Penetration testing

Pentesting as part of an organizational security program

Daniel Brecht
July 16, 2019 by
Daniel Brecht

Introduction

Robust IT security programs are a must for any organizations that rely more and more on information system infrastructures to manage data, activities, business procedures and relations with clients. As so much is stored and processed through a company’s IT systems, no business, regardless of size and type of industry, is safe from attackers and malicious hackers. 

A comprehensive approach is needed to help protect a network from cyber-related incidents before they occur. This must be a multi-faceted approach, including a variety of information assurance (IA) practices, tools, policies and procedures. 

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Medium-to-large companies often employ internal IT security teams that can perform risk analysis and incident detection activities to devise effective incident response plans and procedures. They often use automated tools to perform vulnerability scanning tests and also dedicate themselves to users’ education and awareness. In addition, they conduct formal audits to cover all relevant areas of their action plans and test them periodically to ensure all parts run smoothly and to correct deficiencies and weaknesses. Some companies decide to employ the services of outside consulting companies in place of or to complement the work of internal teams. 

Regardless of who an organization decides to entrust with the security of its IT infrastructure, an important component of a security program should be pentesting. This type of security review has become a best practice and can address corrective efforts for IT security weaknesses. Pentesters perform scenario-based testing on a variety of applications, platforms and technologies; services are tailored to the needs of clients who want to measure how effective their security posture is and which IT infrastructural changes, if any, are needed to ensure an efficient and effective information security program.


The need for a multi-faceted business security plan

Security experts cannot stress enough the importance of taking a proactive approach against cyberthreats. Those striving for a better security culture will harness a plan that emphasizes speed, preventive controls and rapid response. 

So what constitutes a good security program? Given the complexity of today’s IT architecture and the sophistication of many hacking attempts, a good security program needs to include a variety of activities that can address any possible vulnerabilities and inefficiencies in the established defenses. Vulnerability scanning tools and intrusion prevention and detection applications and techniques need to be applied, but you’ll also need a consistent calendar of testing and audits need to be implemented. In addition, you’ll need a robust set of policies to be enforced for the protection of users, data and systems. 

The weak link in the chain

Users can be one of the weakest links of the cyberassurance chain, and a good security plan needs to emphasize the need for awareness training. As many malicious attempts target employees through social engineering techniques or exploit vulnerabilities inattentively created by their browsing or improper use of devices, training and clear guidelines must be at the center of any program to turn users in the first line of defense against possible intrusions.

An effective IT security program, then, needs to include provisions for end users’ adherence to security policies, procedures, guidelines and standards (which are a necessary foundation of organizational security program), as well as an efficient remediation plan that takes into consideration a possible failure of the defenses in place. It’s essential to carefully document all steps involved in remediation, as well as backup and contingency plans.

Once all defenses are in place, users are trained and plans are made in case of trouble, what else can a business do to preserve its IT assets? A security plan can include professional security pentesting or audit services tailored to the needs of the organization. That can be used to determine whether the plan is in line with the organization’s objectives and, at the same time, find out if it is effective enough or needs amending. 

To protect the confidentiality, integrity and availability of assets, certified pentest professionals are hired to assess potential risks and vulnerabilities of all the computed information that an organization creates, receives, maintains or transmits. As organizations shift their security programs towards a risk management focus, pentesting can help improve readiness by helping to properly tune and optimize both the cybersecurity program and the technologies deployed to implement the risk management controls.

Why penetration testing?

Why penetration testing? Simply put, the process to scan, test, hack and secure systems can be a solution to combat insider or outsider threats. Penetration testing simulates real cyberattack scenarios and can detect suspicious or malicious behavior patterns as part of an active/passive information gathering phase. Professional pentesters can evaluate the internal and external risk factors that could cause harm to the organization’s operations and assets while reviewing the effectiveness of security controls in place. 

A pentester can provide internal testing, an assessment from inside the corporate network that mimics an insider’s attack by an authorized user with standard access privileges. External testing is also conducted by breaking through firewalls and intrusion detection/prevention systems (IDPS) to learn about how an outside attacker can get in and exploit once they've gained access. The professional then prepares reports that are vital to the success of an action plan to help avoid weaknesses recurring. 

A pentest can be used to test all parts of an organization's security program, including its policy compliance and the organization's ability to identify and respond to security incidents. Pentesting goes beyond a vulnerability scanning to provide businesses with more information on their readiness. A pentester’s value is not only in finding potential problems but also in documenting any user training needs, or even the security team that needs guidance.

The difference between these IA professionals and other security experts is that pentesters approach a business IT system as a malicious hacker would, with the only difference being that they are authorized to do so. Employing a variety of hacking techniques and social engineering efforts, they go beyond the scope of automated tools and intrusion detection software and can better find “holes” in the systems or internal threats. They are also very effective for real-life testing of new systems that are ready to be online. Pentesters are supposed to think and act like real-life hackers would. 

Internal versus contracted penetration tester teams

Having an internal penetration testing team is the obvious choice for many employers who’d rather entrust the safety of their data and applications to loyal employees than engage external consulting companies. Pentesting means gaining access to sensitive data and acquiring rights and credentials that could put the entire business at risk if in the wrong hands. Penetration testers can very well be part of existing security teams, especially in medium-to-large businesses.

Becoming a penetration tester does not require a specialized degree, but IT security professionals can be trained as ethical or “white hat” hackers to make this a career. They can become experts by attending courses and programs to gain theory and practice. Certifications can also prove the employee’s ability in pentesting and can guide students through roadmaps that lead to their growth as ethical hackers, leading them to be hired internally or externally for their services.

In-house penetration testers can be a great asset for a company that can rely on expert testing skills on demand and can count on continuous services and monitoring. This solution, however, is not viable for all organizations. Smaller companies, for example, might prefer to outsource pentesting services by entrusting the job to specialized companies that employ expert, certified professionals that are either freelance or employed in a firm, of course, with a proven track record and references. 

Outsourcing, however, is not just for businesses that don’t have the means to employ an in-house pentesting team. Larger organizations might also be interested in the services of specialized consultants who can bring the experience of having “attacked” several different enterprises with diverse infrastructures. The possibility of having an independent, external entity evaluate security procedures and readiness can be effective and eliminate the problem of possible complacency (even involuntary) of in-house teams. From a cybersecurity perspective, outsourcing can provide the additional resources to gain greater control of the total security infrastructure for a period of time at a consistent fee.

Obviously, trust is an important issue when considering such options. Companies need to be cautious when outsourcing penetration testing services, as it requires implicit trust in the third-party vendor and its ability to vet employees and provide trustworthy, trained, experienced consultants. Bomgar Corporation, in its Vendor Vulnerability report, discusses the results of a survey conducted in February 2016 that addressed “a general awareness of the threats posed by ineffective management and poor visibility of vendor access… 69% [of respondents who were all IT professionals across the U.S. and parts of Europe employed in various sectors] say they definitely or possibly suffered a security breach resulting from vendor access.” This becomes a “security threat to not just your business, but to your employees and customers,” Bomgar stated.

In many cases where systems were breached, the fault was attributed to placing too much trust in the vendors that were contracted, giving them full, unrestricted access to their systems and security controls. 

But it is not all bad news for businesses looking to outsource. A recent survey conducted by OnePoll on behalf of LogRhythm found that 70% of breaches were detected by a third party rather than by the organization itself. So it's a good idea to bring a fresh view from the outside periodically to perform penetration testing. And penetration testing needs to be more than a one-time exercise to analyze vulnerabilities, fix security issues and safeguard sensitive data.

Conclusion

The tremendous value of pentesting is to provide real-time visibility into the most critical vulnerabilities that may reside within computer, network-connected devices at the workplace. A pentester looks for suspicious activity and reports them. The process provides a better understanding of the risky behaviors and/or activities that are being undertaken by misguided employees or, worse yet, caused by malicious outsiders that have targeted them.

Considering the serious (often cyber-related) incidents impacting so many businesses, ethical hacking and penetration testing professionals can be the go-to specialists to gain an in-depth understanding of the organization’s security posture in aim to deter online criminals. So pentesting as part of an organizational security program is beneficial, as the test is a suitable process in verifying which of the potential vulnerabilities and attack paths can actually lead to a security compromise or exposure. In fact, after implementing security measures, enforcing policies and training users, businesses can use pentesting to test-drive the system and try its resilience against real-life attacks.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

 

Sources

  1. Every company needs to have a security program, AppliedTrust
  2. Best practice in outsourcing security, ComputerWeekly
  3. Vendor Vulnerability: How to Prevent the Security Risk of Third-Party Suppliers, Bomgar
  4. As Cyberattacks Evolve, So Should the Corporate Response, The Wall Street Journal
  5. The Benefits of Outsourcing Vulnerability Services, HackLabs
  6. Outsourcing – the weakest link?, The Cyber Security Expert
  7. Penetration Testing: DIY or Hire a Pen Tester?, eSecurity Planet
  8. Article 29 Working Party still not happy with Windows 10 privacy controls, SC Magazine
  9. 10 Costly Myths About Outsourcing Your IT, Tie National, LLC
  10. How to Make the Most of Your Pen Test, Security Intelligence
  11. Don’t Be Fooled! There’s No Such Thing as an Automated Penetration Test., PCI Compliance Guide
Daniel Brecht
Daniel Brecht

Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.