Information security is very complex. As information security and risk governance practitioners our main tasks are to protect the confidentiality, integrity, and availability of data and systems. Some of us are even protecting lives. The responsibilities that we have on our shoulders can be daunting and even stressful at times. Threat actors never sleep, and every time we come up with a mitigation, they find another way around it. Having the right people, processes and technologies in place can help us to sleep a little better at night. But how do we know if those controls will be up to the task when the rubber meets the road?
Penetration testing, also known as pentesting, is the best way to ensure that our controls and teams are working as they should be. A pentest is an exercise where cybersecurity professionals known as ethical hackers find vulnerabilities in an organization, and then exploit those vulnerabilities in order to gain access and attempt to exfiltrate data. This is all legitimate and legal of course, because they are hired and given specific consent to do so by the organization’s leadership. Leadership of the organization determines the scope and sets the boundaries regarding what is fair game and what is off limits to the hackers. Here are my top six recommendations when deciding to do a penetration test.
- Vulnerability Scans
The purpose of a vulnerability scan is to find known vulnerabilities in your network or cloud environment. Once you find them, it is important to work with your internal teams to fix or “patch” those vulnerabilities. A good pentest will start with some sort of a vulnerability scan, but the next step is what makes it a pentest. This is where the pentesters actively exploit the discovered vulnerabilities and use their skills to discover the damage that a malicious attacker, and sometimes even a malicious insider, can do if they get inside your network.
- A Pentest is not a compliance checkbox
Well, in most cases it actually is a compliance checkbox, but my point here is that organizations shouldn’t look at a pentest as just a compliance checkbox. If you do, you are doing a disservice to your company’s overall security posture. Pentesting provides a great value. It shows the business how an attacker can compromise them, and the potential damages that can be done if that happens.
- No judgement.
This isn’t meant to be a report card, and it’s not meant to criticize anyone. It’s there to help your organization become more resilient and more prepared for a compromise, breach, insider threat, or any other kind of attack that might come your way. When going into a new pentesting engagement, go into it with an open mind. When they deliver their findings report, and they will find issues, use your Risk Management Program (you have one of those, right?) and identify your organization’s best options to mitigate the risks associated with those findings. If done correctly, a quality pentest will make your organization more secure in the long run.
- Which box?
There are mainly three different types of pentests: Black-box, Grey-box, and White-box.
- Black-box is when the organization provides no information to the pentester. They just say, “Hack us and tell us what you find.”
- Grey-box is when some low-level information is provided to the pentesters. For example, the pentester may be provided with a company laptop that has all the programs and tools that a non-privileged employee would have. They may also be given a network map and list of software that the company uses.
- White-box is when the pentester is granted privileged access rights similar to an admin. They may also be granted access to source code repositories.
So which one should you choose? The answer really depends on what the company is trying to accomplish. You may think that a black-box pentest is more realistic because you wouldn’t willingly hand over any information to adversaries, so it would seem logical for pentesters to start from the same starting point.
But I would argue against that logic. You are hiring security professionals to exploit your organization’s vulnerabilities to see what they can find before the bad guys get to them. These hired professionals are working under an extremely limited time and scope, whereas the bad guys don’t have those constraints. They have unlimited time and resources. They may have been performing reconnaissance on your company for months or even years. My advice is to give the pentesters basic employee access at a minimum. Let them see what an attacker could do if they were able to compromise an employee through phishing, or if the company had a disgruntled employee with access to company systems.
- Hire a professional
Pentesting companies are not all made equal. Make sure to find a well-respected, well-trained, reputable organization to perform your pentest. This is serious business. You don’t want to hire someone who will miss severe issues, and you don’t want someone who may bring down your organization’s network. Do your research. Look for certifications such as SANS GIAC certifications. Ask your peers for reviews.
- Budget for it
Find a way to fit a yearly pentest into your budget. I know it’s not cheap, but it’s important to realize that there are paid pentests and free pentests. And trust me, you don’t want to wait until you get a free one to learn about your vulnerabilities. In the end, the cost of the “free” pentest will far surpass the cost of the paid pentest. By the way, don’t try to find the free pentests. They are performed by criminal organizations. You won’t find them; they will find you. Hire a professional before it gets to that point.