In the constantly changing threat environment facing critical infrastructure operations, it is not always easy to predict how well an organization’s systems would stand up to a real attack, or what the consequences could be. One way to find out is through pentesting (short for “penetration testing”), where an external party evaluates the organization’s security by attempting to break in.
Two different pentesting methods
Uncovering potential vulnerabilities in an organization requires several years of experience and a broad knowledge base. Sectra’s employees draw on many years of experience across a variety of security disciplines when carrying out pentests. Sectra uses two different methods of pentesting: full-spectrum pentesting and simple pentesting.
Full-spectrum pentesting
Sectra’s preferred method, a full-spectrum pentest, targets the organization as a whole, with as wide a scope as possible. In these tests, Sectra uses a “red team,” a team of Sectra employees who have several years of experience and extensive expertise in security. The team starts by performing a risk assessment and threat modelling in order to simulate a real attacker and carry out realistic attacks against critical infrastructure. The test covers both technical aspects, such as network infrastructure and physical security, and potential weak points related to processes, procedures and employees. Both the organization’s protective ability and its ability to detect various types of security risks are included in the test. The scope of these tests makes them more complex and thorough than other traditional testing methods. They are also more exhaustive and provide more value, because their stated goal mirrors what real attackers would likely target, so the test simulates the risk scenario that is actually relevant to operations.
Simple pentesting
A simple pentest focuses on individual applications or limited systems that serve a specific function within an operation. For example, this kind of test can be carried out with ordinary user rights, where the goal is to demonstrate internal vulnerabilities and show how an insider could potentially damage internal networks. A similar test is also possible with comprehensive rights, where the goal is to identify even greater vulnerabilities by testing a wide range of attack vectors.