Penetration Testing: How to Get the Most Out of Your Assessment
By Andrew Roberts, Chief Cybersecurity Strategist, cStor
We’ve known for years that Penetration Testing can be a good way to identify weaknesses in your environment and provide guidance to help you improve your overall security posture. In today’s world, we have also learned that penetration testing is a critical, and often required part of your cybersecurity program. There are several factors that determine the amount of benefit that comes from this testing and understanding the options can help you get more value out of your testing dollar.
Penetration Test or Vulnerability Scan?
In the cybersecurity testing world, there are two main types of assessments available: penetration tests and vulnerability scans. For some, these two terms are incorrectly viewed as equivalent and interchangeable. They are not. It’s good to understand the differences.
Vulnerability Scan: Uses one or more scanning tools to identify vulnerabilities in the portions of your network that are included in the scan. While the tester may take some steps to validate vulnerabilities and/or eliminate false positives, they do not take any further manual steps.
Penetration Test: Works to identify weaknesses or vulnerabilities in the portions of your environment that are being tested. Once identified, further steps are taken to exploit those vulnerabilities to gain access, elevate access rights and/or take other unauthorized actions. In most cases, a penetration test starts with a vulnerability scan and then goes much further.
To illustrate the difference between a penetration test and a vulnerability scan, let’s say that Soylent Corporation has hired 2 firms to test their environment. Firm A is asked to do a vulnerability scan and Firm 2 is asked to do a penetration test. Both firms are given an identical scope: Soylent’s entire externally facing IP range.
Firm A’s report states, “One server was found that is far behind on patches. This server should be patched immediately.”
Firm B’s report says, “We were able to elevate our credentials to Administrator-level access and download a confidential database containing all employee salaries, including that of the CEO. This was accomplished by exploiting a server that was far behind on the required security patches. These vulnerabilities can be replicated using the steps below. This server should be patched immediately.”
Which of those is more useful and impactful for Soylent Corporation? It’s hard to know for sure without knowing why Acme was doing that testing.
Reasons for Testing
A few years ago, companies did this kind of testing for one of two reasons: to meet a compliance requirement (“Check the Box”), or to identify unknown weaknesses in the environment to enable improvements and better security. The two tests were different. Times have changed.
Today, everyone should be doing penetration tests with the focus on improving their security posture. Those tests will still meet your compliance requirements, but that is a secondary benefit.
If a penetration test has not been done recently (or ever), it is often good to start with a vulnerability scan. This is faster and less costly. It will also give you the most glaring weaknesses so they can be addressed right away. Once things have been tightened up, move on to penetration testing to get a deeper look at the environment.
As things evolve and become more mature, have the assessment look at different parts of the environment and use different techniques to ensure you don’t end up with a “clean” report. For example, if you have been conducting assessments from the outside attempting to get in and are generally secure from that perspective, it’s time to start doing an assessment that starts inside your firewalls. The results will be enlightening.
Mix It Up
Finding a good testing partner is hard. There are many options in the market and it’s not always easy to differentiate between the good ones and the great ones. Given that trouble, it’s tempting to stick with a single provider once you find one. Resist that temptation.
Testing providers develop one or more methodologies to use with their engagements. These repeatable processes make them more efficient and effective at delivering results to their clients. This is a good thing, but these repeatable processes also mean that many providers approach each engagement from the same perspective, using the same tools and techniques. This is not as beneficial in the long run.
Rotating your testing vendors among two, three or more providers will help you ensure you always get a fresh perspective of your environment using different tools and techniques. The net result – one testing partner will likely find weaknesses missed by another – and you benefit by creating the most robust security environment.
Modernize Your Approach
In the past few years, penetration testing has changed for the better with the introduction of crowd-sourced penetration testing services like Synack. These services can provide testing at your pace – up to continuous testing! They also provide you with many testers (instead of the traditional one or two with a standard penetration test) and granular controls over what gets tested and how rigorously. Delivered in a subscription “as a service” model, companies like Synack can adjust to meet your rapidly changing needs and budgets.