Better Tailored Offensive Assessment
The maturity of an organization’s security program and the number of past assessments should be a critical metric considered when an organization contracts to have any sort of offensive assessment performed. I cannot count the number of times that, while preparing to perform a penetration test, I find that the organization had the exact same assessment at least once before and often for many years running. It is important that this assessment is not being performed simply to “check the box” for compliance. While compliance is an important part of remaining secure, the bar set by most standards is not nearly high enough to truly protect an organization from modern malicious threats. The assessments and scope should be carefully considered from a risk-based and business process standpoint to ensure that the outcome will be used to help improve the security stance of the organization as well as to help meet, or beat, compliance minimums.
Now, it is certainly true that doing the same assessment each year is a lot better than no testing at all. However, if an external penetration test is performed against the same systems year after year, there is little chance of finding any serious issues that were not previously known. Sure, there may very well be a new vulnerability on those systems, but those are usually found by vulnerability scans. Penetration tests and other in-depth offensive assessments are time-consuming and generally only performed once or twice a year. This means that once or twice a year most organizations have a limited window of time in which a skilled offensive security professional will dig into any systems or networks they are given authorization to look at. It is the responsibility of leadership to carefully consider their business and security goals and provide a scope of systems that can help them to achieve these goals.
Expand What You Test, Expand What You Know
Continuing to perform the same actions and expecting the results to be different is futile. Should these organizations be performing the exact same test year after year? Does it even seem like the same test will make any significant impact after the first year? The answer to both of these questions is simple and binary: no!
It is perfectly acceptable to simply add to last year’s test – check the same systems plus a new subnet or subset of systems. By performing a penetration test once a year and expanding the scope as the security program matures, the security program will be significantly more mature in just a few years. Also, awareness of vulnerabilities and holes in the network will be remarkably improved.
Penetration testing and other offensive assessments, such as phishing, social engineering and adversary simulations (which will be detailed in the next blog in this series), are most effective when specifically tailored for the target organization’s maturity. For example, if an organization has never had any offensive assessment performed, it would be best for them to start small, with their most critical web-facing systems. After the web-facing infrastructure has been evaluated and remediated, another penetration test of just those systems (the same scope) will not make any major impact on the security stance of the company.
Use the Hacker at Your Disposal
If your organization is considering a penetration test or has already scheduled one, make sure there is a detailed and thorough dialogue between your organization and the tester. Hackers have been attacking systems for a long time, and we know some of the highest-risk areas. We can help you determine how to best meet your goals and test the systems that are potentially at the greatest risk.
In all of CynergisTek’s penetration testing offerings, there is a need to limit scopes – money and time are not unlimited. We strive to assist you in finding the greatest value in your offensive assessments. Regardless of the scope or number of IPs that are “included” with your test, we would rather look at a larger picture and help you narrow that down from a risk-based perspective. We will assess the list and help to identify the systems that we believe are most at risk, allowing you to limit the scope as needed without lowering the value that can be gained from the testing performed.
Email firstname.lastname@example.org for more information on CynergisTek’s penetration testing and offensive assessments.