6 signs that you need to conduct a pen-test!

    By Vincent Naughton on October 11, 2017

      Do you know how much data has been lost or stolen since 2013?
      Source: http://breachlevelindex.com/
      9,053,156,308 records
      Let’s break it down by frequency:
      • Per day: 5,191,030 records
      • Per hour: 216,293 records
      • Per minute: 3,605 records
      • Per second: 60 records
      Scary, right?

      It’s alarming to see the number of attacks increasing every year, and what makes it worse is that the biggest names in the industry are getting hit. The question is, who is at fault? The security team, the board or an employee within the organisation?
      We don’t want to play the blame game; it’s time for all businesses, big, medium or small, to look in the mirror and review their own security infrastructure.
      Cybercrime is only going to increase. Criminals target the easy victims with simple tools, and then use more sophisticated tooling, zero days and advanced persistent threats, to attack government bodies and private international, national or local businesses across the globe.
      One of the biggest challenges an organisation faces in Information Security is determining how secure you currently are versus your risk profile, your security policy requirements and best practices. Penetration testing is an extremely valuable tool for determining your current security posture: it safely identifies vulnerabilities in your infrastructure or applications and tries to exploit them. That exploitation step eliminates false positives about whether a vulnerability is exploitable and what its impact would be. The following scenarios help you identify when your business needs a penetration test.

      Is there a lot of breach activity in your sector or has your competitor been hit?

      Breaches in your sector may be a good early indicator that you are vulnerable too. Firstly, they point to possible targeted activity in your sector. Cybercriminals have a lot of success targeting specific organisations and sectors, and a pattern of breaches in your sector usually means they have template approaches and toolsets for successfully attacking it. They also have specific motivations, such as financial return or damaging the brand of a particular organisation or sector, so a breach pattern may mean your sector has come into their sights for some particular reason. Success builds success, and copycats. If an attacker has had success in a sector, they may look to repeat it on other victims in that sector, and there is usually no shortage of copycats. If you have had the luxury of watching your competition suffer breaches, it is an opportune time to quickly assess how vulnerable your own organisation is and use that time to fix issues before you become another casualty in the sector.

      You have a nagging doubt that you truly know the up-to-date security posture of your high and medium risk systems.

      A common misconception is that a business is safe, or knows its security posture, because it did a pen-test last year. Too often organisations only get a penetration test to meet compliance or financial audit requirements. What they fail to realise is how much can happen in months, weeks and even days. In a very dynamic threat landscape, driven by strong motivation and success on the part of cybercriminals, ad hoc and infrequent penetration testing leaves you effectively blind to preventable risks. A system or application that appeared secure 12 months ago may now be at significant risk because of vulnerabilities discovered since, or because of configuration changes made to that system or to the supporting security infrastructure in the intervening period. Regular penetration testing is required to get an up-to-date picture of your security posture. Best practice recommends testing higher risk production systems more often and lower risk systems less frequently, and testing any system that has gone through change before that change is released to production. Organisations are often reluctant to test regularly because of cost or disruption. There is no one-size-fits-all answer, but it is important to build a granular approach rather than a monolithic one:
      • penetration test specific high risk systems more frequently;
      • penetration test changed or new systems before release;
      • perform round-robin penetration testing on lower risk systems, so they are assessed at a lower frequency than the higher risk systems;
      • penetration test the whole perimeter, and so on.
      This granular approach gives pragmatic, affordable testing that still provides full coverage of your systems, while focusing effort on clearly identified risks and potential impact to the business. If you can’t say with confidence that your knowledge of the security status of your IT estate is as up to date as you would like, it most likely means you are not performing enough penetration tests.

      You think penetration testing is a pain, that it shows you or your team in a bad light, or you only do it because an auditor or customer asks you to.

      Roll back 10 years and lots of people in the industry were questioning the value of penetration testing and whether it needed to be conducted at all. We had next-generation firewalls, heuristic anti-malware technologies, integrated security suites from the perimeter to the endpoint, and evolving threat intelligence solutions, all offering bulletproof preventative security. So where did that get us? The threat landscape of the last 10 years, with rapid growth in everything from cyber criminality to data breaches and extortion, has proven that preventative security infrastructure cannot make up for basic information security hygiene and an appropriate strategy that mixes identification, protection, detection and recovery/response capabilities with layered security. One of the key tools in the identification phase, to understand your security posture and to know where to deploy your resources, is security testing with an appropriate mix of audit, penetration testing and vulnerability testing. Vulnerability testing is useful, but on its own it doesn’t provide the full picture of your security posture. A pen test finds security holes that a vulnerability scan cannot pick up, for example an admin portal with default credentials left open to the general internet. Penetration testing leaves no doubt as to whether a vulnerability is exploitable and what the potential impact might be. Penetration testing is a growth industry once more. Organisations that gain the most value from penetration testing do a number of things well:

      • They embrace penetration testing as a positive tool: they want the tests conducted regularly and comprehensively so that they can measure their posture, understand what they are doing well and where they need to improve.
      • They are very clear on their testing strategy, frequency, scope and their goals for the testing.
      • They cooperate with the penetration testing organisation, they are hungry for the outputs from the test and they quickly work on prioritised remediation.
      • They continuously improve by embracing the learnings from the output so that they don’t repeat the mistakes of the past.
      • They have an appropriate mix of audit and testing, ranging from risk assessment, penetration testing and vulnerability scanning (and management) to social engineering tests, ensuring they have appropriate coverage.
      • They take a risk-based approach rather than a compliance-only approach.

      The thing about a pen-test is that there is a human behind it who goes through a detailed scan and produces an analysis report. The human factor identifies the gaps manually, exploits them and reports exactly where and how you need to prioritise your vulnerabilities.

      You are about to deploy a new service or solution or migrate to a new service.

      Implementing a new solution, upgrading, or migrating to a new service is a very busy and stressful time for businesses and in particular for IT teams. IT resources are focused on meeting user acceptance criteria, deadlines and go-live dates. What often gets lost, or left until the last minute, is verification that the system is in fact secure, meets your policy or compliance standard, and is implemented to security best practice. Organisations often go live and then schedule a penetration test in production, which is pretty reckless. Others do test, but leave it so late that there is no time between the test and go-live to fix any of the issues. They are then left with the unenviable dilemma of “Do we go live now and fix later, or postpone?” These approaches typically point to a bigger organisational problem: the absence of any sort of controlled secure systems development lifecycle (SSDLC) or methodology. If security testing is an afterthought, it usually means that security requirements weren’t properly specified at the requirements stage and security wasn’t designed in at the design stage, so what was built is an ad hoc build that may include some ad hoc security. This leaves an unenviable problem at the test/verification stage: what is the penetration tester testing against? What policy, what requirements? Quite often in our experience of this scenario you are left testing against industry best practice and some sort of retrospective risk analysis and retrospective security requirements. All of this points to a chaotic approach to security, which doesn’t bode well for the particular project or for the organisation’s risk management and Information Security generally. Making security part of your SDLC, i.e. having an SSDLC, means a much more effective, much less chaotic and less costly approach to security.
      You identify your security requirements up front, so the project has security baked in from the start. It is crystal clear to the business stakeholders, developers, implementers and support organisations what security is required, and the project does not get past each gated stage until both functional and security requirements are met. The penetration tester has very clear objectives for their testing. Apart from making the project and organisation more secure, this reduces costs. The IT industry is well aware that fixing a bug (a security issue is a non-conformance to specification, and thus a security “bug”) during implementation is 6 times costlier than fixing it during design, and 15 times costlier if it is found during the testing phase.

      Your infrastructure or application managed service provider had a guy who is pretty handy at penetration testing, and he did your last one as part of their service to you.

      Security audit and penetration testing are a key part of your overall Information Security Governance. Letting Joe the vendor support guy, who happens to have read “Penetration Testing for Dummies”, penetration test your systems is the equivalent of letting your office supplies delivery guy wire your data centre because he has an interest in electrics. Letting the providers of a service audit or test the IT services, applications or infrastructure they provide is riddled with conflicts of interest. Are they really going to point out in their test report what a poor job they might have been doing keeping your systems patched, configuring the systems they are responsible for, or properly managing your firewall rulebase and risk, and so breach the SLA or lose the contract? Do they really have the expertise to conduct the test to the level required? Will they follow agreed penetration testing protocols? Their report might be something you can show to non-expert financial or compliance auditors who are only interested in ticking the box that a penetration test has been completed, but is it something you can credibly show to knowledgeable customers to demonstrate competence, completeness, expertise and experience, or even a professional approach to Information Security? Is it even something that your organisation’s, or the provider’s, professional indemnity and crime insurance would cover? If you are serious about Information Security, get penetration testing conducted by a non-conflicted, professional penetration testing organisation. Look for the expertise, experience and accreditation of the organisation and its testers. Look at their approach, request sample reports, and discuss testing scope and approach with them:

      • Is it a risk-based approach?
      • Will there be specific, measurable, achievable, timely recommendations in the test report?
      • Will the provider do full knowledge transfer of the findings and recommendations to your staff or suppliers?
      • Is it grey box, white box or black box testing?
      • Are they testing infrastructure or applications or both?
      • What is the testing window and protocol?
      • Will you need a re-test after your remediation work?
      • Do you need the consent of third parties to test, and if their consent isn’t given or is very restricted, what might this mean for the test?

      The penetration testing organisation you decided to go with was half the price of all the other organisations who provided proposals.

      True penetration testing requires expertise, experience, real people, an appropriate amount of time, effort, tools and a very methodical approach. None of this comes cheap. You know the saying “you pay peanuts, you get monkeys”. In a lot of cases it is also “you pay peanuts, you get vulnerability scanning dressed up as penetration testing”. Remember, the objective of penetration testing is to identify vulnerabilities and to determine their exploitability and their impact on your organisation. A vulnerability scan can be conducted in minutes using off-the-shelf or open source tools. Vulnerability scanning has its value to an organisation, but it is only one part of penetration testing. Too many supposed penetration testing organisations ask a security analyst to cast their eyes over an automated vulnerability scan report, make some recommendations and then relabel the report as a penetration test. In truth this isn’t a penetration test; it’s a souped-up vulnerability scan, and it’s the reason that organisation’s “penetration test” costs a fraction of the price charged by professional penetration testing organisations who spend the time ethically trying to exploit the vulnerabilities to determine the probability of exploitation and the impact on your organisation. So, like any consumer, if you got something priced at a level that was too good to be true, most likely you didn’t get what you paid for, and it doesn’t provide the level of security visibility you require. I would respectfully suggest that you take your money elsewhere and get a proper penetration test so that you know what your true posture is.
      Penetration testing is a key tool in your armoury for verifying your security posture. Use this tool often and well and your organisation will benefit in terms of better security. Use well-established penetration testing organisations with real penetration testing expertise and experience to get the best value for your organisation. Embrace the experience positively and your security can only improve continuously as a result. Beware of penetration testing provided by conflicted or non-expert parties. Be very suspicious of providers and suppliers who resist penetration testing.
      Here’s our download on penetration testing. If you would like to speak to any one of our penetration testing experts in Ireland or Northern Ireland, contact grainne@ward.ie and we’ll be in touch with you shortly.
