Almost every morning I wake up and read about another company that has been breached, and consumers' or patients' information has been stolen as a result. It's getting to be so common that social security numbers and credit card numbers posted on dark Web sites sell for less than a dollar each. Every time this happens, the public is outraged and the security community starts pointing fingers and asks which company is doing the security testing for the breached organization. "Have they had a penetration test?" "When was it done?" "By which firm?" And the inquisition continues. In many of these breach situations we learn that the company had, indeed, been doing regular penetration testing with a security vendor, so this begs the question: how did they still get hacked? There are a number of reasons for this, however the question I want to focus on is: Are the companies getting the right kind of security testing? And whose responsibility is it to make sure they get the right kind of test in the first place?
A Test by Any Other Name
A penetration test is, by definition, meant to simulate the actions of a skilled attacker finding the paths of least resistance into a network. These are often avenues of attack which cannot be found by automated security tools or scans because they require the attacker to identify the pivot points which expose the smaller weaknesses chained into an attack. These exposures can have devastating effects on an organization, but to find and exploit them, human intelligence is necessary.
Security vendors offer a number of different types of testing; the type that’s eventually conducted should be based on the maturity of the organization’s security program. The most important thing, in my mind, is to accurately assess whether your organization is ready to benefit from having a penetration test. If your company has a lot of known easily exploitable (and easily fixable) issues such as missing patches and default passwords, a penetration test is not going to be beneficial. Get your house in order first, then start to discuss testing with a vendor. While companies should understand their own basic security posture, in my opinion, it is the responsibility of the vendor to arm their sales people with the correct information and questions to help the company determine the type of testing needed to strengthen its existing security program. A testing vendor should be the expert in testing capabilities and outcomes, and it is their obligation to educate the prospective client rather than diving in for the biggest sale.
As a penetration tester, what I often learn is that the organization I am testing has failed to conduct the basic prerequisites to a penetration test. They are not frequently running vulnerability scans, no program to remediate issues is in place, there is no accountability for unpatched systems, written policies that enforce a company’s security program are not established. These are all issues addressed through risk and vulnerability assessments, not pentests. What often happens during the sales process of many testing vendors, however, is that the hype of all of the latest breaches is used as a way to scare customers into thinking they need a full-blown penetration test because it sounds sexy. They use words like “attacker,” “threat actor,” and “cyber kill chain” to enforce the gravity of the situation. What I don’t often see during the sales process is the right questions being asked about a prospect’s current security program. Failure to scope an engagement properly wastes time, effort, and money on behalf of all parties involved.
Consider this situation: Your company purchases a full scope penetration test for $50,000 and the consultants arrive onsite on Monday morning. You feel protected because you have a number of high dollar security products protecting your assets and your sales representatives have assured you that these products will keep you safe. At lunchtime you receive word that the penetration testers have completely owned the entire internal network because of a default password on a developer’s test workstation. How did this happen? Did you just waste $50,000 on something that a $1,200 vulnerability scanner and one of your security analysts should have caught?
So, Now What?
In all likelihood, your company would have been better off with a vulnerability assessment. A penetration test is designed to allow the testers to find one or two paths of least resistance into your network, whereas a vulnerability assessment is designed to create a big picture of the network and uncover low-hanging fruit-type issues that an attacker might easily exploit. A scan, combined with a competent assessor who can manually verify the findings and eliminate false positives, can be a very effective tool for securing your organization, and it allows you to form a pretty accurate picture of the major issues in your organization fairly quickly and thoroughly. More often than not, a company receives a penetration test which uncovers several issues, but because they misunderstand their pentest results and the process and methodology used to generate the results, they fix just the issues exploited by the pentester. As a consequence, the company believes it is now secure when, in fact, a few hundred other machines exist in their enterprise with the same issues.
As a general rule, an organization should buy a penetration test only after it has completed several rounds of vulnerability assessments, either internally or aided by an external vendor. The same vendors who offer penetration tests almost always offer vulnerability assessments as well. If your current vendor is not asking the right questions—How often are vulnerability scans taking place? Has your company implemented a process to fix found issues? Do you run follow up testing to make sure the issues have been remediated?—then it’s time to get a new security vendor. The last thing good penetration testers want is to run a full penetration test when the client really needs a vulnerability assessment; the goal of a pentest is to provide the best value for our clients and equip them with the knowledge they need to become more secure.
About the author: Georgia Weidman is the founder of Shevirah, a provider of testing tools for assessing and managing the risk of mobile devices in the enterprise and testing the effectiveness of enterprise mobility management solutions. She is an experienced penetration tester, securityresearcher, and trainer. Georgia also founded Bulb Security, a securityconsulting firmspecializing in security assessments/penetrationtesting, securitytraining, andresearch/development. Georgia will be speaking on Integrating Mobile Devices into Your Penetration Testing Program at InfoSec World 2016.