Penetration Testing: Get More Value From Your Assessment Dollar
By Andrew Roberts, Chief Cybersecurity Strategist, cStor
Penetration testing can be a good way to identify weaknesses in your environment and provide guidance to help you improve your overall security posture. There are several variables in this equation, and understanding the options can help you get more value out of your testing dollar.
Penetration Test or Vulnerability Scan?
In the testing world, there are two main types of tests available: penetration tests (pen-tests) and vulnerability scans. Sometimes these two terms are incorrectly viewed as equivalent and interchangeable. It’s good to understand the differences.
Vulnerability Scan: An assessment that uses one or more scanning tools to identify vulnerabilities in the portions of your network that are included in the scan. While the tester may take some steps to validate vulnerabilities and/or eliminate false positives, they do not take any further manual steps.
Penetration Test: An assessment that works to identify weaknesses or vulnerabilities in the portions of your environment that are being tested. Once identified, further steps are taken to exploit those vulnerabilities to gain access, elevate access rights, or take other unauthorized actions. In most cases, a penetration test starts with a vulnerability scan and then goes much further.
To illustrate the difference between a penetration test and a vulnerability scan, let’s assume Acme Company hires two firms to test its environment. Firm A is asked to do a vulnerability scan and Firm B is asked to do a penetration test.
Firm A’s report states, “One server was found that is far behind on patches. This server should be patched immediately.”
Firm B’s report says, “We were able to elevate our credentials to Administrator-level access and download a confidential database containing all employee salaries, including that of the CEO. This was accomplished by exploiting a server that was far behind on the required security patches. This server should be patched immediately.”
Which of those is more useful and impactful for Acme Company? It’s hard to know for sure without knowing why Acme was doing that testing.
Reasons for Testing
When companies do this kind of testing, it’s typically for one of two reasons: to meet a compliance requirement (“Check the Box”), or to identify unknown weaknesses in the environment to enable improvements and better security. In most (but not all) cases, a vulnerability scan is sufficient to check the required box. While these compliance-driven assessments have their place, they generally don’t go far enough to provide real value and show you specific areas where security can be improved.
Even if compliance-driven assessments are completed regularly, every company should also be conducting other assessments designed to find areas of weakness that call for improvement. A clean report is not the goal; actionable information is. If your assessment ends without identifying a reasonable number of weaknesses, something is wrong, possibly the scope, the rules of engagement, the testing scenario, or your testing provider.
As environments evolve and become more mature, have the assessment look at different parts of the environment and use different techniques to ensure you don’t end up with a “clean” report. For example, if you have been conducting assessments from the outside attempting to get in and are generally secure from that perspective, it’s time to start doing an assessment that starts inside your firewalls. The results will be enlightening.
Mix It Up
Finding a good testing partner is hard. There are many options in the market and it’s not always easy to differentiate between the good ones and the great ones. Given that trouble, it’s tempting to stick with a single provider once you find one. Resist that temptation.
Testing providers develop one or more methodologies to use with their engagements. These repeatable processes make them more efficient and effective at delivering results to their clients. This is a good thing, but these repeatable processes also mean that many providers approach each engagement from the same perspective, using the same tools and techniques. This is not as beneficial in the long run.
Rotating your testing vendors among two, three or more providers will help you ensure you always get a fresh perspective on your environment using different tools and techniques. The net result is that one testing partner will likely find weaknesses missed by another, and you benefit by building a more robust security environment.