There are many reasons for an organization to perform a penetration test of its information systems: to meet compliance standards, test a security team's capabilities, or determine the effectiveness of controls, to name a few. A badly scoped or poorly executed penetration test might do nothing more than validate known vulnerabilities, easily identified by software, or reiterate the efficacy of social engineering. However, with some preparation and engagement on the part of the consumer, a penetration test can provide real value to an organization's overall cybersecurity posture. Read on to learn how.
Effective penetration testing has two major advantages over automated scanners. First, human attackers who are determined, experienced, and motivated can discover misconfiguration vulnerabilities that automated scanners can't detect. One example is excessive user permissions that can be exploited to gain unauthorized access to sensitive systems and data. Second, human attackers can achieve their goal by stringing a variety of vulnerabilities together. This series of actions, called the attack path, is one of the most valuable elements of any penetration test report because it provides context for the identified vulnerabilities.
Context, Context, Context
Yes, it's important to know what vulnerabilities exist in your organization's network. But which ones do you spend your finite resources correcting? Which vulnerabilities are easily exploitable, and which aren't? Which put critical assets at risk? Which have to be fixed first? Without this context, you might spend time and money in the wrong place, leaving your organization exposed elsewhere.
A clearly described attack path, derived from a well-performed penetration test, can provide this context. For example, your organization might have an old Windows 2003 server running a mission-critical application. Because the server's operating system is no longer supported by Microsoft, it will never receive patches, even for major, exploitable vulnerabilities. However, if the penetration test discovers that the server is in a properly segmented, hard-to-access network, then the vulnerability is likely of a lower severity. You should still address it, but only after more critical vulnerabilities have been mitigated. This kind of context enables better decisions about the use of finite resources to improve the organization's overall cybersecurity posture.
Get Engaged, Get Value
Consumers of penetration testing can ensure a more valuable engagement for their organization by understanding what a penetration testing team does and by taking an active role from the beginning. Being highly engaged with the testing helps it generate and capture the appropriate context, which will allow the organization to make more informed decisions about where to allocate limited resources to improve its cybersecurity stance.
As you seek out and collaborate with a penetration testing team, consider the following points.
Determine Business Goals Consider what your organization wants to get out of the engagement. What are your high-value assets and associated targets? These should include data assets and business functions, not just technical systems, as we recently discussed in our blog post on cyber hygiene. What controls and capabilities do you want to test (for example, incident response, infrastructure security, policies and business processes, social engineering, physical security, fraudulent activity, or insider threat)? Who is the audience for the final report, what measures and metrics matter to them, and what impact do you want it to have on them?
Enumerate Likely Threats What are the organization's most likely threats (for example, script kiddies, hacktivists, organized crime, or insider threats)? Determine which of these threats the penetration testers should emulate and to what degree.
Establish a Realistic Assessment Scope While considering business objectives and likely threats, determine how realistic you want the penetration testing activities to be. You should arrange to have as much of your network tested as possible. Artificially limiting the penetration testing team's access to your network will preclude useful results. Real attackers are not going to ignore your mission-critical systems or limit themselves to network segments that are the most strictly controlled. You can avoid some risk by evaluating development or test environments instead of production environments, especially if they are mirrored.
Know Your Network Providing information about your network helps the penetration testing team quickly familiarize itself with your environment, generating greater value from the engagement. If the scope is large--for example, a large target network or high number of systems to be tested--and the timeframe for the engagement is short, then you'll need to cooperate more closely with the penetration testing team to produce useful results. If you don't know your network very well, the testing is an opportunity to fill in the gaps. Ask the testing team to include network information in its final report.
Establish Expectations and Stay Engaged Even a well-executed penetration test might cause service interruptions, and it will definitely cause headaches, for example, excessive security logs and alerts that require interaction with the penetration testing team. That being said, a good penetration testing team of course shouldn't go completely rogue and wreak havoc. Everything must be done methodically and ethically. Also, establish a main point of contact in the organization to be in constant communication with the testing team, and giving the team access to other security and information systems staff. Careful planning and strong communication and can alleviate some of the challenges of a penetration test and benefit both parties.
Plan for Post Assessment Engagement A penetration test report is frequently the only tangible output of an engagement. Just after testing ends--or, better, before it begins--talk with the penetration testing team about what you want out of the penetration test report.
Plan Your Next Assessment Penetration tests capture a point-in-time view of your organization's network and vulnerabilities. Future tests will address the challenges from changing environments, new technology, and the ever-evolving threat landscape.
In the first post in this series, I introduced the concept of the Minimum Viable Capability (MVC). While the intent of the Minimum Viable Product (MVP) strategy is to focus on rapidly developing and validating only essential product features, MVC...