Four Must-Have Elements of an Always-On Cyber Security Program
Let’s face it. The chefs in our lives were right when preaching the “clean as you go” philosophy while cooking. Keeping counters and utensils washed and put back in place helps thwart the influx of bacteria and the cross contamination that could make us sick. Shouldn’t that same philosophy apply to cyber security, too? Forgoing a “clean as you go” program and conducting a penetration test just once each year may check a compliance box, but it ultimately proves unsuccessful when it comes to protecting your network and assets from the potential “bacteria” that can enter at any time.
Systems and applications in any organization become alarmingly vulnerable if monitored under a one-and-done scenario. An ongoing and continuous vulnerability management or penetration testing program is an important guard against the potential threat to your technology assets that hackers pose nearly every second of the day. In fact, a University of Maryland study says that hackers attack every 39 seconds (on average 2,244 times a day). Think of how vulnerable your technology assets are in this environment if only tested once a year.
To help put structure around a continuous penetration testing program, here are four core considerations that should be a key part of an always-on security program.
1. Prevent Breaches with an ‘Always On’ Testing Mentality
There’s no doubt about it: attack surfaces grow and evolve around the clock. With network configuration changes, new tools and applications, and third-party integrations coming online constantly, an environment is being created in which unidentified security gaps can open at any time. This white paper points to the fact that cyber-attacks can affect your business and are, unfortunately, almost as prevalent as natural disasters and extreme weather events. And we know from our own NetSPI research that nearly 70 percent of CISO security leaders are concerned about network vulnerabilities after implementing new security tools.
And those CISOs’ concerns are not unfounded: take, for example, the recent announcement from the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). It published security advice for organizations that may have rushed out Office 365 deployments to support remote working during the coronavirus pandemic. A ZDNet article says that CISA warns it continues to see organizations that have failed to implement security best practices for their Office 365 implementation. It is concerned that hurried deployments may have led to important security configuration oversights that could be exploited by attackers. With continuous pentesting in place, security leaders can identify high-risk vulnerabilities in real time and ultimately close security gaps faster.
2. Automation is a Tool; Human Logic is Critical
It’s a fact that good pentesters use automated scanning tools (ideally from many different sources) and run frequent vulnerability discovery and assessment scans as part of the overall pentesting process. Scanning is generally considered an addition to manual, deep-dive pentests conducted by an ethical hacker. Correctly understood, manual pentesting leverages the findings from automated vulnerability and risk assessment scanning tools to pick critical targets for experienced human pentesters to: 1) verify as high-fidelity rather than chasing false positives, and then 2) consider exploiting as possible incremental steps in a serious effort to eventually gain privileged access somewhere important on the network.
Purely automated tools or highly automated testing activities cannot adequately test the business logic baked into the application under test. While some tools claim to perform complete testing, no automated technology solution on the market today can perform true business logic testing. The process requires a human element that goes well beyond the capabilities of even the most sophisticated automated tools.
3. Reporting Doesn’t Have to be Mundane
We can all agree that there isn’t much enjoyment in reading pages and pages of testing data presented in static Excel or PDF documents. Now picture what the paperwork might look like if it is a once-a-year penetration testing report. Gulp! Much as many of us consume the daily news headlines, so too should CISOs view the daily “headlines” of their vulnerability management program through a display of live pentest results.
Under this scenario, less time is spent analyzing report data, freeing valuable time for the important work of remediation. Insist on the following report deliverables in your pentesting program:
- Actionable, consumable discovery results to automatically correlate and normalize all of the data collected from multiple open source and proprietary tools.
- High quality documentation and reports related to all work delivered, including step-by-step screen-capture details and tester commentary for every successful manual attack.
4. Stay Ahead of the Attacks Through Remediation
To stay ahead of attacks that arrive every 39 seconds, every day, it’s important to enable fast and continuous remediation efforts that keep a threat actor at bay. This goes hand in hand with testing, analyzing, and reporting: if you’re not continuously testing for vulnerabilities, it’s highly probable that the issues remain unresolved. Layer these remediation best practices into your pentesting program:
- Industry-standard and expert-specific mitigation recommendations for all identified vulnerabilities.
- Traceability and archiving of all of the work done to make each subsequent round of testing for your organization more efficient and effective.
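Two of the deliverables above, correlating and normalizing discovery data from multiple tools (section 3) and keeping traceability across rounds so each subsequent test is more efficient (section 4), are easier to reason about with a concrete script. The following is an added example and not NetSPI’s code or any product’s output: it takes constructed findings from two hypothetical scanners (a CSV export labelled tool_a and a JSON export labelled tool_b), normalizes them to a common schema, merges duplicates on host, port and title, keeps the highest severity reported by any tool, and then diffs the merged set against a constructed previous round to label each finding new, persistent or remediated. The CVSS-to-label thresholds follow the CVSS v3 qualitative rating scale; the column and key names are assumptions for the sake of the example.

```python
"""Correlate findings from several scanners and track them across testing rounds (example code)."""
import csv
import io
import json
from dataclasses import dataclass

# Ordered from least to most severe; index() gives a comparable rank.
SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]


@dataclass
class Finding:
    host: str
    port: int
    title: str
    severity: str   # one of SEVERITY_ORDER
    sources: set    # which tools reported it


def severity_from_cvss(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "info"


def finding_key(f: Finding) -> tuple:
    """Correlation key: host, port and a whitespace/case-normalized title."""
    return (f.host, f.port, " ".join(f.title.lower().split()))


def parse_tool_a(csv_text: str, source: str = "tool_a") -> list:
    """Hypothetical CSV export with Host,Port,Name,Risk columns (assumed layout)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [Finding(r["Host"].strip(), int(r["Port"]), r["Name"].strip(),
                    r["Risk"].strip().lower(), {source}) for r in rows]


def parse_tool_b(json_text: str, source: str = "tool_b") -> list:
    """Hypothetical JSON export with ip/service_port/vuln/cvss keys (assumed layout)."""
    return [Finding(item["ip"], int(item["service_port"]), item["vuln"],
                    severity_from_cvss(float(item["cvss"])), {source})
            for item in json.loads(json_text)]


def correlate(findings: list) -> dict:
    """Merge findings that share a key; union the sources and keep the worst severity."""
    merged = {}
    for f in findings:
        k = finding_key(f)
        if k in merged:
            m = merged[k]
            m.sources |= f.sources
            if SEVERITY_ORDER.index(f.severity) > SEVERITY_ORDER.index(m.severity):
                m.severity = f.severity
        else:
            merged[k] = Finding(f.host, f.port, f.title, f.severity, set(f.sources))
    return merged


def diff_rounds(previous_keys, current: dict) -> dict:
    """Label findings relative to the archived previous round for traceability."""
    prev, cur = set(previous_keys), set(current)
    return {"new": sorted(cur - prev),
            "persistent": sorted(cur & prev),
            "remediated": sorted(prev - cur)}


# Constructed sample exports; not real scanner output.
TOOL_A_CSV = """Host,Port,Name,Risk
10.0.0.5,443,TLS 1.0 Enabled,Medium
10.0.0.5,22,SSH Weak MAC Algorithms,Low
10.0.0.9,80,Outdated Web Server Banner,Info
"""

TOOL_B_JSON = """[
 {"ip": "10.0.0.5", "service_port": 443, "vuln": "TLS  1.0 enabled", "cvss": 7.5},
 {"ip": "10.0.0.9", "service_port": 8080, "vuln": "Default Admin Credentials", "cvss": 9.8}
]"""

# Constructed archive of the previous round's correlation keys.
PREVIOUS_ROUND_KEYS = [
    ("10.0.0.5", 443, "tls 1.0 enabled"),
    ("10.0.0.5", 22, "ssh weak mac algorithms"),
    ("10.0.0.9", 80, "outdated web server banner"),
    ("10.0.0.3", 445, "smb signing not required"),
]


def run_report() -> tuple:
    """Normalize, correlate and diff; returns (merged findings, round diff)."""
    merged = correlate(parse_tool_a(TOOL_A_CSV) + parse_tool_b(TOOL_B_JSON))
    return merged, diff_rounds(PREVIOUS_ROUND_KEYS, merged)


if __name__ == "__main__":
    merged, delta = run_report()
    for k, f in sorted(merged.items(), key=lambda kv: -SEVERITY_ORDER.index(kv[1].severity)):
        print(f"{f.severity:<8} {f.host}:{f.port:<5} {f.title}  [{', '.join(sorted(f.sources))}]")
    for status, keys in delta.items():
        print(f"{status}: {len(keys)}")
```

Because the previous round is stored as correlation keys rather than raw tool output, the same diff works regardless of which scanner first reported a finding, and a finding seen by two tools with different severity ratings surfaces once, at the higher rating, instead of twice.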