In my journey as a cybersecurity professional, I provide a wide variety of services to an even wider variety of clients. Within those services, there is one underlying value that I have come to appreciate above the rest: removing a false sense of security, which can be one of the most dangerous and common challenges of modern information security.
In a world of ever-changing information technology, getting comfortable isn’t always a good thing. A false sense of security can prevent the kind of questioning, testing and general concern that leads to continued improvement of an organization’s security.
Most importantly, a false sense of security obscures the true risk and impact of cybersecurity vulnerabilities, leaving management to make critical decisions regarding resource allocation and long-term roadmaps with inaccurate and incomplete information.
The unknown has always been and always will be one of the greatest challenges to security. It’s incredibly difficult for someone to effectively defend against an unknown method of attack. That’s why it’s so important for us, as security professionals, to constantly be identifying the unknown.
We attempt to identify the unknown by questioning our security controls, researching the latest techniques, verifying our detection capabilities, and reviewing our high-level and technical strategies for potential improvements. But at the end of the day, no matter how much progress we make, we are all still limited by the fact that people don’t know what they don’t know. Despite our best efforts, there will always be a new technique or an obscure vulnerability of which we are (so far) unaware.
This fundamental limitation is what enables penetration testing to be so valuable. A properly scoped and performed penetration test will identify the unknowns of an organization’s security and remove a false sense of security by demonstrating techniques that bypass those securities. That’s why so many organizations depend on penetration testing services to shine light on the unknown and help guide their security strategies.
It’s important to note, however, that not all penetration tests are created equal. One of the goals of this article is to educate consumers on the differences between a commodity penetration test and a high-quality penetration test.
Commodity Penetration Testing
A commodity penetration test will often use a standard, nonflexible approach, with a minimal scope. Its focus is on technical vulnerabilities because it is reliant on automated scanners. If the scans don’t identify any vulnerabilities, the test is over. This is an automated and binary approach, whereby the scanner only checks for missing patches. Any vulnerabilities identified by the scans will be presented via automated reporting with limited or no recommendations. Communication during the testing is minimal, and once the report is delivered the engagement is done.
High-Quality Penetration Testing
A high-quality penetration test will use a tailored methodology and flexible approach. The scoping processes should be collaborative and include as few restrictions as possible to best simulate a realistic threat actor. It should leverage all forms of vulnerabilities and exploits, including using social engineering, web application exploits and other realistic intrusion techniques. The reporting process should be very customized and impact-focused. Every finding should come with a detailed recommendation for potential remediation. Most importantly, the communication before, during and after the testing should be extensive and lead to a continued partnership.
The issues caused by these differences are not specific to small organizations. I have come to learn that nothing can be assumed about the effectiveness of an organization’s cybersecurity based on size, industry, resources or culture. Many of our clients have had high-budget annual penetration testing performed for years—with limited findings. We would prefer to state that the limited findings are commonly a result of the client’s exceptional security posture, however, we typically identify limitations to the scope and approach of the previously executed penetration tests that likely caused the limited findings.
Through collaboration with our clients and countless hours of vigilant research and training, we have implemented a more comprehensive and collaborative testing approach, and the results have been noteworthy.
Take, for instance, a recent example where we were able to gain remote access to a client network and eventually obtain domain admin rights to their entire environment by executing a series of crafted intrusion techniques. We then took the time that same day to walk our client through the circumstances that led to our successful compromise. Our client was shocked that none of their previous penetration testers had tried most of the techniques we used. Thankfully, we were able to remove their false sense of security and point to the specific areas of concern, in which they can continue to improve their security. The lesson here is that penetration testing techniques should be constantly evolving, much in the same way new cyber threats continue to emerge. Even after a successful penetration testing experience, it’s wise to avoid becoming overconfident.
There are certain basic steps that all organizations should keep in mind when considering a penetration test. It’s our hope that consumers become more selective with their penetration testers and more involved in the scoping and testing processes. Ask your penetration testers what techniques they’re using and encourage them to find the unknown vulnerabilities, so they can be remediated. If a penetration test comes back with no significant findings, be skeptical.
Lastly, penetration testing is not the only way to combat a false sense of security. Constant internal verification, audits, reviews, research and trainings can go a long way towards identifying the unknown in between penetration testing exercises. Questions are good; the right questions are invaluable.
Please feel free to contact us for more info about what constitutes a meaningful penetration test or any other cybersecurity-related matter.