Back

Lifewire: Phishing Is More Common (and More Dangerous) Than Ever—Here’s How to Stay Safe

On September 28, NetSPI’s Patrick Sayler was featured in the Lifewire article called Phishing Is More Common (and More Dangerous) Than Ever—Here’s How to Stay Safe. Read the preview below or view it online.

+ + +

New figures show that fraudsters are increasingly using phishing and similar methods when gaining access to user information and accounts, but there are a number of ways people can help protect themselves.

Data collected by the Office for National Statistics (ONS) in England and Wales show that instances of computer misuse and fraud have increased in recent years, particularly since the onset of the COVID-19 pandemic and recent cost of living increases. But while bad actors are beginning to turn to phishing as one of their main methods of committing fraud, experts say that doesn’t mean people can’t take steps to minimize the chances of falling for those attempts.

“Overall, individuals need to make security part of the fabric of their everyday routines, Jamie Moles, Senior Technical Marketing Manager at security firm ExtraHop, told Lifewire via email. “Everyone holds a level of responsibility in combating phishing attacks, and positive reinforcement, continuous education, and solid feedback loops are all key to making it stick.”

Fighting Back

Experts like Moles believe that people can help reduce the chances of becoming a victim of phishing by taking more care when scrutinizing email messages that they receive. “Check the sender’s email address,” he said, noting that “this is often an easy red flag that users miss when they’re in a hurry, or it looks like the note came from their boss or CEO.” Phishing attempts are often made to look like they came from an authority figure, making potential victims less likely to question a request for information, for example.

Any call initiated by a third party should initially be treated as suspicious because they might not be who they say they are. “Situations involving [calls and messages] can be independently verified through the relevant company’s web page,” Patrick Sayler, principal security consultant at NetSPI, told Lifewire via email. If in doubt, call them back on a number known to be legitimate and not necessarily the one they called you from.

You can read the full article at Lifewire!

Back

NetSPI Champions Cybersecurity Awareness Month 2022

Penetration testing leader joins list of organizations empowering individuals and businesses to bolster proactive cybersecurity measures.

Minneapolis, MN — NetSPI, the leader in enterprise penetration testing and attack surface management, has signed on as an official Champion of Cybersecurity Awareness Month 2022, an annual initiative held each October to promote cybersecurity awareness and best practices. The Cybersecurity Awareness Month Champions Program is a collaborative effort among businesses, government agencies, colleges and universities, associations, nonprofit organizations, and individuals committed to the growing importance of cybersecurity in society.  

Cybersecurity Awareness Month is co-led by the National Cybersecurity Alliance and the Cybersecurity and Infrastructure Agency (CISA). This year’s campaign theme is “See Yourself in Cyber,” demonstrating that while cybersecurity may seem like a complex subject, ultimately, it’s really about people. 

“Technology cannot solve our greatest cybersecurity challenges – at least, not on its own. People are our greatest asset in providing security for individuals, organizations, and the nation,” said Heather Crosley, VP of People Operations at NetSPI. “Empowering people to make smart decisions, supporting limited resources with technology innovation, and fostering the next generation of skilled cyber talent are three critical ways we can combat sophisticated cybersecurity threats in both the private and public sectors.” 

To encourage individuals to explore a career in penetration testing and help lessen the current skills gap, NetSPI developed NetSPI University (NetSPI U), an extensive entry-level training program where candidates gain a baseline skill set to execute web application and external network penetration tests. Led by NetSPI’s own expert pentesters, NetSPI U features classroom-based learning, hands-on labs, and opportunities to shadow some of the most brilliant minds in cybersecurity. Trainees also can contribute to new and innovative pentesting tools, techniques, and methodologies. 

Crosley added: “The industry needs people who are self-starters, curious, eager to learn, and want to make a difference in society at large. From there, the rest can be developed by supporting career-oriented initiatives like NetSPI U.” 

For more information about NetSPI U, please visit www.netspi.com/careers. Learn more about Cybersecurity Awareness Month 2022 at staysafeonline.org/cybersecurity-awareness-month.  Check out these additional resources that align to this year’s theme: 

About NetSPI 

NetSPI  is the leader in enterprise penetration testing and attack surface management. Today, NetSPI offers the most comprehensive suite of offensive security solutions – attack surface management, penetration testing as a service, and breach and attack simulation. Through a combination of technology innovation and human ingenuity NetSPI helps organizations discover, prioritize, and remediate security vulnerabilities. For over 20 years, its global cybersecurity experts have been committed to securing the world’s most prominent organizations, including nine of the top 10 U.S. banks, three of the five largest healthcare companies, the leading cloud providers, and many of the Fortune® 500. NetSPI is headquartered in Minneapolis, MN, with global offices across the U.S., Canada, the UK, and India. Follow us on Facebook, Twitter, and LinkedIn.   

About Cybersecurity Awareness Month

Cybersecurity Awareness Month is designed to engage and educate public- and private-sector partners through events and initiatives with the goal of raising awareness about cybersecurity to increase the resiliency of the nation in the event of a cyber incident. Since the Presidential proclamation establishing Cybersecurity Awareness Month in 2004, the initiative has been formally recognized by Congress, federal, state and local governments and leaders from industry and academia. This united effort is necessary to maintain a cyberspace that is safer and more resilient and remains a source of tremendous opportunity and growth for years to come. For more information, visit staysafeonline.org/cybersecurity-awareness-month/  

About National Cybersecurity Alliance 

The National Cybersecurity Alliance is a non-profit organization on a mission to create a more secure, interconnected world. We advocate for the safe use of all technology and educate everyone on how best to protect ourselves, our families, and our organizations from cybercrime. We create strong partnerships between governments and corporations to amplify our message and to foster a greater “digital” good. National Cybersecurity Alliance’s core efforts include Cybersecurity Awareness Month (October); Data Privacy Week (Jan. 24-28th); and CyberSecure My Business™, which offers webinars, web resources and workshops to help businesses be resistant to and resilient from cyberattacks. For more information, please visit https://staysafeonline.org

Back

CISO Perspectives: Cybersecurity Budgeting Edition

It’s time to tackle the elephant in the room. The often awkward and uncomfortable conversation every CISO must hold with their board and executive teammates around this time of year. That’s right – we’re talking cybersecurity budget and metrics. 

‘Tis the season for planning your cybersecurity activities. With rising threats and increasing breach-related financial repercussions, it’s likely many of us will need to communicate the need for additional dollars and resources. And this is no easy feat. 

We won’t pretend that we’re the experts on cybersecurity budgets, though, we do know a thing or two about optimizing your penetration testing budget and the factors that influence the cost of a penetration test. So, we tapped the experts for advice during recent episodes of the Agent of Influence podcast. 

Podcast host and NetSPI Managing Director Nabil Hannan asked three experienced CISOs — Cecil Pineda (R1 RCM), Rob LaMagna-Reiter (Hudl), and Samir Sherif (Imperva) — for tips on measuring security ROI and how to communicate budgeting needs. Here is what they had to say. 

What metrics are effective when presenting your cybersecurity budget needs to the board or C-Suite? 

Cecil Pineda, SVP/CISO at R1 RCM: Today, we’re seeing a lot of usable metrics. Some organizations like to look at the negatives. You could highlight all the incidents that you’ve experienced, how many risks you have in a risk register, how many non-compliant items are in your compliance programs, and how many risks are critical, medium, or low. 

For many years, I felt fear, uncertainty, and doubt. This can be useful, but it doesn’t always help me communicate my needs. My leadership team was in on our security program, asking where our competitors are at. How does our program benchmark against others in our industry? Where do we want our scores to be? 

Maturity metrics, particularly the NIST Cyber Security Framework (CSF) metrics and the Capability Maturity Model Integration (CMMI) framework, have helped me measure my program. For example, in the healthcare industry, the average CSF score is about 2.8 or 2.9. If you start your program at 2.3, you have to think about how do I get to 2.8? Though, ideally, you want to target higher than 2.8 so that you’re aiming above the industry average.  

Then, identify all the opportunities to get there. It could be people, it could be processes, or it could be technologies. These are the things that we need to improve.  

Samir Sherif, CISO at Imperva: My focus has always been less about specific data points. If you’re running one program, it’s less about getting numbers off that program to show value. For example, if it’s a vulnerability management program, it’s not just about reducing vulnerabilities. 

How is security making a difference in generating more revenue for the business? How is that adding value to improve customer communications or reduce risks for the organization? That’s what they really care about and look for.  

At the end of the day, we are risk leaders. That’s all we are. But we have to have the same kinds of conversation as the IT and engineering leads might around providing value and building efficiency over time.  

So, the metrics I’ve leveraged is a combination of showing risk data, but also resiliency data. It’s a combination of how my capabilities, programs, and the leaders that work for me, are delivering to help move the needle and enable the business to move faster and grow. And that’s what really resonates with senior leaders and the board. Ultimately, you end up getting more budget to build upon that. 

Rob LaMagna-Reiter, CISO at Hudl: I’ve searched and searched, and to date, I’ve not found a single, consistent, reliable metric that can make the case for more budget or showcase ROI.  

With that said, there are several areas that you can consider. First off, everything is personalized. But I’ll try to provide some examples of tactics I’ve used in the past that start very generally, and over time, you can tweak those to your specific business.  

Let’s say you’re starting out and you’re convinced that you’re seeing an underinvestment in information security. There are plenty of benchmarks out there, everything from the security dollar spent per full-time employee, security budget as a percentage of the IT budget, security budget as a percentage of revenue, and so forth.  

You can use those low, moderate, or high averages as benchmarks to showcase where you fall along that path. There’s also something called the “cybersecurity poverty line” that was illustrated many years ago. It showcases organizational revenue and resources and helps illustrate where along that line organizations possibly are investing versus where they shouldn’t be investing.  

You can also use business drivers, such as acquisitions. You can formulate a weighted average cost per IT asset required for security. Then, as the business grows, security is already an assumed cost of doing business. Most importantly, I found that it always needs to be aligned with that business growth in the strategic objective. 

These are a few ways to get started. As you’re working through your program, it is important to understand what business leaders care about. Have you enabled my availability and uptime? Have you shown improvement year over year? There are always parts of the business that are growing faster than the overall weighted average of either revenue or top line growth. You need to be increasingly aware of the scope of those situations and how it impacts security. 

Remember, it’s not that the board and leadership team doesn’t want to spend on security, they just want to know that the resources and the budget will enable the growth in business resiliency.  

Many of the examples I’ve shared have dollar value components, but it requires a lot of analysis and partnership with business units to get to an agreed-upon state so we can showcase both budget asks that are rooted in reality, as well as ROI. I wish there was an easy figure or benchmark I can provide you, but everything is very personal to your business.  

It requires a solid relationship with not just your CFO leadership team but across all of your peers and board to make sure that we’re all on this journey together. We’re not going to get everything we want every single year. But if we’re making incremental and iterative improvements in the right direction, you’ve done your job as a security leader. 

Beyond metrics and objective data, are there other tactics that work well for you when communicating your cybersecurity budgeting needs? 

Cecil Pineda: There are many ways to communicate without data. I’ve learned this from many great CISOs before me. One of the most effective tools in our arsenal is storytelling. You can tell a really good story, but you have to align it to your leaders.  

Today, a lot of our board of directors and senior leadership are tech savvy. We see it in the news. They know all the risks and threats and all these security controls that are at our disposal. Having a good story to tell that includes here’s where we are and here are some of our challenges is important.  

There are so many things that can’t make it into a slide deck. When I’m presenting, I always try to make sure that I tell the story behind those metrics. Those stories are very powerful. When I was a first-time CISO, I’ll be honest with you, I didn’t know how to tell a story. I was just relying on data always. But it wasn’t enough. 

As I went on to different companies and different roles, I’ve learned how to craft a strong story. I recently learned that my CIO is actually a former CISO and an academic. I listen to him and I watch him. I’m still amazed how he can tell a really good story and be able to drive people together and gain support with stories. 

Samir Sherif: Before you even build any ROI models or metrics, make friends with your CFO and CFO teams. At the end of the day, they’re the ones who are going to help you keep the lights on and also make sure that you’re budgeting and spending appropriately. 

Being at the table and not thinking that cybersecurity is a priority everybody needs to worry about is concerning. Just like an athlete needs to worry about their health, cyber professionals need to worry about the health of their organization. But there’s also performance demand, right? 

Being a part of a team that can have a good conversation around what’s the greater objective and strategy is key. Helping influence that strategy is important to be successful in the field that we’re in. 

Rob LaMagna-Reiter: I like to take real business workflows or issues in the organization and help paint a picture and showcase what operations would be like if my ask, or if an above-average project, is approved.  

It’s about connecting those crown jewels in the business to something that leadership knows is tangible. They want to be able to see the benefits and efficiencies. You have to remember, at the end of the day, nobody cares about cybersecurity or information security as much as we do. They do care, but it’s not their day-to-day as it is ours.  

It’s about storytelling versus fear-mongering. Over coffee or lunch, get to know your leadership team’s motivations. And don’t always assume the worst case scenario. Always approach them with empathy. 

Showcase cybersecurity against peers within our verticals or organizations of other similar sizes. Tie it to the business initiatives and showcase why it is necessary and clearly state what your recommendations are.  

Something that I’ve learned over time is you never want to leave with only one recommendation. You always want to offer leadership with, at minimum, two options. One is obviously going to be your preferred path. But leadership will want to see that you’ve thought through some of the ramifications. Get creative. There are always going to be trade-offs. Leadership will appreciate the time and effort and will take your recommendation to heart and open it up for discussion. Tunnel vision can sometimes lead to less budget getting approved. 

Listen to the full episodes of the Agent of Influence podcast online, or wherever you listen to podcasts: 

This post is part of a series on cybersecurity budgeting. Check out these additional resources:  

Back

Components of an Effective Penetration Testing RFP

You are unhappy with your current pentesting provider; automated testing isn’t providing the results you need; you are required to rotate your pentesting vendor annually; a budget request was approved for your organization’s first penetration testing program.  

Whatever the reason, most security leaders will find themselves taking part in the pentesting vendor selection process at some point in their career. 

Embarking on the search for a new vendor is no easy task. Especially in today’s marketplace with hundreds of partners that have varying methodologies and expertise. To effectively choose a penetration testing company that will be the best fit for your organization you must be careful in the questions you ask.

A penetration testing Request for Proposal (RFP) communicates essential information about the project and services you need – including the logistics of the project, such as objectives and timeline. A detailed and focused RFP questionnaire can set the trajectory for the success of your program.  

So, what exactly makes an effective penetration testing RFP? Let’s take a look at a few core components.  

Security Testing Objectives 

When writing an effective RFP, be sure to answer these questions:  

  1. How will we use the test results?
  2. What do you hope to achieve with these services? 

Clearly defining your test objectives at the start will help vendors better understand how your organization views pentesting, what services to recommend, and what methodology to use to achieve those objectives.  

Business Overview 

You can’t expect a vendor to recommend services without a baseline understanding of your business. What does your organization do? What types of data do you store or process? What’s at risk if you were to experience a security incident? 

Selection Criteria 

Establish clear criteria to weed out the outliers and create a pool of qualified partners. Define what you are looking for in your vendor partner and, if applicable, explain what was lacking in your past partner(s). 

Recommended Services  

Additional emphasis on “recommended.” Leave the services recommendations section open-ended to allow vendors to provide strategic suggestions that extend beyond your initial proposal if they see the need for it. 

Pricing Summary 

Pricing is one of the more foundational components of an RFP, or as some call it, a Request for Quote (RFQ). Beyond asking for a general quote estimate, ask vendors to break down how they price their services, how change orders are processed, how they handle out-of-scope adjustments, vulnerability retesting costs, and any other logistical information. This extra information will help you avoid hidden costs in the future. 

Penetration Testing Methodology 

The section digs into how the pentest will be performed. It is arguably one of the most important pieces of an RFP for penetration testing.  

Some questions to consider: How do they ensure consistency? What is their vulnerability validation process? How do they escalate the discovery of high and critical vulnerabilities? 

At a very high level, there are three core pentesting methodologies to keep an eye out for: 

  • Automated, technology-driven testing. Similar to a SaaS delivery model. 
  • Manual testing using available resources. 
  • Hybrid testing approach that leverages a combination of automated and manual testing. See: NetSPI’s Penetration Testing as a Service (PTaaS) approach. 

The methodology you ultimately choose should depend on your organizational objectives and needs.  

Vendor Risk Management Questionnaire 

Vendor risk management, third party risk management, supply chain security… regardless of what you call it, it’s crucial that you ask vendors what security practices they have in place to protect the integrity of your data. Here are five core initiatives to inquire about: 

  • Company policy for performing screening and background checks on employees to ensure that none of the people hired pose an information security threat. 
  • Training processes to inform employees on the privacy, security policies, and procedures necessary to meet the obligations of this project. 
  • How the vendor will protect and store your data at rest and in transit and how/when the data is purged from their systems. 
  • Third party risk management policies and details. 
  • Business Continuity Plan. 

References  

Now it’s time to evaluate the vendor’s ability to complete the project. Ask the pentesting vendor to provide 3-4 references for you to review. This is validation that they are familiar with your industry, your objectives, and the type of services requested. 

Download our Penetration Testing RFP Template 

The RFP process may feel administrative and tactical on the surface. But a strong pentesting RFP is foundational to your overall security program success.  

Choosing the wrong pentesting partner can leave organizations in a challenging and expensive situation.  

To help, NetSPI examined the thousands of RFPs we’ve participated in to create a comprehensive template RFP for penetration testing services. In the template, you’ll find prompts and example questionnaires for the above components – and much more. Best of luck with your search!

Penetration Testing RFP | Downloadable Template
Back

Payments Journal: Three Actionable Metrics Banks Can Track to Stay Ahead of Cybercriminals

On September 20, Payments Journal featured NetSPI Managing Director Norman Kromberg’s article on Three Actionable Metrics Banks Can Track to Stay Ahead of Cybercriminals. Read the preview below or view it online.

+++

If asked what the top industry for cyberattacks is, everyone would likely mention financial services. Banks, specifically, continue to be one of the top targets for cybercriminals, due to the critical assets financial institutions possess – primarily personal customer data and money.

It is one of the most targeted sectors for a reason, with the cost of cybercrimes being the highest in the banking industry, reaching $18.3 million annually per company. But, the financial industry is also known to have some of the most mature cybersecurity programs, which equates to quick remediation.

In recent years, we’ve seen a rise in digital banking, which was largely accelerated by the pandemic. This has led to an increased, more complex attack surface for cybercriminals, and more entry points.

In fact, in the first half of 2021 alone, the industry reported 30% more ransomware attacks than in all of 2020. As a result, regulators and cyber insurance underwriters have become stricter, making it vital – and often required – that banks, and the financial industry as a whole, have offensive cybersecurity strategies in place that are tailored to their unique threat landscape.

As financial institutions grapple to adhere to these mandates, many have seen the value in metrics in meeting such strict requirements. There are many ways to utilize metrics for business success, including determining a company’s IT footprint, time to breach remediation, and revenue being prioritized for security measures, just to name a few. In this piece we’ll dive into three of the top metrics cybersecurity experts can use to adhere to regulatory demand.

Read the full article at Payments Journal!

Back

The CyberWire: White House issues a memorandum on software supply chain security

On September 15, NetSPI CTO Travis Hoyt was featured in The CyberWire article, White House Issues a Memorandum on Software Supply Chain Security. Read the preview below or view it online.

+++

White House issues a memorandum on software supply chain security.

The White House yesterday issued guidance for Federal agencies’ use of software security practices. The memorandum instructs agencies to obtain a self-attestation from software providers that their products are in line with NIST’s security guidelines:

“Ensuring software integrity is key to protecting Federal systems from threats and vulnerabilities and reducing overall risk from cyber-attacks. The NIST Guidance provides ‘recommendations to federal agencies on ensuring that the producers of software they procure have been following a risk-based approach for secure software development.’ Federal agencies must only use software provided by software producers who can attest to complying with the Government-specified secure software development practices, as described in the NIST Guidance.”

Chris DeRusha, Federal Chief Information Security Officer and Deputy National Cyber Director, said in a statement, “The guidance, developed with input from the public and private sector as well as academia, directs agencies to use only software that complies with secure software development standards, creates a self-attestation form for software producers and agencies, and will allow the federal government to quickly identify security gaps when new vulnerabilities are discovered.”

Industry experts were quick to comment on the new guidelines.

Travis Hoyt, CTO of NetSPI, sees implications not just for code, but for the environment in which code is developed:

“Today’s guidance from the Biden administration not only dictates the effort software developers must put into their code, but how they manage their own environments, as well. First, the introduction of a Software Bill of Materials (SBOM) is bound to have the greatest impact to security, but it also brings with it a learning curve as creating an SBOM may be a net new requirement for some firms. Additionally, the ubiquitous use of open source software means that developers leveraging these packages must pay greater attention to who is contributing to them and what is being incorporated into their products.

“Proactive penetration testing and source code review will prove critical to ensuring that given the changes, organizations are adhering to the latest guidance properly to better protect the software supply chain. Overall, this latest guidance is a step in the right direction for supply chain security, which has continued to plague the public and private sectors for far too long.

You can read the full article at The CyberWire!

Back

Security Magazine: National Insider Threat Awareness Month 2022

On September 8, NetSPI Managing Director Nabil Hannan was featured in Security Magazine’s article on National Insider Threat Awareness Month 2022. Read the preview below or view it online.

+++

September is National Insider Threat Awareness Month, which emphasizes the importance of safeguarding enterprise security, national security and more by detecting, deterring and mitigating insider risk.

The risks of espionage, violence, unauthorized disclosure and unknowing insider threat actions are higher than ever; therefore, maintaining effective insider threat programs is critical to reducing any security risks and increasing operational resilience.

National Insider Threat Awareness Month is an opportunity for enterprise security, national security and all security leaders to reflect on the risks posed by insider threats and ensure that an insider threat prevention program is in place and updated continuously to reflect the evolving threat landscape.

Below, in honor of National Insider Threat Awareness Month, security leaders offer advice on how to reduce insider threat risks effectively.

Nabil Hannan, Managing Director, NetSPI:

To account for internal threats, there must be a mindset shift in what constitutes an organization’s threat landscape. Most companies focus exclusively on external threats and view their own people as trustworthy. As a result, insider threats are often under-addressed cybersecurity threats within organizations. We learned with SolarWinds that detecting such a threat is vastly different from traditional pen testing, code review or other vulnerability detection techniques. 

Security teams need to move from only looking for vulnerabilities to also looking for suspicious or malicious code. With a vulnerability, the threat actor interacts with the attack surface in a way that exploits a weakness. With malicious code, the threat actor is either choosing or creating the attack surface and functionality because they have control over the system internally. 

So, instead of the threat actor exploiting vulnerabilities in the attack surface, now the threat actor creates the attack surface and exercises the functionality that they implement. Failing to implement threat modeling that studies potential threats to both vulnerabilities and malicious code can set your organization up with a false sense of security.

You can read the full article at Security Magazine!

Back

Security Guy TV: Threat Hunting with Scott Sutherland of NetSPI

On August 26, NetSPI’s Scott Sutherland was featured in episode 2732 of the Security Guy TV. You can read the summary below or watch the video online.

+++

  • PowerHunt and PowerHuntShares are open-source tools useful for 1) people hunting for vulnerabilities in software or environments and 2) people looking for an active threat in an environment.
  • PowerHuntShares looks for misconfigured network shares. It goes out to Active Directory, pulls down a full inventory of all the computers in the environment, and evaluates all of their shares to identify which ones are the highest risk.
  • PowerHunt identifies existing threats in an environment or potential existing threats. It goes out to Active Directory and pulls down a list of all the computers in the environment. Then it uses PowerShell remoting to collect data from 25 different data sources to hunt for malicious activities.
  • Ransomware threat actors share a lot of common behaviors: clearing security logs, using standard persistence methods, etc.
  • Zero trust is a natural evolution of the Principle of Least Privilege.
  • Open source is a great way to help people learn, grow, network, and collaborate. It helps generate awareness of issues – like the share problem – and acts as a leverage for companies to go and get budget for commercial tools that can do ongoing monitoring or identification of issues in the environment.
Back

How Much Does a Penetration Test Cost?

How much does penetration testing cost? Short answer: It depends.

At its core, penetration testing services enable IT and security teams to demonstrate the efficacy of existing security controls and improve the security of networks, applications, cloud, and even physical locations. This is done by simulating the actions of a skilled threat actor to discover key areas of insecurity

The cost of a penetration test can differ based on several variables – from pentesting methodology to the complexity of the target.

Ultimately, it begins with the requirements of each organization and the key objectives you hope to get out of your pentesting results. Common penetration testing goals and objectives include: 

  • Compliance with security testing requirements from a third-party authority, such as the HIPAA Security Rule, PCI Security Standards, or industry regulators (e.g., OCC, FDIC, FRB, State Bank Regulators – NYDFS).
  • Hardening application security prior to deployment.
  • Managing code change.
  • Validation and benchmarking of existing security controls.
  • Support internal IT, development, and security teams.
  • Reducing incidents and breaches.

Knowing which variables impact the cost of a penetration test will allow you to strategically allocate budget based on your cybersecurity program objectives, your organization’s risk tolerance, and compliance and regulatory requirements. My goal is to help you better understand the cost components to ensure you’re paying only for what you need. Interested in learning how to optimize your penetration testing budget? Read our guide.

As you evaluate your cybersecurity budget for next year, keep these six core components in mind.

Download: How Much Does Penetration Testing Cost?

1. The Complexity of the Penetration Test Environment

It’s important to consider the criticality of the environment. One with a high level of risk or critical business impact (your “crown jewels”) can cost more to test due to urgency, the number of people it affects, and its role in day-to-day business operations.

Will the test require overnight testing or extensive travel? Ensure you budget for these nuances.

Multiple types of penetration testing services exist. There’s network pentesting, application pentesting, and cloud pentesting, as well as red team operations, to name a few. The time, effort, and resources required for each test may differ based on the complexity of the environment and the size of the attack surface. Here are a few examples of how complexity can influence cost: 

Application Penetration Testing

A two-page application with one user role is less expensive to test than an application with multiple user roles and varying levels of access. Some components that contribute to the complexity of the app include: 

  • Production vs. non-production applications
  • Number of dynamic and static pages (or screens)
  • Number of unique API requests serving content
  • Number of endpoints
  • Number of user roles, type of role, and their levels of access

Cloud Penetration Testing

The complexity of a cloud pentest depends on how it’s configured in your organization, the assets stored on the cloud, and the number of people who utilize it. Other elements include:

  • Type of testing required (internal testing, external testing, or configuration review)
  • Cloud architecture (AWS, Azure, or Google Cloud)
  • Number of systems and services on the cloud
  • Number of tenants or business units  

Social Engineering Penetration Testing

These security exercises assess a company’s ability to identify and respond to real-world attack and breach scenarios in real-time. The level of complexity varies based on the type of assessment. With social engineering, assessments can range from an email phishing campaign to a full-blown on-site physical pentest. Other considerations include:

  • Automation vs. human-led assessments   
  • Time box  
  • Number of pre-defined targets  

2. Regulatory Compliance

Compliance requirements vary across industries, geographies, and more.

The pentest requirements in the payment card industry differ from healthcare and financial institutions, governed by well-known standards such as PCI DSS, HIPAA, and FINRA, respectively. Highly regulated industries such as banks and healthcare require more in-depth and frequent pentests, while industries such as technology, higher education, and nonprofits demand less extensive pentests due to fewer regulatory requirements. Geography can also influence the depth of security activities required by your local, state, and federal laws.

Additionally, customized reporting for your compliance requirements warrants additional time and dedication from your team, which can also increase the cost of a pentest.

While compliance may be a core objective for your organization’s pentesting program, at NetSPI, we encourage a risk-based approach to security. You can learn more about this in the SC Media article I wrote, Rethink Your Cybersecurity Resiliency Using a Risk-based Strategy.

3. Penetration Testing Methodology

Pentesting companies and internal teams develop their own penetration testing methodology, but many are derived from the top three globally recognized frameworks: OWASP, NIST, and MITRE ATT&CK.

These frameworks serve as a great resource due to their adaptability and level of standardization over the years.

With these frameworks as a baseline, some vendors rely entirely on automated pentesting, others manual. Others take a hybrid approach. Automated pentests yield results quickly and are typically inexpensive, but they cannot detect all security vulnerabilities or chain together low-risk vulnerabilities to identify areas of weakness. They simply aggregate surface-level data, which can check the box for some organizations.

A manual pentest on the other hand can yield detailed, critical-level results and explanations but is lengthy and relies heavily on the tester assigned to your project. Each has its pros and cons, but the most strategic and cost-effective pentests utilize both.

NetSPI uses a team-based approach supported by our Resolve™ Penetration Testing as a Service (PTaaS) platform. We combine automated pentesting and manual pentesting to deliver the highest quality vulnerability findings efficiently and consistently.  

4. Pentest Depth and Breadth

Manual pentesting can drive up costs but provides the greatest value: uncovering business critical vulnerabilities that tools cannot. If a vendor quotes you lower than the average pentest cost of other vendors, I recommend exploring their methodology deeper to understand the depth and breadth of the pentest.  

It all comes down to the depth and breadth of the checklist, methodology, and tenure of the pentester – the insights and perspectives that have been brought into that methodology and approach.   

A word of advice? Any pentest on a medium-sized application with multiple user roles listed at $4,000 is probably not a true penetration test.   

Alternatively, consider a source code assisted penetration test. A source code assisted penetration test offers many benefits:  

  • More thorough results  
  • More comprehensive testing  
  • More vulnerabilities discovered  
  • No added cost   
  • Much more specific remediation guidance for identified vulnerabilities   

5. Remediation Testing  

Paying a third-party for remediation testing will cost more, but the value of retesting typically outweighs the cost. With it, you gain peace of mind that the remediation steps taken were effective and that the vulnerability does not persist. Additional remediation-related tasks that may drive costs up include in-depth remediation support and guidance.   

The number of vulnerabilities being retested following remediation directly affects the penetration test cost. A word of caution: some vendors automatically bundle remediation into their pricing model for all vulnerabilities. Often, this level of remediation testing is unnecessary, given many organizations balance testing between internal and external teams. You shouldn’t be charged for something you don’t need.  

Some firms, like NetSPI, have transitioned to a “pay for only what you need” a la carte approach which significantly reduces costs and ensures you do not overpay for remediation testing. You only pay for the number of vulnerabilities you need retested. If you have an in-house team validating vulnerabilities, you won’t get charged for this extra step. Or, if you uncover only a few critical vulnerabilities, you can choose to only retest and validate that the issues that pose the greatest risk to your business were resolved.   

6. Quality and Expertise of Pentesters  

When you pay for a penetration test, you pay for the quality and expertise of your pentesters.   

Consider working with teams that hold industry standard certifications. For example, CREST-certified penetration testing companies are known to demonstrate competency and consistency in their services. You can learn about other valuable certifications in this CSO article, 8 Top Penetration Testing Certifications Employers Value, including:  

  • Offensive Security Certified Professional (OSCP)  
  • Offensive Security Wireless Professional (OSWP)  
  • EC-Council Certified Ethical Hacker (CEH)  
  • SANS offensive security courses 

Certifications alone are not enough. Like in any field, proven, hands-on experience is invaluable. An experienced partner should be familiar with the scope and type of assessment and should have experience testing similar sized organizations and industries. Less experienced or established partners may charge less.   

This factor also directly correlates with the complexity of the environment being tested. Complex environments – mainframe, IoT, etc. – require more experienced pentesters.  

It’s important to note that choosing a penetration testing partner backed by years of experience and equipped with the necessary tools for the engagement can save you money in the long run. Experienced, quality pentesters can identify critical security vulnerabilities that others miss.  

One Size Pentest Does Not Fit All  

So, how much does a penetration cost? It depends.   

The six factors above play a critical role in how your costs will change and the results you receive. Use these as a baseline to help you identify a solution and partner that fits your organizational priorities and cybersecurity budget.  

As you evaluate your testing program and budget, you’ll quickly find many providers in the space. Beyond the factors that influence the average cost of a pentest, here are four criteria to help you choose a penetration testing partner:  

  • Select an agile team. They’re always improving their processes to meet the ever-changing needs of the business.   
  • Look for consistency: They should also have a consistent and standardized methodology built around the delivery of quality, service, and results. Your test shouldn’t only be as good as the latest tester assigned.  
  • Select a team that spends more time on the actual testing versus the administrative tasks. Enable your pentesting team to use creative approaches to find business logic vulnerabilities.  
  • Decide how much external support you want or need from a remediation standpoint.  
  • Ask about their pentesting talent, processes, technology, and culture to ensure you’re working with a team that meets your objectives.  

There are many factors that determine the cost of a penetration test. When looking for a penetration testing partner, consider a team like NetSPI that will look out for your best interest both from a financial and risk perspective. 

This post is part of a series on cybersecurity budgeting. Check out these additional resources: 

Back

VMblog: September is National Insider Threat Awareness Month – Experts Weigh In

On September 6, NetSPI Managing Director Nabil Hannan was featured in VMblog’s article on September is National Insider Threat Awareness Month – Experts Weigh In. Read the preview below or view it online.

+++

September marks National Insider Threat Awareness Month, a time dedicated to emphasize the importance of detecting, deterring and reporting insider threats. This began as a collaborative effort by U.S. government agencies, three years ago and has now grown to both the public and private sector. 

In honor of the month, industry experts have shared their thoughts on different strategies organizations can use to protect themselves from these threats.

Nabil Hannan, Managing Director, NetSPI 

“To account for internal threats there must be a mindset shift in what constitutes an organization’s threat landscape. Most companies focus exclusively on external threats and view their own people as trustworthy. As a result, insider threats are often under addressed cybersecurity threats within organizations. We learned with SolarWinds that detecting such a threat is vastly different from traditional pen testing, code review or other vulnerability detection techniques. Security teams need to move from only looking for vulnerabilities to also looking for suspicious or malicious code. With a vulnerability, the threat actor interacts with the attack surface in a way that exploits a weakness. With malicious code, the threat actor is either choosing or creating the attack surface and functionality because they have control over the system internally. So, instead of the threat actor exploiting vulnerabilities in the attack surface, now the threat actor creates the attack surface and exercises the functionality that they implement. Failing to implement threat modeling that studies potential threats to both vulnerabilities and malicious code can set your organization up with a false sense of security.”

You can read the full article at VMblog!

Discover how NetSPI ASM solution helps organizations identify, inventory, and reduce risk to both known and unknown assets.

X