How to Save Money on Pen Testing - Part 2
Charles Gillman of Moula Money Offers Tips to Maximize Value and Get Great Results
Regular penetration testing, or pen testing, is an essential part of understanding your organization's security posture by mimicking a cyberattack using the same tools, techniques and procedures as an attacker. In Part 1 of this article, I took you through six of 11 simple tips to maximize the value of your next pen test and, in the process, deliver better results. Now, let's cover tips seven through 11.
Scoping for the Most Bang for Your Buck
Correctly scoping a pen test is the key to extracting maximum value from your pen testing investment.
Tip 7: Leverage your risk register to create test cases.
Penetration testing is ideal for driving change by exposing risks that you don't know about and sometimes risks you do know about that the business hasn't taken as seriously as it should. Pen testing can help validate the likelihood of those risks.
You can use the risk register to define test cases that:
- Bring a risk to realization;
- Prove or disprove assumptions around security controls;
- Prove or disprove exploitability - or even impact.
Trawl the risk register - there will be risks for which the impact is high but the likelihood is low. These make good candidates for company-defined test cases. Or better still, you can choose a high-impact risk in the risk register that has been accepted.
Bringing these risks to realization can help drive change and get executive or board attention by having a third party reinforce your message.
Tip 8: Rules of engagement to prevent business disruption.
Set rules of engagement with your pen test vendor, especially around the exploitation of vulnerabilities in production environments, which should be reflected in the pen test scope. We've all heard stories of overreach by zealous or inexperienced pen testers. Remember, you will be accountable for their actions.
I like very few rules except for no DDoS and nondestructive testing. Permitting active exploitation means working hand in hand with the testers, daily meetings and a go/no-go decision on exploitation from you and your internal stakeholders before the testers pull the trigger on any exploit.
Exploitation should be detected and blocked well and truly by your security controls. If it isn't, it's time to review the configurations of your security controls and even your investment in your current technology.
The alternative to exploitation is to assume exploitation would be successful and either provide the pen testers with the access they would have gained on that system or stop the testing of the vulnerable system and move onto other systems.
Tip 9: Time-boxing when time or money is tight.
Sometimes project deadlines and, more importantly, project budgets won't extend to the amount of effort a pen test truly deserves. By leveraging the scoping tips above, you can target the highest risks with company-defined test cases and limit the pen test's duration to an agreed length of time, e.g., two weeks. This approach is known as time-boxing.
It is beneficial for systems that have been pen tested many times before and where there has been little change in the environment. Time-boxing is also a good approach to use with objective-based testing.
Time-boxing does come with the risk of a false sense of security, especially if there is an assumption that the system has had a comprehensive pen test and all the vulnerabilities have been discovered.
I only recommend time-boxing in cases in which those scoping the test understand the implications of it fully, and the pen testers can test the given objectives within the time frame.
Validating Your Security Controls
Tip 10: Test that your security controls are working as expected.
Do the often expensive security controls that are in your environment work as intended? Every budget cycle, we lobby for funding to maintain or purchase security controls to address the ever-changing threats, vulnerabilities and resultant risks that face our businesses.
Do the security controls work as the vendor presentation said they would in the pre-sales meeting? Have the controls been implemented and configured correctly to prevent or detect attacks? Do you have blind spots in your monitoring and detection capabilities?
Most pen testers will start "low and slow" and become increasingly intrusive. What is the threshold where they are detected by each set of controls, if they are detected at all? Can the tester bypass the controls? I once gained access inside a financial institution by getting remote code execution on an unpatched IDS device.
A noisy pen test should light up the dashboards for your security controls like a Christmas tree.
Use the pen test as an opportunity to tune the controls or tighten up configurations - e.g. firewall rules - to ensure the testers or, more importantly, the bad guys are detected earlier next time.
Tip 11: Test your SOC or MSSP to ensure timely detection.
Not informing the SOC or your MSSP of the pen test is an excellent way of testing if those teams are watching the consoles or are drowning in alerts. I've seen pen tests complete or others go almost to completion - including breaching the perimeter - without being detected.
Reviewing how the testers got in and the tools, techniques and processes they used is a great way to help your SOC hone its threat-hunting skills and tune signatures.
The lessons learned from gaps in detection can also help test and uplift your digital forensics and incident response processes.
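One way to measure the detection threshold and blind spots discussed in Tips 10 and 11, as an added example that is not part of the original article: it correlates the testers' activity log with the alerts exported from your controls. The field layout, control names, 30-minute window and every sample row are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: the testers' activity log and the alerts exported
# from each control. Field names and values are assumptions for illustration.
ACTIONS = [  # (start time, intrusiveness 1=low-and-slow .. 4=noisy, activity, target)
    ("2024-03-04 09:00", 1, "slow port scan", "web01"),
    ("2024-03-04 11:30", 2, "directory brute force", "web01"),
    ("2024-03-05 10:00", 3, "authenticated vuln scan", "db01"),
    ("2024-03-05 14:00", 4, "approved exploit attempt", "web01"),
]
ALERTS = [  # (alert time, control, host)
    ("2024-03-04 11:42", "WAF", "web01"),
    ("2024-03-05 14:03", "WAF", "web01"),
    ("2024-03-05 14:05", "EDR", "web01"),
]
WINDOW = timedelta(minutes=30)  # assumed: an alert must follow the action within this

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def correlate(actions, alerts, window=WINDOW):
    """Match each tester action to alerts on the same host inside the window."""
    results = []
    for start, level, activity, host in actions:
        hits = {}  # control -> fastest time-to-detect for this action
        for when, control, alert_host in alerts:
            delay = ts(when) - ts(start)
            if alert_host == host and timedelta(0) <= delay <= window:
                hits[control] = min(delay, hits.get(control, delay))
        results.append({"level": level, "activity": activity, "host": host, "hits": hits})
    return results

def detection_threshold(results):
    """Lowest intrusiveness level at which each control first alerted."""
    threshold = {}
    for r in results:
        for control in r["hits"]:
            threshold[control] = min(r["level"], threshold.get(control, r["level"]))
    return threshold

def blind_spots(results):
    """Actions no control alerted on: candidates for tuning or new coverage."""
    return [(r["activity"], r["host"]) for r in results if not r["hits"]]

if __name__ == "__main__":
    res = correlate(ACTIONS, ALERTS)
    print("threshold per control:", detection_threshold(res))
    print("undetected:", blind_spots(res))
```

A control that never appears in the threshold output did not alert at all during the test, and each undetected action is a starting point for the tuning described above.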
Summing It Up
Pen testing can uncover infrastructure or vulnerabilities you weren't aware of and help the organization better understand its cybersecurity risks.
By adopting a targeted approach to penetration testing with well-defined scope and test cases that are company- or objective-specific, you can derive maximum value from your penetration testing spend.
Charles Gillman is head of information security at Moula Money. He has over 15 years of experience across security consulting, ethical hacking, cybercrime research, security architecture, security operations and security leadership roles. He built and led information security teams at two of Australia's largest banks before moving to senior roles in the cloud and managed services space.