Penetration Testing vs DDoS Testing

John Baldock

We all recognise that testing your IT infrastructure is paramount to keeping your systems secure, and we always discuss this with all of our customers.  However, when we start to talk about DDoS testing we are often met with the view that conducting pen testing is enough.  This lead me to write this blog explaining the two methods of testing, how they differ and where they fit in your network security arsenal.

Penetration Testing (Pen Testing)

Pen Testing is a series of tests carried out in an attempt to find your vulnerabilities, penetrate your network, and gain access to the secrets within.

There are many types and levels of pen testing that can be carried out – for example, network perimeter testing aims to use externally facing systems to gain access to internal networks and confidential material. According to a survey by Positive Technologies in 2018, 92% of tested companies were found to have been breached on the network perimeter and access gained to LAN resources, with the main problem being vulnerabilities in web application code and poor protection of web resources.

Why does it seem so easy to break down so many companies’ defences? Well, it is extremely difficult to protect a complex network, according to Cloud Security Alliance, organizations with less than 1000 employees use an average of 22 custom applications and larger corporations using as many as 750 – that’s 750 applications to keep up to date and secure as well as running efficiently within the business.  Of these applications, over a third will likely be externally facing, and some will be customised and also entwined together with networks and other applications. It is a mammoth task to keep complex IT systems working and secure.

However, all an external attacker needs to do is review the externally facing resources and look for a way in. And one exploited vulnerability might be enough.

Due to the dynamic nature of business, companies will often change their systems and expand their networks for a variety of reasons. Each time a change takes place, the risk of a vulnerability appearing increases. Therefore, pen testing is definitely not something you should just do once and consider that to be the end of the affair!

Read our web page for more information on pen testing.

DDoS Testing

While it is not uncommon for ‘DDoS’ and ‘data breach’ terms to be seen together, they are very different threats. DDoS attacks should not be treated the same as attacks where unauthorised access has been gained.  A DDoS attack is a mechanism to bring services down and to impact business, and a data breach is aimed at accessing personal data and accessing private resources.

DDoS testing is the simulation of a DDoS attack (usually a layer 4 or layer 7) to discover how susceptible your network is and how easy it would be to affect service availability.

DDoS testing should certainly be considered as part of your IT security testing and IT budget, and the priority you ascribe to it may well depends on your business type – an online retailer may feel DDoS attacks have a larger impact on them, while a medical company may feel more at risk of having their sensitive data exploited.

DDoS tests can be highly customised to attack against certain protocols and traffic types, designed to fit the needs of the target; with that in mind, it is important to test against new threat risks that have been introduced into a changing environment.

Read our web page for more information on DDoS testing.

Or download one of our white papers on DDoS testing.

The Best of Both Worlds

Today, these attacks should not be considered in isolation.  Many DDoS attacks are used as distraction techniques or to disable a device or service to allow unauthorised access to facilitate another type of attack.

It may not be practical to actually combine both tests, as this would require significant co-ordination and could cause serious disruption. This doesn’t mean that either should be avoided; rather they should be done separately.  The frequency and depth of the tests would depend on your specific needs.

Following The Rules

Do not make the mistake of simply following regulations – cyber criminals and attack types evolve far quicker than the regulations that are put in place as guidelines for businesses to follow. Instead, consider your own business needs and the necessity to assess the risk of how costly an attack could be. A pen test and a DDoS test are going to teach you something, that is guaranteed.

In Conclusion

Regular DDoS testing and pen testing should be an integral part of any medium and enterprise organizations’ IT security strategy.  With the number and sophistication of threats increasing dramatically each year, organizations cannot afford to ignore the valuable information on the security profile of your network that good testing can provide.

Testing will prepare your organization, its processes and your staff for how to react to both DDoS attacks and exploitation attempts.

To find out more about how we can help you with both Pen Testing and DDoS Testing contact us or call us on 0845 925 6025.