Penetration Testing adapts to the new normal
Written by Alex Miller, Penetration Tester
During lockdown, IT teams across the UK have been working extremely hard to support businesses, enabling
them to transform and continue to serve the public in these uncertain times. From online supermarket Ocado
adjusting to its tenfold increase in demand to office-based businesses moving office equipment to
allow staff to work from home, it is undeniable that there have been monumental and unprecedented changes
to IT infrastructure in the last few weeks.
This is putting many Business Continuity Plans to the test as changes are made in remarkably short time
frames. With change management processes notorious for being sluggish, this raises the question of whether
compromises are being made to information security in an effort to increase business agility.
As a penetration tester I think – how can I join this effort and what can my skills bring to the table? For me it
falls into three categories:
1) What might an attacker be thinking?
Particularly on a changing network it’s important to get a broad perspective on your infrastructure from an
offensive security team. Ultimately this gives a great overview of your potentially changing attack surface and
outlines where attacks are most likely. Combined with comprehensive recommendations for blue teamers, this
is the first step to understanding your security posture and securing any changes made.
2) The risk of testing remains the same
While all testing comes with some risks, risk is a choice and, most importantly, there is risk associated with not
testing. While the impact of issues during testing may be felt more during the current crisis, the impact of not
having applications tested remains the same: infrastructure may be running with vulnerabilities, particularly if
changes are being made more quickly than usual, and this risk should be measured, documented and remediated.
3) Penetration Testing is adapting too
As IT managers have adapted to bring about required business changes, so have penetration testing teams.
Using more manual scanning techniques and testing, we are also equipped to do our jobs during these times in
a way that does not put applications under further unnecessary strain. Furthermore, remote internal testing can
be set up within a matter of days without compromising social distancing requirements using a variety of
Offensive teams are adapting too during these uncertain times and can play a role in ensuring all IT infrastructure
is secure and protected. It is still as important as ever to continue to have applications and networks tested to
prevent opportunistic attackers from preying on the current crisis. With an increased focus on low bandwidth
testing and comprehensive recommendations during reporting, penetration testing can also adapt to the
Alex has a background in mathematics which lends itself to the analytical and critical thinking skills required in penetration testing. As a CREST Registered Tester, Alex has experience delivering a wide range of penetration tests.