Penetration testing is nothing new to the cyber security world. For many years, organizations have been testing their web applications, assessing their internal networks and identifying vulnerabilities in their mobile apps. Penetration testing companies have been delivering assurance about the security posture of defensive controls, providing guidance on whether the firewall rulebase needs updating, whether the patching policy is effective, or whether the application code that powers your web infrastructure is free of vulnerabilities.
Penetration testing can add a huge amount of value to an organization's vulnerability management program. Despite this, we repeatedly see a number of common threads missing from many penetration testing engagements. Here are the top five things that Nettitude thinks penetration testing providers should be focusing on.
1) They don't help you understand the real risk
We often see penetration test reports that are entrenched in deep technical language. CSRF, reflected XSS, SQLi and insecure hash functions are all terms that the average pen tester fully understands. However, when it comes to communicating with risk managers, project owners or the board, the conversation has to evolve. We actively encourage conversations at these levels to talk about the threat, the likelihood of compromise and the real risk to the organization. Red teaming exercises can help address these concerns. By understanding which assets or information are most sensitive to your organization, a red teaming exercise can simulate realistic threats against them and determine whether it is safe for you to sleep at night.
2) They don’t help you determine whether you would see an attack
Penetration tests are typically conducted against a defined scope, whether that be a location, a subnet or a specific type of application. They are used to deliver assurance on whether an organization's defences are robust, or whether there are vulnerabilities that an attacker could exploit. Penetration tests rarely help an organization understand whether it could detect an attack. Instead, many organizations simply assume that they will be able to detect an attack because they have invested in a detection or response product. We think this is not the smartest move. In the same way that you get assurance over your defensive posture, we believe penetration tests should be used to deliver assurance that your detection and response functions work as well: a test that exploits a vulnerability should also record whether anyone noticed, how quickly, and what the response was. We can help with detection and response assessments, SOC maturity assessments and purple teaming initiatives, all of which are designed to help you determine whether you would be able to detect a range of attacks.
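The check behind this point, as an added example that is not Nettitude's code or tooling: take a detection rule your SOC relies on, replay the attack you care about through it, and confirm it fires; then replay a quieter variant of the same attack and see whether it is still caught. The log format, the source addresses, the account names and the rule thresholds below are all constructed for illustration.

```python
"""Purple-team style detection check: run a detection rule over sample
telemetry and confirm that the attack we care about actually fires it,
and whether a quieter variant of the same attack slips past unnoticed.

Added example for this article; it is not Nettitude's code or tooling.
The log lines and the rule thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events (hypothetical format: timestamp,
# source, result, user, client IP). One noisy password spray from
# 203.0.113.7 against five accounts, plus a user mistyping their own password.
NOISY_SPRAY_LOG = """\
2024-03-01T09:00:01 auth FAIL user=alice src=203.0.113.7
2024-03-01T09:00:02 auth FAIL user=bob src=203.0.113.7
2024-03-01T09:00:03 auth FAIL user=carol src=203.0.113.7
2024-03-01T09:00:04 auth FAIL user=dave src=203.0.113.7
2024-03-01T09:00:05 auth FAIL user=erin src=203.0.113.7
2024-03-01T09:00:06 auth OK user=erin src=203.0.113.7
2024-03-01T09:05:00 auth FAIL user=alice src=198.51.100.5
2024-03-01T09:06:00 auth OK user=alice src=198.51.100.5
"""

# Same technique, one account every twenty minutes from 203.0.113.9.
LOW_AND_SLOW_LOG = """\
2024-03-01T10:00:00 auth FAIL user=alice src=203.0.113.9
2024-03-01T10:20:00 auth FAIL user=bob src=203.0.113.9
2024-03-01T10:40:00 auth FAIL user=carol src=203.0.113.9
2024-03-01T11:00:00 auth FAIL user=dave src=203.0.113.9
2024-03-01T11:20:00 auth FAIL user=erin src=203.0.113.9
"""


def parse_auth_log(text):
    """Turn the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _source, result, user, src = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "result": result,
            "user": user.split("=", 1)[1],
            "src": src.split("=", 1)[1],
        })
    return events


def detect_password_spray(events, threshold=5, window_minutes=10):
    """Alert when one source IP fails logins against `threshold` or more
    distinct accounts within any `window_minutes` period (sliding window)."""
    window = timedelta(minutes=window_minutes)
    fails_by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] == "FAIL":
            fails_by_src[ev["src"]].append(ev)

    alerts = []
    for src, fails in fails_by_src.items():
        start = 0
        for end, ev in enumerate(fails):
            # Drop the failures that have fallen out of the window.
            while ev["ts"] - fails[start]["ts"] > window:
                start += 1
            accounts = {e["user"] for e in fails[start:end + 1]}
            if len(accounts) >= threshold:
                alerts.append({"src": src, "accounts": sorted(accounts),
                               "first": fails[start]["ts"], "last": ev["ts"]})
                break  # one alert per source is enough for this check
    return alerts


def assurance_check(log_text, **rule_kwargs):
    """Answer the question the article asks: would we have seen it?"""
    alerts = detect_password_spray(parse_auth_log(log_text), **rule_kwargs)
    return {"detected": bool(alerts), "alerts": alerts}


if __name__ == "__main__":
    for name, log in (("noisy spray", NOISY_SPRAY_LOG), ("low and slow", LOW_AND_SLOW_LOG)):
        result = assurance_check(log)
        print(f"{name}: detected={result['detected']}")
        for a in result["alerts"]:
            print(f"  {a['src']} tried {len(a['accounts'])} accounts "
                  f"between {a['first']} and {a['last']}")
    # Widening the window catches the slow variant, at the cost of more alerts to triage.
    print("low and slow, 120-minute window:",
          assurance_check(LOW_AND_SLOW_LOG, window_minutes=120)["detected"])
```

The noisy spray is caught and the user who mistyped their own password is not, which is what a vendor demo would show you. The low-and-slow run from the second log produces no alert at all with the default ten-minute window, and only a retuned rule sees it; that gap is exactly what a detection assessment or purple team exercise is meant to surface before a real attacker does.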
3) They don’t assess your clients, despite them being the things that are most frequently targeted
How many times have you had a penetration test that focused on the server estate, the database layer, or the application layer? When did you last conduct an assurance activity against the clients in your estate? Many people recognize that one of the weakest links in the cyber security chain is the human being. It is the person that downloads the malicious file, clicks on the link, or opens the macro-enabled document. Despite the fact that humans are often the most targeted entry point into your environment, too many penetration tests simply ignore them! A common route for an attacker is to target an individual, escalate privileges on their workstation, pivot through the network and then go after the core system asset. Pen testers need to get wise to this and provide guidance on every stage of this kill chain, not just the last one.
4) They don’t help you secure your process
The cyber security industry talks about cyber security as people, process and technology. So why do most penetration tests focus purely on technology? They should also deliver assurance around people and process.
Many organizations now run security awareness training and phishing campaigns for their employees. It is far less common for organizations to assess or assure the processes that take place within the business. Many sophisticated attacks leverage weaknesses in process and barely exploit a technical vulnerability at all. For example, if configuration guides, policy documents, process documents or how-to guides are sitting on network shares, an attacker who reaches those shares gains inside knowledge of your systems and your processes. If your source code is sitting unprotected in internal repositories, don't be surprised if an attacker uses it to plan a more precise attack, one that never needs to trip the noisy exploitation step your monitoring is tuned for. The moral is: understand the processes that interact with your critical assets. Conduct assessments to find out what intelligence is lying around in insecure data stores that an attacker could use to gain a foothold. Use your penetration testing engagement to test whether those processes are accessible and can be leveraged to reach your key data assets.
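One way to run the assessment this section calls for, as an added example that is not Nettitude's code or tooling: walk a network share (or any mounted directory) and flag the files that hand an attacker process knowledge or credentials. The share contents below are constructed, the helper names (`scan_share`, `build_sample_share`) and the name hints are illustrative rather than exhaustive, and the AWS key is the documentation example key rather than a real one.

```python
"""Find the 'intelligence lying around' the article describes: walk a
network share (or any directory tree) and flag files that give an
attacker process knowledge or credentials: runbooks, configuration
guides, hard-coded passwords, private keys, cloud access keys and
database connection strings.

Added example for this article; it is not Nettitude's code or tooling.
The share contents are constructed, the patterns are illustrative rather
than exhaustive, and the AWS key below is the documentation example key.
"""
import os
import re
import tempfile

# Content signatures: each is a plain regex over the file's text.
CONTENT_PATTERNS = {
    "hard-coded password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "private key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "connection string": re.compile(r'(?i)\b(?:mysql|postgres(?:ql)?|mssql|mongodb)://[^\s"]+'),
}

# File names that usually mean "this explains how one of our processes works".
NAME_HINTS = re.compile(r"(?i)(?:runbook|how-?to|procedure|config|deploy|build|password)")

MAX_BYTES = 1_000_000  # only inspect the first megabyte of large files


def scan_share(root):
    """Return one entry per suspicious file: its path relative to `root`
    and the reasons it was flagged. Unreadable files are skipped."""
    report = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            reasons = []
            if NAME_HINTS.search(name):
                reasons.append("filename suggests process or configuration documentation")
            try:
                with open(full, "rb") as fh:
                    text = fh.read(MAX_BYTES).decode("utf-8", errors="ignore")
            except OSError:
                continue
            reasons.extend(label for label, pat in CONTENT_PATTERNS.items() if pat.search(text))
            if reasons:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                report.append({"path": rel, "reasons": reasons})
    return sorted(report, key=lambda entry: entry["path"])


# Constructed share contents: two process documents, one leaky settings
# file, one leaked key, and one harmless file that must not be flagged.
SAMPLE_FILES = {
    "it/runbooks/backup-procedure.txt":
        "Nightly backup runs as svc_backup on nas01.\nPassword: Summer2024!\n",
    "it/network/firewall-config.txt":
        "permit tcp any host 10.0.5.20 eq 443\ndeny ip any any\n",
    "dev/payments/settings.py":
        'DATABASE_URL = "postgres://app:s3cret@db01.internal/payments"\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n',
    "dev/payments/deploy_key":
        "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n"
        "-----END OPENSSH PRIVATE KEY-----\n",
    "hr/minutes-march.txt":
        "Team meeting notes. Discussed the quarterly roadmap.\n",
}


def build_sample_share():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="share-")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for entry in scan_share(build_sample_share()):
        print(f"{entry['path']}: {', '.join(entry['reasons'])}")
```

Point `scan_share` at a real mounted share and the output is a list of documents to move, redact or restrict before the next test; the firewall configuration is flagged on its name alone, because a clean ruleset export is still a map of your network for whoever finds it.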
5) They don’t help you determine whether your defences are aligned with the most likely threat
Often organizations go out and build security infrastructures and undertake penetration tests without a clear understanding of what they are trying to protect, and who they are trying to protect it from. There is an assumption that the external threat comes from 'hackers' and that these nefarious groups will try to come in through the front door. The reality is that there are many different types of threat, each with a different degree of sophistication, motivation and resources. A nation state is likely to be both sophisticated and stealthy. An organized crime group is likely to be interested in monetizing its attack. Ransomware such as WannaCry tends to be less targeted and might be described as a disorganized crime threat. A hacktivist group is likely to want to make a lot of noise so as to promote its idea or cause. By understanding the threat profile that is most likely to target you (or eliminating the ones that are least likely), organizations can build stronger security strategies, and more robust penetration testing and assurance programs.
Why Nettitude is not like most penetration testers
Nettitude can help your company's security strategy by providing a comprehensive penetration testing service that best suits your company's needs. We use a threat intelligence led approach to make sure you see real-world results. Additionally, Nettitude offers state-of-the-art 24/7 detection and response services, ranging from comprehensive monitoring to a managed Security Operations Center.
Keep your business safe. Contact us today for a free consultation with one of our security experts.