March 2019 - Fractional CISO

“Yes, but…”

That is the right answer 95% of the time. Almost every organization needs a penetration test or pen test. Organizations with mature security programs don’t need to ask the question. They already know the answer based on their program and plan.

Organizations that are asking that question are operating from the right mindset. They should be thinking about what they need to do to improve the cybersecurity of their organization. With the right resources, companies can mitigate risk. If they do it smartly then they can mitigate the risk with a high return on investment.

What Is a Pen Test?

A penetration test or pen test involves skilled professionals going in and messing around with the system to see what they can break, and where they can enter and steal.

Many firms call these professionals “ethical hackers” – some call them “white hat” security professionals. The idea of the penetration test is that these individuals perform a comprehensive analysis of the network through trying to hack their way into a system, not to damage or destroy or hurt users, but so that the company can improve its cybersecurity practices and eliminate vulnerabilities.

How does a Pen Test differ from a vulnerability test or vulnerability scanning?

Think of the penetration test as a vulnerability test that has someone sitting in the captain’s chair.

A pen test uses a trained human to attack an infrastructure or system. A vulnerability test is an automated scan of that system. It checks ports and versions to determine if there are weaknesses in the system. It does not try to actually exploit the vulnerabilities to compromise the solution. A vulnerability test gives the owners of the system a report.

Human oversight is really essential in many kinds of cybersecurity. We have all sorts of sophisticated tools that can help humans to spot dangerous network behavior. There are tools that seal down endpoints or deal with social hacking such as spear phishing or spoofing. But without some engaged human operation, these tools are only robotic sentries. Outside malicious parties can easily fool these tools.

Pen Test Cost

A pen test cost is usually measured in tens of thousands of dollars. (I have not seen a good one for less than $25,000.) A vulnerability scan for organizations with hundreds of devices is typically in the single digit thousands of dollars.

Why are penetration tests so expensive? Because they are state-of-the-art ways to protect network systems. When ethical hackers or white hat professionals take the time to engage password cracking systems, attack APIs, or build a honeypot spear phishing system (and then follow through), they are investing in active front-line cybersecurity work that will close loopholes and tighten security for a company’s digital assets. Hiring expert security personnel to focus solely on your systems for a period of time is expensive!

Pen Test Process

A penetration test typically involves the following:

Planning. Defining goals for the test and gathering intelligence.
Scanning. Evaluate weak points and organizational response to scans.
Gaining access. Method to gain entry into system which may involve social engineering, phishing, dropping USB drives in your parking lot, adding rogue wireless access points, exploiting Internet exposed vulnerabilities or physically compromising your offices.
Controlling a resource. Method for maintaining control of a node or resource in the system/network.
Analysis and reporting. Evaluating what can be done to improve the organization’s security posture.

All of these can be essential in figuring out how to mitigate risk and avoid data theft or other cybersecurity breaches.

But I Think I Really Need a Pen Test!

Organizations should always be looking for the most cost-effective security controls. A pen test is a control that should be performed later in an organization’s security maturity journey.

Organizations that don’t have basic security building blocks in place should focus on those first. These building blocks are comprised of an inventory of what is on their network, and a regular patching process for systems and applications. These basics also include strong user management, closing ports and limiting protocols and services on their network. If organizations have deficiencies with these types of security controls, a pen test is a really expensive way to find out.

CIS 20 view on Pen Tests

CIS 20 Security Controls with Pen Test at #20

The Center for Internet Security (CIS) has a good framework for prioritizing which controls to focus on. In the CIS 20 controls, Penetration Tests and Red Team Exercises is number 20 on their list. There are a number of things to put in place beforehand that are much more cost-effective. Inventory and control of hardware assets and continuous vulnerability management are great foundational principles. Firewalls and account controls and malware prevention systems are all effective ways to thin an attack surface or prevent intrusions, and so the penetration test may come later in the game.

(Note: We like the CIS 20 controls but believe that it does not properly emphasize the importance of user training at 17. Tricking a user to click on a link is easy for many attackers. Training users to be more security-aware can significantly reduce the number of possible events in an organization.)

Pen Test vs. other security controls

Pen tests are performed periodically. When you harden systems and networks, you see the benefits every day. Training users to be more security-aware can significantly reduce the number of possible events in an organization. That’s what’s behind a lot of penetration tests. The human penetration tester uses digital coordination tools to find out where the weakest points are. They then report back to the company, which will invest in that specific type of user education that will keep employees or other users from inadvertently giving away the store to hackers.

When you shrink the attack service down, hackers will have a more difficult time obtaining a foothold. When you address social engineering problems, hackers find that dealing with an already alert and aware user base is to some extent an exercise in futility.

Pen Test or Cybersecurity Plan?

When we are brought into a new organization, we will perform a risk assessment and then create a cybersecurity plan based on that risk assessment. In many cases, the pen test will be part of the plan. However, it is rare that the pen test is the first item on the list. Often organizations have many other higher priority cybersecurity projects to work on.

To Recap

Here’s the bottom line – while a penetration test is not the first or the only thing you need to do in cybersecurity, it’s often vital to the company’s success in protecting data and systems. We will figure out what specific types of penetration testing are needed and work with the client to proceed accordingly. Having a customized plan in place saves time and money and makes sure that the penetration testing that happens is targeted to the company’s actual needs.

If you would like help with your cybersecurity strategy or program, give Fractional CISO a call for a complimentary consultation. We can be reached at (617) 658- 3276 or by email at [email protected].

Monthly Archives: March 2019