Test’ or what is called a ‘Red Team Engagement’ Assessment. A ‘Pen Test’ is generally a lot more focused than a ‘Red Team Engagement’ assessment, therefore, the duration will vary depending on what is being tested.
It is best to have an idea of these things before you begin your research.
Now, let’s go more in-depth as to what different types of assessments there are, how they work, and what they cover.
Ethical Hacking
For those that are not aware, Ethical Hacking was used between 1990-2000 as a broader term for identifying vulnerabilities within a network, along with White Hat hacking (not to be confused with Black Hat hacking).
During the 1990s–2000s, security was not as well established as it is today, therefore it was difficult to identify what Ethical Hacking covered and how it was governed. Therefore, it ultimately received a bad reputation and there remains a lot of hidden stigma around it.
Again, ‘Ethical Hacking’ isn’t a term that’s used as much in this day and age, so it’s best not to include it in your research when looking for a vulnerability assessment of your business’s cyber security.
Penetration Testing
Penetration Testing is currently widely used when referring to a security vulnerability assessment and is primarily focused on penetrating an organisation’s defensive systems. A penetration test can also be used to find any vulnerabilities and weaknesses on a particular focus product/application before “sign-off”. This will normally last between 2-14 days with a singular report at the end and should always be considered a point-in-time assessment of security.
Those conducting a penetration test can be running tests on both internal & external network infrastructures and systems as well as wireless network infrastructure and against mobile and mobile applications, to identify any:
- Potential exploitable flaws and vulnerabilities
- Configuration weaknesses that introduce security risk
- Identify unpatched software
- Validate technical controls and countermeasures
If security flaws are identified, the tester will often provide remediation advice to resolve or implement appropriate controls/processes to ensure that security systems are effective and comply with a range of data and privacy regulations. Such as EU GDPR (General Data Protection Regulation), DPA (Data Protection Act) 2018, and PCI DSS (Payment Card Industry Data Security Standard).
Red Team Engagement
Unlike a penetration test, a red team engagement assessment is a larger-scale security assessment across the entire organisation to reduce the risk from cyber threats. Red team engagements are typically not bound by a traditional or focused scope, meaning that there are no restrictions as to what can be looked at within security systems and the business. This can include analysing systems, applications, software, employee engagement, physical security, and learning how they interact with each other.
Red team engagements blend various skills used by attackers to perform a security assessment, including but not limited to full exploitation, vulnerability chaining and social engineering.
To ensure that the security assessment is under the right conditions, those conducting the test will act how a cybercriminal would, and people within the organisation will know as little as possible beforehand. Except for those in the organisation that will need to approve it of course.
This is to make sure there is no interference with the security assessment and that the reports are accurate as possible.
Depending on the length of the assessment, a detailed report will be provided regularly throughout and at the end of the assessment. Below is a handful of topics which the report will cover:
- Types of attacks undertaken and their successfulness – did existing systems and controls detect and respond to attacks (e.g. Did users report Phishing attacks)
- Details of compromised systems, data, at the initial kick-off High-Value Targets (HTV) are often set, if any of these HVTs are compromised these will be reported
- Indicators of compromise, sometimes red team testing will uncover previous compromises.
Due to the scope and what is involved with a ‘Red Team Engagement’ assessment, the process can typically last several months or longer.
Are Penetration Tests and Red Team Engagement Assessments Important?
To round things off, both ‘Red Team Engagement’ assessments and ‘Penetration Testing’ are important when assessing your security set-up, however, both cover different scope levels and hold a different time duration.
Remember, you are offering insight into your network and possible sensitive data, therefore, ensure your research is thorough to guarantee that your data is protected and is only used for the assessment.
Most companies that offer ‘Pen Testing’ and ‘Red Team Engagement’ assessments could have one of the following qualifications:
- CREST certification
- CREST STAR – ‘Simulated Target Attack & Response’ (Red Teaming)
- PCI DSS penetration testing – for the Payment Card Industry (PCI)
- Certified Ethical Hacker (CEH) program – provided by the EC-Council (International Council of E-Commerce Consultants
While these qualifications are useful when looking for a security assessment provider, they shouldn’t be a deciding factor. A service provider that has the relevant knowledge base and has earned your trust will be able to deliver the security assessment that’s required.
We, AirIT, can offer both ‘Penetration Testing’ and ‘Red Team Engagement’ assessment to help your business improve its security posture and reduce security risks within your organisation. To find out more, call +44 345 565 1953 or email consult@silverbug.it.