“Yes, but…”
That is the right answer 95% of the time. Almost every organization needs a penetration test or pen test.
Organizations with mature security programs don’t need to ask the question.
They already know the answer based on their program and plan.
Organizations that are asking that question are operating from the right mindset. They should be thinking about what they need to do to improve the cybersecurity of their organization. With the right resources, companies can mitigate risk. If they do it smartly then they can mitigate the risk with a high return on investment.
What Is a Pen Test?
A penetration test or pen test involves skilled professionals probing a system to see what they can break, where they can get in, and what they could steal.
Many firms call these professionals “ethical hackers” – some call them “white hat” security professionals. The idea of the penetration test is that these individuals perform a comprehensive analysis of the network through trying to hack their way into a system, not to damage or destroy or hurt users, but so that the company can improve its cybersecurity practices and eliminate vulnerabilities.
How does a Pen Test differ from a vulnerability test or vulnerability scanning?
Think of the penetration test as a vulnerability test that has someone sitting in the captain’s chair.
A pen test uses a trained human to attack an infrastructure or system. A vulnerability test is an automated scan of that system. It checks ports and versions to determine if there are weaknesses in the system. It does not try to actually exploit the vulnerabilities to compromise the solution. A vulnerability test gives the owners of the system a report.
Human oversight is really essential in many kinds of cybersecurity. We have all sorts of sophisticated tools that can help humans spot dangerous network behavior. There are tools that lock down endpoints or deal with social hacking such as spear phishing or spoofing. But without some engaged human operation, these tools are only robotic sentries. Outside malicious parties can easily fool these tools.
Pen Test Cost
A pen test’s cost is usually measured in tens of thousands of dollars. (I have not seen a good one for less than $25,000.) A vulnerability scan for organizations with hundreds of devices is typically in the single-digit thousands of dollars.
Why are penetration tests so expensive? Because they are state-of-the-art ways to protect network systems. When ethical hackers or white hat professionals take the time to engage password cracking systems, attack APIs, or build a honeypot spear phishing system (and then follow through), they are investing in active front-line cybersecurity work that will close loopholes and tighten security for a company’s digital assets. Hiring expert security personnel to focus solely on your systems for a period of time is expensive!
Pen Test Process
A penetration test typically involves the following steps:
Planning. Defining goals for the test and gathering intelligence.
Scanning. Evaluating weak points and the organization’s response to scans.
Gaining access. Gaining entry into the system, which may involve social engineering, phishing, dropping USB drives in your parking lot, adding rogue wireless access points, exploiting Internet-exposed vulnerabilities or physically compromising your offices.
Controlling a resource. Maintaining control of a node or resource in the system or network.
Analysis and reporting. Evaluating what can be done to improve the organization’s security posture.
All of these can be essential in figuring out how to mitigate risk and avoid data theft or other cybersecurity breaches.
But I Think I Really Need a Pen Test!
Organizations should always be looking for the most cost-effective security controls. A pen test is a control that should be performed later in an organization’s security maturity journey.
Organizations that don’t have basic security building blocks in place should focus on those first. These building blocks consist of an inventory of what is on their network and a regular patching process for systems and applications. These basics also include strong user management, closing ports, and limiting the protocols and services on their network. If organizations have deficiencies in these types of security controls, a pen test is a really expensive way to find out.
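As an added illustration of the basics just listed (an inventory, a patching process, and closing unneeded ports), and of the kind of plain report a vulnerability scan hands back to system owners, here is a small reconciliation script. It is example code written for this article, not Fractional CISO’s tooling: the inventory, the minimum-version table and the scanner export lines are all constructed, and the product names are placeholders rather than real software or advisories.

```python
"""Reconcile an asset inventory with what is actually listening on the network.

Example code added to this article (not Fractional CISO's tooling).  The
inventory, the minimum-version table and the scanner export below are all
constructed; product names are placeholders, not real software or advisories.
"""
from dataclasses import dataclass, field

# Constructed inventory: which hosts we know about and which TCP ports each may expose.
INVENTORY = {
    "10.0.1.10": {"owner": "web team", "allowed_ports": {443}},
    "10.0.1.11": {"owner": "db team", "allowed_ports": {5432}},
    "10.0.1.12": {"owner": "it", "allowed_ports": {22, 443}},
}

# Constructed patching baseline: the lowest version the patch process considers current.
MIN_VERSIONS = {
    "ExampleHTTPd": (2, 4, 50),
    "ExampleDB": (14, 3),
    "ExampleSSH": (8, 9),
}

# Constructed scanner export, one "host port product version" record per line.
SCAN_LINES = """\
# host        port  product       version
10.0.1.10     443   ExampleHTTPd  2.4.50
10.0.1.10     8080  ExampleHTTPd  2.4.41
10.0.1.11     5432  ExampleDB     14.1
10.0.1.12     22    ExampleSSH    8.9p1
10.0.1.12     443   ExampleHTTPd  2.4.52
10.0.1.99     3389  ExampleRDP    10.0
"""


@dataclass
class Findings:
    unknown_hosts: set = field(default_factory=set)       # listening but not in the inventory
    unapproved_ports: list = field(default_factory=list)  # (host, port, product)
    outdated: list = field(default_factory=list)          # (host, port, product, version, minimum)


def parse_version(text):
    """'2.4.41' -> (2, 4, 41); '8.9p1' -> (8, 9).  Stops at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def version_below(found, minimum):
    """True if found < minimum, padding the shorter tuple with zeros so (14, 1) < (14, 3)."""
    width = max(len(found), len(minimum))
    return found + (0,) * (width - len(found)) < minimum + (0,) * (width - len(minimum))


def parse_scan(text):
    """Turn the export into (host, port, product, version) tuples, skipping comments and blanks."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port, product, version = line.split()
        records.append((host, int(port), product, version))
    return records


def reconcile(inventory, scan_text, minimums):
    """Compare observed services with the inventory and the patching baseline."""
    findings = Findings()
    for host, port, product, version in parse_scan(scan_text):
        entry = inventory.get(host)
        if entry is None:
            findings.unknown_hosts.add(host)  # nothing to compare against: the inventory itself is the gap
            continue
        if port not in entry["allowed_ports"]:
            findings.unapproved_ports.append((host, port, product))
        minimum = minimums.get(product)
        if minimum is not None and version_below(parse_version(version), minimum):
            findings.outdated.append((host, port, product, version, minimum))
    return findings


def report(findings):
    """Render findings as the plain list a scan report hands to system owners."""
    lines = []
    for host in sorted(findings.unknown_hosts):
        lines.append(f"UNKNOWN HOST  {host}: not in inventory")
    for host, port, product in findings.unapproved_ports:
        lines.append(f"OPEN PORT     {host}:{port} ({product}) not approved for this host")
    for host, port, product, version, minimum in findings.outdated:
        wanted = ".".join(str(n) for n in minimum)
        lines.append(f"OUT OF DATE   {host}:{port} {product} {version} < {wanted}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(reconcile(INVENTORY, SCAN_LINES, MIN_VERSIONS))))
```

Run as-is, the script reports one host that is not in the inventory, one port open on a known host that was never approved, and two services below the patching baseline. Each of those is something the building blocks above would catch for the cost of a scan and a spreadsheet, which is the point of the paragraph: a pen test that finds them instead is an expensive way to learn you have no inventory.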
CIS 20 view on Pen Tests
CIS 20 Security Controls with Pen Test at #20
The Center for Internet Security (CIS) has a good framework for prioritizing which controls to focus on. In the CIS 20 controls, Penetration Tests and Red Team Exercises is number 20 on their list. There are a number of things to put in place beforehand that are much more cost-effective. Inventory and control of hardware assets and continuous vulnerability management are great foundational principles. Firewalls, account controls and malware prevention systems are all effective ways to thin an attack surface or prevent intrusions, and so the penetration test may come later in the game.
(Note: We like the CIS 20 controls but believe they do not properly emphasize the importance of user training at number 17. Tricking a user into clicking on a link is easy for many attackers. Training users to be more security-aware can significantly reduce the number of possible events in an organization.)
Pen Test vs. other security controls
Pen tests are performed periodically. When you harden systems and networks, you see the benefits every day. Training users to be more security-aware can significantly reduce the number of possible events in an organization. That is what a lot of penetration tests are really about. The human penetration tester uses a mix of tools and coordinated techniques to find out where the weakest points are. They then report back to the company, which can invest in the specific type of user education that will keep employees or other users from inadvertently giving away the store to hackers.
When you shrink the attack surface, hackers will have a more difficult time obtaining a foothold. When you address social engineering problems, hackers find that dealing with an already alert and aware user base is to some extent an exercise in futility.
Pen Test or Cybersecurity Plan?
When we are brought into a new organization, we will perform a risk assessment and then create a cybersecurity plan based on that risk assessment. In many cases, the pen test will be part of the plan. However, it is rare that the pen test is the first item on the list. Often organizations have many other higher priority cybersecurity projects to work on.
To Recap
Here’s the bottom line – while a penetration test is not the first or the only thing you need to do in cybersecurity, it’s often vital to the company’s success in protecting data and systems. We will figure out what specific types of penetration testing are needed and work with the client to proceed accordingly. Having a customized plan in place saves time and money and makes sure that the penetration testing that happens is targeted to the company’s actual needs.
If you would like help with your cybersecurity strategy or program, give Fractional CISO a call for a complimentary consultation. We can be reached at (617) 658-3276 or by email at [email protected].