This may seem like a strange article for Nettitude to publish, given that we are an award-winning cyber security company focused on penetration testing. We absolutely believe that penetration testing has value when it is implemented and oriented properly. However, we frequently see organizations running penetration testing programs that have missed the mark. This article discusses the top five failings of pen testing programs we have seen executed across industry.
For far too long, penetration testing has focused on delivering assurance about organizations' defensive capabilities. Organizations have commissioned penetration tests against internal and external network segments, against applications and databases, and in almost every case the aim has been to identify vulnerabilities in those defenses that can be exploited. Pen testers assess the firewall build and identify weaknesses in its configuration. They assess web applications and identify vulnerable code and configuration. They assess databases, network shares and other security devices in the hope of finding vulnerabilities that an attacker could leverage.
The cyber landscape is maturing at a startling velocity. An industry that barely existed 20 years ago is projected to be worth $170 billion by 2020. As the pace of technical development has snowballed, security assurance has become a board-level consideration. Assurance practices have had to evolve to keep up with the digital transformation occurring around us, reflecting both the changes in the ways we engage with technology and the evolving threat landscape. Organizations whose assurance process remains static will become increasingly vulnerable. To build effective risk management processes, organizations must become agile and threat-led, and must focus on people, process and technology collectively.
Penetration testing is nothing new to the cyber security world. For many years, organizations have been testing their web applications, assessing their internal networks, and identifying vulnerabilities in their mobile apps. Penetration testing companies have been delivering assurance about the security posture of defensive controls, providing guidance on whether the firewall rulebase needs to be updated, whether the patching policy is effective, or whether the application code that powers your web infrastructure is free of vulnerabilities.
The Internet is evolving at an ever-increasing velocity. With more internet-connected devices being brought online, and always-on services delivered over Wi-Fi hotspots and 4G, the average person is now typically connected 24/7.
In less than ten days there have been two major announcements which demonstrate that the UK really is at the leading edge when it comes to dealing with the evolving cyber threat landscape. The UK Government has launched the Cyber Essentials scheme to raise basic levels of cyber hygiene within small and medium-sized enterprises. The scheme allows organisations to measure their level of data security against an industry-recognised framework. It is designed to give customers, investors, suppliers and insurers confidence that an organisation has basic technical controls in place to mitigate the risk of a data breach. This proactive approach from the UK government is intended to push cyber security up the agenda for organisations and firmly place UK PLC on the information security map.
It would seem that no data and no organisation is safe from a security breach in 2014.
Here at Nettitude, we have been delivering penetration tests for clients for more than a decade, and over the last 10 years we have seen the industry mature considerably. Many organisations now understand what penetration testing is, and as a consequence it has become an integral part of many organisations' information security programs. However, more often than not, organisations ask us to focus on the technical aspects of a penetration test and to ignore the social aspects. In many instances we are told that 'management' don't want to look at social engineering, and are asked whether we can provide services that focus on the technology only.
Nettitude were strongly represented at the AKJ Associates PCI London event at the Victoria Plaza Hotel on Thursday 24th January 2013. The event allowed Nettitude to exhibit new services such as our forensic and incident response capabilities, as well as to showcase our P2PE QSA accreditation.