This may seem like a strange article for Nettitude to publish, given that we are an award-winning cyber security company focused on penetration testing. We absolutely believe that penetration testing has value when it is implemented and oriented properly. However, we frequently see organizations running penetration testing programs that have missed the mark. This article discusses the top five failings of pen testing programs we have seen executed across industry.
Pen testing as a one-off exercise
Many organizations approach penetration testing as a one-off activity. They conduct the test, read the report, and then rest comfortably, safe in the knowledge that they have conducted a test. The problem with this approach is that cyber security is hugely dynamic, and that dynamism is measured day-to-day, not month-to-month or year-to-year. A one-off pen test conducted 12 months or more ago rarely indicates the exploitable vulnerabilities that face an organization today.
Often driven by regulatory requirements or compliance frameworks, many organizations conduct penetration tests because they feel obliged to, rather than as an assessment that helps them manage their cyber risk.
Many cyber security frameworks (PCI DSS, for example) require penetration tests to be conducted annually, and they lean towards internal and external assessments that focus on technology. Judging from the number of unique CVE identifiers issued by MITRE in 2016, more than 1,000 new technology-centric vulnerabilities are being identified every single month. As a consequence, the results of an annual penetration test are almost certain to be out of date by the time the next assessment comes around. Organizations need to understand this, and either implement more frequent test cycles, or move to an ongoing vulnerability management program that leverages continuous vulnerability scanning between tests.
Too much focus on arguing vulnerability ratings, not enough focus on risk management
Many organizations conduct penetration tests in the hope that the test will confirm that they are secure. When the results deviate from this expectation, it is not uncommon for individuals to downplay vulnerabilities and try to change or influence the ratings that have been allocated.
Pen testing companies need to have a good understanding of risk management. They need to be able to talk in terms of vulnerability, threat, likelihood and impact. Because reports often lack this context, buyers of services become frustrated and feel that the vulnerability ratings present an inaccurate picture of the organization's cyber security posture. A SQL injection vulnerability may carry a high technical severity score wherever it is found. However, the likelihood of it being exploited in a public-facing web form is very different from the likelihood of it being exploited in a tightly controlled administrative panel that can only be reached after two-factor authentication; the impact may be just as severe in the second case, but the population of attackers who can reach it is far smaller. The weakness still needs fixing in both cases; what changes is its priority relative to everything else on the report. Penetration testing companies need to find a better way of articulating risk to organizations, by talking about threat, impact and likelihood and providing a stronger narrative on what the real risk is.
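The following is an added illustration, not Nettitude's rating method or any published standard: a small contextual risk model that keeps the technical severity of a finding fixed and derives a separate risk rating from likelihood (who can reach the component, what authentication stands in the way, how mature the exploit is) and impact (what data and privilege the attacker gains). The weights, band boundaries and the two sample findings are constructed assumptions for the example; the point is that the same SQL injection lands in different bands depending on context, which is the conversation the report should be having instead of an argument over the severity label.

```python
"""Contextual risk rating for pen test findings (illustrative model, not a standard)."""
from dataclasses import dataclass

# Illustrative weights; these are assumptions for the example and would be agreed
# with the client before the test so that ratings are not renegotiated per finding.
EXPOSURE = {"internet": 5, "restricted": 3, "internal": 2}   # who can reach the component
AUTH = {"none": 0, "single_factor": 1, "mfa": 2}             # subtracted from likelihood
MATURITY = {"public_exploit": 0, "proof_of_concept": 1, "theoretical": 2}  # subtracted
DATA = {"public": 1, "internal": 2, "confidential": 4, "regulated": 5}
PRIVILEGE = {"read": 3, "write": 4, "admin": 5}

# 5x5 likelihood x impact matrix, collapsed into bands of the product.
BANDS = [(4, "Low"), (9, "Medium"), (15, "High"), (25, "Critical")]


@dataclass(frozen=True)
class Finding:
    title: str
    technical_severity: str   # what the tester rated the weakness itself, context-free
    exposure: str
    auth_required: str
    exploit_maturity: str
    data_sensitivity: str
    privilege_gained: str


def clamp(n: int, lo: int = 1, hi: int = 5) -> int:
    return max(lo, min(hi, n))


def likelihood(f: Finding) -> int:
    """1-5: how plausible exploitation is given reachability and controls in the path."""
    return clamp(EXPOSURE[f.exposure] - AUTH[f.auth_required] - MATURITY[f.exploit_maturity])


def impact(f: Finding) -> int:
    """1-5: the worse of the data exposed and the privilege gained."""
    return clamp(max(DATA[f.data_sensitivity], PRIVILEGE[f.privilege_gained]))


def risk_rating(f: Finding) -> str:
    product = likelihood(f) * impact(f)
    for ceiling, label in BANDS:
        if product <= ceiling:
            return label
    return "Critical"


def narrative(f: Finding) -> str:
    """One-line narrative of threat, likelihood and impact for the report."""
    return (
        f"{f.title}: technical severity {f.technical_severity}; "
        f"likelihood {likelihood(f)}/5 (exposure={f.exposure}, auth={f.auth_required}, "
        f"exploit={f.exploit_maturity}); impact {impact(f)}/5 "
        f"(data={f.data_sensitivity}, privilege={f.privilege_gained}); "
        f"contextual risk {risk_rating(f)}"
    )


# Constructed sample findings: the same SQL injection weakness in two contexts.
PUBLIC_FORM = Finding(
    "SQL injection in public contact form", "High",
    exposure="internet", auth_required="none", exploit_maturity="public_exploit",
    data_sensitivity="regulated", privilege_gained="read",
)
ADMIN_PANEL = Finding(
    "SQL injection in internal admin panel", "High",
    exposure="restricted", auth_required="mfa", exploit_maturity="public_exploit",
    data_sensitivity="regulated", privilege_gained="admin",
)

if __name__ == "__main__":
    for finding in (PUBLIC_FORM, ADMIN_PANEL):
        print(narrative(finding))
```

Run stand-alone, the public form comes out as Critical (likelihood 5, impact 5) and the admin panel as Medium (likelihood 1, impact 5), while both keep the same High technical severity. A model like this only works if the weights are agreed up front and the inputs (exposure, authentication, data classification) come from the client's own asset inventory rather than the tester's guess; that is what turns a rating dispute into a risk conversation.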
Often oriented towards the wrong assets
Penetration tests are often oriented at the wrong assets. Organizations tend to follow a maturity curve: they start by looking at external networks, then move on to applications, and then perhaps to internal networks. Next they assess people through social engineering based assessments. Very few organizations conduct penetration testing that simulates a realistic threat actor end to end, and fewer still focus on identifying vulnerabilities in their processes or in their detection and response capability.
There is wide recognition across the industry that cyber does not equal technology. Cyber encompasses people, process and technology. If your pen testing program only covers technology, then we would argue that you are only gaining assurance over roughly a third of the likely attack surface.
Almost always focused on defense, with little narrative around detection or response
Most organizations conduct penetration tests to identify vulnerabilities in their defenses. They use pen tests to identify weaknesses in the firewall build, the web application code, or the security architecture design and implementation. The focus has historically been on helping organizations defend more effectively, with almost no focus on helping them detect and respond to attacks.
Detecting a cyber-attack is no easy task. Implementing detection technology at key vantage points across the estate is a start, but it also requires well trained people to respond to events and a robust set of processes before an organization can state that it has a robust detection and response capability. How many organizations have brought the people, process and technology aspects of detection together? In Nettitude's experience, a relatively small number. Of those that have built or contracted security operations center functions, how many conduct assurance assessments to validate the effectiveness of their detection and response capability? The number is even smaller. As an industry we recognize that more data is being created every hour of every day, and consequently a cyber security strategy oriented 100% towards defense will ultimately fail. We need to look at how we detect more effectively, and we need to deliver assurance activities against those detection capabilities (for example, running the same attack techniques a pen test would use and recording which of them were logged, alerted on and actioned) so as to improve our likelihood of detecting a cyber-attack.
Too much focus on tech, without considering people and process
Many organizations focus too heavily on pen testing their technology, give marginal attention to testing their people, and almost none to testing their processes.
In today's threat climate, we are seeing more and more attackers target people and process as the easiest way into an organization. If they target web applications or firewalls, the likelihood of some form of alert being generated is reasonably high. However, if they target people, whether through social media, public Wi-Fi, phishing emails or in-person social engineering, the chances of detection are often much lower. If an attacker can compromise a user and then exploit weaknesses in internal processes, they will often be able to achieve their objective without exploiting a single technical vulnerability.
Organizations need to evolve their assurance programs beyond technology. They need penetration testing services that cover technology, process and people.
What Nettitude can do for your business
Nettitude is a leading penetration testing company, delivering services globally for some of the most sophisticated organizations. We provide advice and guidance on how to build assurance programs, and we deliver assurance programs that range from vulnerability analysis to penetration testing, red teaming and simulated targeted attack and response assessments.
Contact us today for a consultation with one of our expert security consultants.