Not All Pen Tests are Created Equal

Kevin Dawson, our CEO and President, shares his thoughts.

Check out the original article on LinkedIn here

Don’t get me wrong, penetration tests (or “pen tests”) are an important part of an overall information security plan. But not all pen tests are created equal, and a pen test is not the answer to everything. I have a growing concern when customers, partners, or prospects say “We need to know how the hacker might get in, we need a pen test” or “We have to be prepared for an incident, we need a pen test!”

Let’s consider that first comment. These days, it’s unlikely that a hacker is going to breach your operation through your website or other Internet-facing services. By now, your house should be in order from a configuration and patching perspective. But a lot of pen tests out there – particularly the free or one-off, fully automated services – only bump up against the perimeter of your organization from the outside. There’s a place for that kind of superficial penetration test, for sure. It’s important to make sure there’s no low-hanging fruit on the branches. But a thorough penetration test – let’s call it an “ethical hack” – just starts with controlled remote attacks on your external services to test their resilience. Then the ethical hackers will be permitted to work from the inside out to test for potential vulnerabilities to social engineering threats. They’ll leave a “safely” infected USB drive in your kitchen to see who plugs it into their computer. They’ll test the security on administration accounts, they’ll test employee awareness through ethical phishing attempts, they’ll scan internal systems for patch compliance, unnecessary services, and compromising system misconfigurations. You can get pen tests that will unearth vulnerabilities in your application software, your networks, your IoT devices. “Pen test” can mean a wide range of things.

Sure, these more elaborate and sophisticated “red team” ethical hacks will cost more, take longer, and involve more commitment from your security team. But the purpose of conducting a test shouldn’t be ticking an audit box or “getting it over with”; the goal should be to probe the areas that are most susceptible to attack to identify and resolve soft spots. The goal should be better protecting your digital assets, your data, your customers and staff, and your reputation. Achieving that goal means both testing from the outside in, and the inside out.

Frankly, the most likely threats these days are internal, either from intentional cybercrime or stemming from an unintentional act. The vast majority of ransomware attacks you read about every day started from someone clicking a link, visiting a site, or downloading a file they shouldn’t have. And once inside, the hackers exploit internal weaknesses and move laterally through your systems in ways an external pen test cannot see. This is why employee awareness is so important – more and more breaches are caused by unauthorized use of valid credentials, so staff need to be on the alert at all times.

By all means, do a pen test – but understand what it will show you, and what it won’t. Test thoroughly, and absolutely test your personnel to ensure they’re adequately trained and relentlessly vigilant.

Let’s look at that second comment. After the description above, it should be clear that the best pen test in the world isn’t going to help your response in the unfortunate event of a successful breach. The answer here is having an incident response plan. It is essential for today’s digital business to conduct a risk assessment, develop an incident response plan, and keep it tested and updated regularly. Consider a fire safety analogy here: doing a pen test is checking whether you have a fire extinguisher; incident response is making sure you know how and when to use it. We recently published an in-depth series on incident response planning which explains more, and we have an outstanding team ready to answer questions and assist you with incident response planning and execution.

So again, by all means, do a pen test – but understand what it is, and what it isn’t.

I’d love to hear more of your thoughts about pen testing, whether they’re cautionary tales or success stories. The more we can learn from each other, the more we can strengthen our resilience against the cyber threats out there. Contact me or my team anytime!
