Think about this for a moment — global CEOs rank cyber risk as a top concern ahead of macroeconomic volatility, health risks, climate change or even geopolitical crises. What’s worse, they represent organizations that are deploying top-tier security tools, teams and security measures. So where is everyone going wrong?
Truth is, cybersecurity is more than just committing resources, drawing up policies or building up defenses. What organizations need is proactive, multi-layered defense in depth and an approach that routinely weeds out security gaps and fine-tunes security measures in line with the loopholes identified. This is where penetration testing comes in: validating cybersecurity defenses and stress-testing them in a real-world environment using the techniques and methods an attacker would typically employ.
Penetration Testing Has Several Business Benefits
One of the foremost benefits of penetration testing is that it helps organizations ward off threats before they become disruptive events, helping to identify security weaknesses before cybercriminals can exploit them.
Pentesting becomes even more relevant if the business relies on third-party applications, outsourced services, or cloud infrastructure. Another business benefit which is not so obvious is that pentesting can help businesses save a lot of money on costs associated with recovery and remediation from cyber-attacks and breaches. The average cost of a data breach is $3.6 million per incident (and rising) and there are a multitude of other hidden costs (downtime, reputation, insurance premiums, loss of customers, etc.) that are not so apparent or explicitly calculated.
Penetration tests also help avoid compliance violations and hefty fines, since most regulatory standards such as HIPAA, SOC 2, GDPR, PCI DSS, and ISO 27001 mandate annual penetration tests. Additionally, if organizations want insurers to underwrite their cybercrime risk, regular penetration testing provides tangible data that businesses can use to negotiate policy coverage and premiums with cyber insurers. Penetration testing is also a great tool for testing the effectiveness of security measures, and results from penetration tests can be leveraged by security leaders to justify security investments and budgetary decisions.
Choosing the Right Pen Test
Choosing the right pen test can be confusing since there are numerous types of pen tests and pen test methodologies available. Before you engage a pentester it’s important to consider factors such as:
- What is it that you’d like to test? Is it your network, your applications, your devices, your wireless networks, your cloud environments?
- What is the outcome you are looking to achieve?
- Is it uncovering vulnerabilities or attaining compliance?
Remember that changes in the business environment or risk profile may affect pentest requirements. Once you’re clear on what your end goal is, zero in on the type of pentest you need. The most common types include:
- Network Testing (assessment of your internal and external infrastructure to test on-premise and cloud networks, firewalls, routers, switches, devices and systems);
- Wireless Testing (identifying rogue access points and weaknesses in the organization’s WLAN, including WPA vulnerabilities);
- Web Application Testing (testing web applications for weaknesses in design, coding and development practices);
- Mobile Application Testing (testing mobile applications to identify weaknesses in authentication, authorization, data leakage and session handling);
- Build and Configuration Review (identify misconfigurations across web and app servers, routers and firewalls).
Pentests also vary in focus, depth, duration, and secrecy, so it’s important to choose the right testing methodology, i.e., a black-box or white-box approach. White-box testing is an approach where details of your infrastructure, systems and target are shared with the ethical hackers. Such an approach helps maximize testing outcomes but does not exactly represent a real-world scenario. Black-box testing, in contrast, is an approach where ethical hackers mimic a real adversary and are not given any prior information or insight into the target environment. While real attackers have an unlimited amount of time, pentests are limited by budgets, so white-box testing is typically the best approach.
Pentesters use a combination of human knowledge and tools to run a variety of tests. Some pentesters also use automated pentesting software to run penetration tests. Unfortunately, such tools will only superficially detect some obvious vulnerabilities. Automated testing suits frequent, repeatable checks, whereas manual testing relies on human expertise and connects the dots that automated testing cannot. Experience shows that creativity and manual work make a big difference in test results. Especially when it comes to identifying things like business logic errors and authorization flaws, expertise will always outshine automated tools.
As businesses evolve and become increasingly dependent on technology, cyber risks and vulnerabilities will evolve alongside those changes, and pentesting will become an even more critical and continuous requirement. Finding the right provider is the key: someone who not only has the expertise to detect a wide range of vulnerabilities, but also provides an actionable plan to help you remediate them. One thing is clear, though: pentesting is probably one of the greatest tools we have in our fight against cybercrime.
About the Author
Michelle Drolet is CEO of Towerwall, a specialized cybersecurity firm offering compliance and professional onsite services with clients such as Foundation Medicine, Boston College and Middlesex Savings Bank. Founded in 1999 in Framingham, MA, Towerwall focuses exclusively on providing small to mid-size businesses customized cybersecurity technology programs. Reach her at michelled@towerwall.com.