As a cybersecurity leader, you’re responsible for a ton of moving parts in an evolving ecosystem. The operation and growth of your business is on the line.
With cyber threats continuing to advance, it has become a common phrase in the industry to say, “It’s not if you get hacked, it’s when.”
While this adage sounds dramatic, it is becoming increasingly common to see stories about corporate data breaches, ransomware attacks, and critical infrastructure incidents. All of these illustrate the point: you must find the weaknesses in your layered defense strategy before your adversaries do.
Penetration testing is one way to do just that.
Penetration testing (“pen testing”) is a practice that simulates threat actors targeting your environment. This practical approach to security testing combines automated and manual techniques to determine and demonstrate the impact of any potential gaps in your security strategy.
While vulnerability scanning programs and routine risk assessments are examples of good cyber hygiene, pen testing can unveil weaknesses that aren’t normally picked up through proactive programs. A good pen tester will look holistically at your environment to exploit weaknesses between your security controls. These are the exact types of weaknesses a real-world attacker often relies on.
With that said, not all penetration tests (or testers) are created equal. In this article, we’ll explore some subjects and key points to consider that will help you to discern between highly effective pen tests and not-so-effective pen tests.
A good pen test relies on assessors with strong foundational knowledge in various technical competencies and experience across a wide array of systems, technologies, industries, and tools. Many testers come from backgrounds in network/system administration, programming and development, or security operations before moving into the offensive security field. Knowing what constitutes “good” system architecture means understanding what makes an environment weak, and how to exploit it.
A successful pen test should result in a detailed report that outlines the weaknesses and vulnerabilities discovered in your environment and the "kill chains" used to link them. These kill chains demonstrate the stages of an attack from start to finish, and the goal will ultimately depend on the attackers' motivations, whether that be encrypting and/or selling your data for profit, stealing your trade secrets, or bringing awareness to a cause. A well-described kill chain will detail the findings noted at each link of the chain. More importantly, each of these findings will include thorough recommendations on what your next steps should be to increase the overall security posture of your infrastructure, policies, and systems.
Depending on the maturity of your security program, and the nature of the specific test, these reports can include a wealth of information to help you understand where and how to focus remediation efforts. For organizations undergoing their first pen test, the data contained in these reports can sometimes be overwhelming. A good testing partner will walk you through the results at your level and can help tailor recommendations to the specific capabilities and limitations of your organization.
Finally, because pen tests are point-in-time assessments, and conditions within your environment can change rapidly, even the best pen test can only ever offer a snapshot of your current security posture. Rather than considering these projects to be one-and-done engagements, they should instead be integrated into your overall security program. It’s best practice that this testing is performed at least annually, and after any significant environmental changes.
To achieve unbiased results from a pen test, it’s recommended that you work with a third party to conduct your security testing. Here are a few things to consider when evaluating potential pen test vendors:
As in the last section, let’s explore some of the aspects that separate great testers from the rest of their peers.
A penetration test can be viewed as a one-time snapshot of your system, used to analyze and understand your organization’s overall security posture at a specific point in time. However, the industry’s best leaders treat these exercises as an operationalized practice, integrating them into their security framework and proactive risk management policies on a consistent and repeated basis.
Their outputs and recommendations should supplement your other security activities, helping to measure the real-world effectiveness of your controls and guiding the next steps of your security journey.
Interested in learning more, one on one, with a pen test professional? We're always happy to chat.