When evaluating cybersecurity and data protection risk for our clients, the two most fundamental questions that need to be answered are:
- How vulnerable is our organization to active cyber threats that are likely to result in significant damages and loss?
- Where should we prioritize efforts and spending to reduce our risk to a manageable level?
While there are a number of methods that Ankura uses to evaluate risk and help answer these questions, penetration testing may provide the clearest picture of how attackers could infiltrate an organization's defenses and carry out their mission undetected. In this article, we interview Mark Manousogianis, who leads Ankura's penetration testing services, for insight into the benefits and challenges of testing.
How would you describe penetration testing, in terms of its importance and how it differs from vulnerability assessments and other types of security testing?
Penetration testing is a crucial component of any cybersecurity program, and it is essential that the timing is chosen correctly to ensure that it is effective and provides accurate results.
Penetration testing is a type of security testing that involves evaluating the security of a system, network, or application by attempting to simulate a real-world attack by a malicious hacker. The goal of a penetration test is to identify vulnerabilities and weaknesses in the system and to provide recommendations for remediation.
There are several different types of penetration tests. These may include internal network, external network, social engineering, web application testing, mobile application testing, and even physical penetration testing.
During a penetration test, a trained tester will attempt to exploit vulnerabilities in the system using various tools and techniques. These can be conducted from various perspectives. Working with a reputable vendor to determine your goals will help determine the right type of testing and the right perspectives for each unique environment.
Penetration testing is not the same as vulnerability scanning or a security audit. Vulnerability scanning involves automated tools that scan a system for known vulnerabilities, while a security audit is a more general assessment of the security posture of a system.
When is the right time to conduct a test?
While penetration testing is an essential component of a healthy security program, it is crucial to consider the timing carefully. Factors such as environment stability, resource availability, current threat landscape, cost, and compliance requirements must be taken into account to ensure an effective and accurate penetration test that helps keep the organization secure.
Compliance requirements may dictate the timing of a penetration test. In such cases, advanced planning and budgeting can significantly help meet compliance deadlines with as little headache as possible.
For example, the Payment Card Industry Data Security Standard (PCI DSS) requires penetration testing to be conducted at least annually and after any significant changes to the environment or application. The frequency of penetration testing may also depend on the organization's risk management framework, which takes into account the sensitivity of the data and the level of risk associated with the system or application being tested.
These requirements also represent standard best practices.
When considering timing, another important aspect to consider is the current threat landscape. If there has been a recent increase in attacks on a particular industry, it may be advisable to conduct a penetration test sooner rather than later. This will help identify vulnerabilities and provide an opportunity to remediate them before they are exploited by cyber attackers.
An independent third party is always a good choice when conducting a penetration test. Organizations may have internal teams who have the technical expertise to conduct a penetration test, but it is always a good idea to have a “second set of eyes” to look for things that they might have missed. Independent third parties usually do not have to navigate the internal politics of an organization the way that an internal team may have to.
Is penetration testing dangerous, and if so, in what circumstances?
If significant changes are being made to the environment, such as new hardware or software implementations, it is best to delay the penetration testing until after the changes have been fully implemented, and the environment is stable. This will ensure that the results are accurate and that the roll-out of the change is not impacted by the penetration test.
When you are recovering from a cyber attack and in the process of restoring or rebuilding your systems and data, you may be tempted to employ vulnerability assessments or penetration tests to debug your network and system configurations to confirm that they have been properly tuned and hardened. Do not do it. It may sound harmless, but testing too soon could bring down your fragile infrastructure and slow recovery efforts by flooding detection systems with false attack information.
One of the most common questions we are asked by new clients is whether a penetration test can cause downtime or service interruption in the target environment. In short, maybe. It is important that proper precautions are taken and that the testing is conducted by qualified professionals who understand the risks and potential impact of their actions. Choosing a reputable vendor with a dedicated penetration testing team will help minimize the risk.
What should IT and security teams do to help ensure that they are prepared to support penetration testing?
Resource availability is an essential factor to consider in preparing for a penetration test. It is crucial to ensure that all the necessary personnel and resources, including IT staff, security personnel, and other stakeholders, are available to properly conduct the test. Aligning everyone's calendars may be challenging, but it is crucial to have all involved parties on the same page to make the process of scoping, kicking off, and creating a remediation plan more manageable.
It is also important to budget appropriately for penetration testing, which should include both the cost of testing as well as the effort needed to remediate any discovered vulnerabilities. Penetration testing can be an expensive undertaking, and the size and complexity of the test will determine the level of effort required, which directly translates to the cost.
When considering the cost, if prior vulnerability assessment and penetration testing reports are sitting on a shelf, unread, and gathering dust, determine whether your team’s efforts would be better spent on evaluating the urgency of the previously reported issues and resolving those that present the greatest risk.
The media is always covering new cybersecurity attacks, and virtually every organization has experienced one themselves, so why is it that some organizations do not take immediate action when testing reveals serious flaws in their security?
Penetration testers share some of the blame when they do not take the time to consider how best to communicate key findings to have the greatest impact on their audience. Sometimes penetration test reports do not properly articulate the risk and impact of discovered vulnerabilities. A screenshot of a terminal with a bunch of data in it does not always convey the severity of a finding to a non-technical audience. It is important to create a narrative that includes the potential impact of each finding.
There are also findings that may be considered high risk by vulnerability scanners but are not necessarily exploitable, and therefore have little to no real-life impact on the target environment. On the other hand, other vulnerabilities, such as a readable file share, may be considered a medium risk by a vulnerability scanner. On the surface, this may be a fair rating, but if that file share contains a file full of cleartext credentials, it could be a far higher risk than the vulnerability scanner assigned. Because of this, it is important that penetration testers create custom risk ratings based on their actual findings and include a narrative to explain the risk rating. This will help prioritize remediation efforts and therefore make the entire exercise far more valuable.
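To make the "readable file share" point concrete, here is an added example that is not part of the interview and not Ankura's tooling: a small Python triage script that walks a share the scanner flagged as merely readable, looks for cleartext-credential indicators (password assignments, connection-string passwords, private key headers, AWS access key IDs), and escalates the scanner's Medium rating according to what it actually finds. The sample share contents, the regular expressions, the category-to-severity mapping and the size limit are all constructed assumptions for illustration.

```python
"""Triage a readable file share for cleartext credentials and re-rate the finding.

Added example, not code from the interview. The sample files, regexes and
rating policy below are assumptions made for illustration only.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Indicator patterns (assumed). A capture group marks the secret value so the
# report can mask it; a match is evidence to verify by hand, not proof.
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "aws_access_key": re.compile(r"\bAKIA([0-9A-Z]{16})\b"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*[\"']?([^\s\"';]+)"
    ),
}

# Assumed rating policy: what each indicator category is worth on its own.
SEVERITY = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
CATEGORY_SEVERITY = {
    "private_key": "Critical",
    "aws_access_key": "Critical",
    "password_assignment": "High",
}
MAX_BYTES = 1_000_000  # skip large binaries; an assumed triage limit

# Constructed sample share (not real data) standing in for the mounted share.
SAMPLE_FILES = {
    "finance/Q3_notes.txt": "Quarterly numbers attached. Ping me with questions.\n",
    "it/backups/web.config": (
        "<connectionStrings>\n"
        '  <add name="Prod" connectionString="Server=sql01;User Id=app;Password=Pa55w0rd!;" />\n'
        "</connectionStrings>\n"
    ),
    "it/scripts/deploy.ps1": '$svcUser = "CORP\\svc_deploy"\n$password = "Winter2023!"\n',
    "it/scripts/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gt\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "dev/.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
}


@dataclass(frozen=True)
class Hit:
    path: str       # path relative to the share root
    line_no: int
    category: str
    snippet: str    # matched text with the secret value masked


def redact(m: re.Match) -> str:
    """Return the matched text with the captured secret replaced by ****."""
    s = m.group(0)
    if m.lastindex:  # pattern captured the secret value; mask only that part
        start, end = m.span(1)
        s = s[: start - m.start()] + "****" + s[end - m.start():]
    return s


def build_sample_share(root: Path) -> Path:
    """Write the constructed sample files under root and return root."""
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


def scan_share(root) -> list:
    """Walk every readable file under root and collect credential indicators."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                if path.stat().st_size > MAX_BYTES:
                    continue
                text = path.read_text(errors="ignore")
            except OSError:
                continue  # unreadable entries are exactly what we cannot triage
            rel = path.relative_to(root).as_posix()
            for line_no, line in enumerate(text.splitlines(), 1):
                for category, rx in PATTERNS.items():
                    m = rx.search(line)
                    if m:
                        hits.append(Hit(rel, line_no, category, redact(m)))
    return hits


def adjust_rating(scanner_rating: str, hits: list) -> str:
    """Raise the scanner's rating to the worst category actually found."""
    rating = scanner_rating
    for h in hits:
        candidate = CATEGORY_SEVERITY[h.category]
        if SEVERITY[candidate] > SEVERITY[rating]:
            rating = candidate
    return rating


def run_demo():
    """Build the sample share, scan it, and return (hits, adjusted rating)."""
    with tempfile.TemporaryDirectory() as tmp:
        hits = scan_share(build_sample_share(Path(tmp)))
    return hits, adjust_rating("Medium", hits)


if __name__ == "__main__":
    found, rating = run_demo()
    for h in found:
        print(f"{h.path}:{h.line_no} [{h.category}] {h.snippet}")
    print(f"Scanner said Medium; evidence-based rating: {rating}")
```

Two design choices worth noting: the report masks the secret values, so the deliverable does not itself become a second copy of the credentials, and the rating is driven by the worst category of evidence rather than by the scanner's generic label, which is the custom risk rating the interview argues for. Each hit still needs a human look before it goes into the narrative; the patterns will also catch placeholders such as a comment that says "password = see vault".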
PCI DSS Penetration Testing Guidance: https://listings.pcisecuritystandards.org/documents/Penetration-Testing-Guidance-v1_1.pdf, see page 6.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.