We heard, "we need a pen test" from at least a dozen business leaders that visited our SecureWorld booth this year. It's definitely a conversation starter and we'd like to share what we know.
Not a Commodity Solution
When we talk about penetration tests, it's important to emphasize how much variety there is in today's marketplace. Some vendors are heavily focused on network testing, while others dig deep into web applications or cloud services. If asked to deviate from their area of specialization, many providers will decline the business or recommend you speak to a partner.
It's common in the industry for pen test companies to take a software-only approach. They run an automated tool, email you the resulting data, and call it a day. As long as the test meets the minimum requirements to check a box on a compliance form, it's deemed sufficient. How scary is that? Running a one-time test of a limited range of IP addresses isn't "visibility" and contributes little to developing actual resilience to a cyber-attack.
Our view is that penetration tests should combine scanning technology and human intelligence to evaluate an organization's entire technology stack (networks, systems, sites, and applications). Those tests should be part of a larger strategy that is informed by modern frameworks like NIST and Zero Trust. Anything less will give a false sense of security.
With all of that in mind, Envision's leadership put together our RootLevel Security team and created one of our most powerful services we offer, the Comprehensive Network Security Assessment (CNSA). The goal was to go beyond the average pen test and provided ongoing, actionable threat intelligence.
Inside the Mind of a Threat Actor
The word "hacker" has been misapplied so many times that it's starting to lose its meaning. Let's talk about threat actors, because that term is a lot more broad...a threat actor doesn't have to be a foreign government or a shadowy senior IT professional to be dangerous.
A threat actor could be an angry former employee that deletes all of your important files on their way out the door. Or a non-technical amateur with a ransomware-as-a-service package (that includes free customer support if the target doesn't pay up!) Threat actors come in all shapes and sizes, and can originate from anywhere. More often than not, well-meaning employees unwittingly provide bad actors with a way in.
CNSAs are conducted by our Certified Ethical Hackers. That team attacks the way real criminals do - with a multitude of common and custom approaches. While they don't do any actual damage, our team's attempts to get in are indistinguishable from real breach attempts.
In our popular webinar Tales from the Breach: Incident Response Stories from a Hacker's Point of View, our Certified Ethical Hackers shared insights into their process, as well as their perspective on incident response. If you missed it, check it out, it's just as relevant now as when it first aired.
Documentation Really, Really Matters
A company called us up about a year ago and said, "I hired a competitor to perform a pen test. They ran a scan for me and gave me a ten page report. I don't know what the report means or what to do next, can you help?"
The documentation that comes out of a penetration test should be: extremely detailed, business-focused, risk-ranked, and remediation-oriented. Let's talk about each of those elements one at a time.
- Detail is pretty straightforward...a one page report is probably so high level that it isn't actionable. On the other hand, some reports we've seen run hundreds of pages. So it is possible to be so overly descriptive that it becomes noise.
- Reporting should be business-focused. The audience is generally c-suite executives and business owners...the reporting should speak to your concerns without launching into a sales pitch.
- Each vulnerability should be ranked according to the likelihood of exploitation, the level of the exploit, and how much damage can be done if it is exploited. When it comes to cybersecurity, prioritization matters.
- The documentation should serve as the foundation for a remediation plan. If a security gap presents a clear danger to the business, it has to be filled. If not, there's a chance your senior leadership will be held personally liable.
Our RootLevel Security team produces documentation that meets this criteria and takes the time to explain it. If there are remediation opportunities, we work closely with the client to address them. But that isn't common in the industry, so if you aren't getting the support you need from a vendor, don't be shy about asking why.
Summing Up
Achieving sustainable security is every organization's top priority, yet the technology landscape keeps changing. That means that assessments like penetration tests can't be one-and-done. We recommend quarterly CNSAs so our clients can be assured that old vulnerabilities have been remediated and no new ones have popped up.
If you need guidance on penetration testing or cybersecurity in general, we're here to help. We have a consultative model that can arm you with the info you need (whether you ultimately become a client or just a friend). Think of us as a resource and book a little time on our calendar if you want to chat.