By Mark Lanterman, Chief Technology Officer, Computer Forensic Services
Carolyn Engstrom, Director of Corporate Compliance
In the fifth and final installment of this cybersecurity series, I will discuss the role of penetration testing in developing a strong security program. As described in my previous four articles, a growing awareness of cybersecurity regulations, trends, and threats has led many organizations to request a penetration test of their technical infrastructure—without really knowing what that means, what its purpose is, and what degree of assurance it really offers.
When I ask if they have already conducted a security assessment, know their controls, have implemented regular vulnerability scanning, and have security auditing procedures in place, they usually respond with “That’s what we’re asking for. We want a penetration test”. In this way, penetration testing and all the other components of cybersecurity plans have become synonymous terms. This conflation is especially prevalent in small to medium-sized firms. However, each component is separate and distinct within a mature security program all serving different purposes, leveraging different methodologies, providing different levels of assurance and benefits, requiring different skills from the assessor, providing different deliverables, and are performed at different stages of a security program’s development. In order to reap the most benefit from a penetration test, the organization should be able to answer the following five questions based on the previous maturity assessment, security risk assessment, and security audits.
- Do we know what is connected to our systems and networks at all times?
- Do we know what software is running, or trying to run, on our systems and networks?
- Are we continuously managing our systems using “known good” configurations?
- Are we continuously looking for, and managing, “known bad” software?
- Do we limit and track the people who have the administrative privileges to change, bypass, or over-ride our security settings?
A penetration test is an attempt to defeat boundary defenses and gain access to an organization’s internal network by exploiting vulnerabilities. This test is used to determine whether an unmitigated risk exists. In this sense, it tests whether an outside attacker could bypass perimeter controls, gain access to the internal network, and establish command and control capabilities. Many techniques can be employed during a penetration test including vulnerability scanning and social engineering attacks.
Social engineering attacks are targeted at exploiting the human vulnerabilities in an organization. Spear phishing emails, unauthorized issuing of credentials, and taking advantage of physical vulnerabilities can all be examples of ways in which an assessor will use social engineering during a penetration test.
If a security assessor is unable to stage a successful penetration test, this confirms that, taken as a whole, internal controls are operating effectively to externally protect the organization from threats. With these results, management may mistakenly assume that the organization is secure. However, unlike broader security audits, a penetration test provides limited assurance to a specific point in time. Depending on the timeline, results could vary substantially. A penetration test conducted one day could fail to reveal serious vulnerabilities that appear the next day. Risk levels are always changing, which is part of why a complete understanding achieved through maturity assessments, security assessments, security auditing, and regular vulnerability scanning is so critical. Penetration testing provides only a glimpse of an organization’s overall security posture.
Ultimately, a penetration test is only a fraction of developing a strong cybersecurity plan. However, the fact remains that it is very important and these tests are frequently required for compliance with regulations. A penetration test’s objective is essentially to circumvent security controls, providing a different perspective than other security audit measures. Therefore, penetration testing may uncover issues that a traditional security audit or assessment may not.
In conclusion, complete security plans incorporate a number of factors, all of which are important in establishing a strong cybersecurity posture. Each stage and technique of the process ought to be regularly conducted in order to provide baselines and comparisons for improvement. But it should be noted that in spite of an organization’s best efforts, no security policy is perfect. Given the constantly changing nature of technology and its inherent risks, security policies have to evolve to meet the demands of our digital landscape.
[clickToTweet tweet=”The Components of Strong Cybersecurity Plans Part Five: Penetration Testing ” quote=”The Components of Strong Cybersecurity Plans Part Five: Penetration Testing ” theme=”style3″]