Let’s face it. The chefs in our lives were right when preaching the “clean as you go” philosophy while cooking. Keeping counters and utensils washed and put back in place helps thwart the influx of bacteria and spread of cross contamination that could make us sick. Shouldn’t that same philosophy apply to cyber security, too? Foregoing a “clean as you go” program and conducting a penetration test just once each year may check a compliance box, but ultimately prove to be unsuccessful when it comes to protecting your network and assets from the potential “bacteria” that can enter at any time.
Systems and applications in any organization become alarmingly vulnerable if monitored under a one-and-done scenario. An ongoing and continuous vulnerability management program or penetration testing program is an important guard against the potential threat to your technology assets that hackers pose nearly every second of the day. In fact, a University of Maryland study says that hackers attack every 39 seconds (on average 2,244 times a day). Think of how vulnerable your technology assets are in this environment if only penetration tested once a year.
As an aid to help put structure around a continuous penetration testing program, here are four core considerations that should be a key part of an always-on security program.
1. Prevent Breaches with an ‘Always On’ Testing Mentality
There’s no doubt about it: attack surfaces grow and evolve around the clock. With network configurations, new tools and applications, and third-party integrations coming online constantly, an atmosphere is created that opens the possibility of unidentified security gaps. This white paper points to the fact that cyber-attacks can affect your business and are almost as prevalent as natural disasters and extreme weather events. And we know from our own NetSPI research that nearly 70 percent of CISO security leaders are concerned about network vulnerabilities after implementing new security tools.
And those CISOs’ concerns are valid: take the recent announcement from the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). CISA published security advice for organizations that may have rushed out Office 365 deployments to support remote working during the coronavirus pandemic. A ZDNet article says that CISA warns it continues to see organizations that have failed to implement security best practices for their Office 365 implementation. CISA is concerned that hurried deployments may have led to important security configuration oversights that could be exploited by attackers. With continuous penetration testing in place, security leaders can identify high risk vulnerabilities in real-time and close those security gaps faster.
2. Automation Is a Tool; Human Logic Is Critical
Good pentesters use automated scanning tools (ideally from many different sources) and run frequent vulnerability discovery and assessment scans in the overall pentesting process. Vulnerability scanning is generally considered an addition to manual, deep-dive pentests conducted by an ethical hacker. Manual pentesting leverages the findings from automated vulnerability and risk assessment scanning tools to pick critical targets for experienced human pentesters to: 1) verify as high-fidelity rather than chasing false-positives, and then 2) to consider exploiting as possible incremental steps in an effort to eventually gain privileged access somewhere important on the network.
Purely automated tools and highly automated testing activities cannot adequately test the business logic baked into an application. While some tools claim to perform complete testing, no automated technology solution on the market today can perform true business logic testing. The process requires the human element that goes well beyond the capabilities of even the most sophisticated automated tools.
3. Penetration Testing Reports Don’t Have to Be Mundane
We can all agree that there isn’t much enjoyment in reading pages and pages of pentesting data presented in static excel or PDF documents. Now picture what the paperwork for a once-a-year penetration testing report. Gulp! Much like many of us consume the daily news headlines, so too should CISOs view the daily “headlines” of their vulnerability management programming through the display of live pentest report results.
Under this scenario, less time is spent analyzing penetration testing report data, opening valuable time to give to the important work of remediation. Insist on the following pentest report deliverables in your penetration testing program:
- Actionable, consumable discovery results to automatically correlate and normalize all of the data collected from multiple open source and proprietary tools.
- High quality documentation and reports related to all work delivered, including step-by-step screen-capture details and tester commentary for every successful manual attack.
4. Stay Ahead of the Attacks Through Remediation
To stay ahead of the every 39-second hacks every day, it’s important to enable fast and continuous remediation efforts to keep a threat actor at bay. This goes hand in hand with testing, analyzing, and reporting: if you’re not continuously testing for vulnerabilities, it’s highly probable that the issues remain unresolved. Layer in these remediation best practices into your pentesting program:
- Industry standard and expert specific mitigation recommendations for all identified vulnerabilities.
- Traceability and archiving of all of the work done to make each subsequent round of testing for your organization more efficient and effective.
Factoring these considerations—always on testing, manual testing, real-time reporting, and remediation—into the planning and design of penetration testing programs will significantly minimize the risk of damage or disruption that could occur in an organization, and dramatically boost the security of your cyber assets.