How can businesses get the most out of pentesting?
More than 4.5 billion data records were compromised in the first half of this year. If you still feel like your enterprise is secure after reading that statistic, you’re one of the few.
Hackers utilizing high-profile exploits to victimize organizations is becoming an almost daily occurrence, with 18,000 to 19,000 new vulnerabilities estimated to show up in 2018. Here’s the thing though – we can still address the situation and make the current threat landscape more manageable. All that’s really needed is for organizations to adopt a more proactive approach to security. Even the major breaches like WannaCry would have had a much more limited impact if organizations embraced threat hunting, vulnerability testing and other proactive security practices.
Given the number of vulnerabilities that have gone global in the past few years, enterprises can’t afford to keep relying on reactive security. Just hoping that an alert doesn’t go off isn’t a strategy. Instead, groups should embrace penetration testing.
For those unfamiliar with the concept, a typical pentest project consists of a pentester putting on their “evil person” hat and attacking a target, looking to infiltrate the organization in the way that a malicious party would. From there, organizations can see how much access a hacker could get, and what they could do to the environment if/when they got in.
It’s very similar to the way cars are put together – manufactures design it, put together a blueprint and model everything out. But before the car goes to market, they ram it into a bunch of walls so the manufacturer can understand what happens when it fails. Enterprises need to adopt a similar mindset when designing their IT environment. You can’t assume that a machine will always do what it’s designed to do. Someone, somewhere might eventually try to make it do something else, and the enterprise needs to know what degree of success they might have if they tried.
For organizations not knowing where to start when it comes to selecting a pentester, let’s take a look at a few guidelines to follow when starting a project.
Make sure your house is clean
Don’t buy the assessment until you’re ready for the assessment. Before you attempt to jump right in to have someone uncover any potential vulnerabilities, organizations should first make sure to address the issues that they already know about. That will avoid having the pentester waste their time telling the group something they already know. A few examples of vulnerabilities can include, missing data encryption, missing authentication for critical function, unrestricted upload of dangerous file types and many others.
If an organization is aware of a long list of problem areas, then a pentester won’t help much. The goal of pentesting is to uncover issues that the organization is unaware of. So, to get the most out of the process, the organization should feel good about the defenses that are in place before seeking out a provider to perform a penetration test.
Prevent a cookie cutter approach
When working with a pentester, sit down with them and ask what they can do to provide the most benefit to the enterprise. Engaging with the pentester is key, and it will also ensure that both sides are on the same page. Pentesters enjoy that level of engagement and it encourages them to provide a higher level of service and more secure environment in the end.
The goal of penetration testing is to identify the worst case scenario. But through engagement with the pentester, an organization will also be able to understand what the approach is, how they prioritize items and how they help to mitigate the risk that doing the assessment would introduce to the organization. Those are all items that are critical and can only come from direct involvement with not just the sales team, but the individuals providing the service.
Make sure to follow through
Once you have the full report in hand, make sure your organization can patch any issues, and in a reasonable timeframe. It’s very common for organizations to get an assessment done, and a year later the exact same issues and problem spots are still there and open.
Up to 70 percent of bugs remain unpatched four weeks after they are discovered, and close to 55 percent are not resolved after three months. That is a high percentage of organizations that are not fixing vulnerabilities right away. Make sure to clean up any open items and have a real plan in place for acting upon the pentesters report. Otherwise your organization will remain riddled with unpatched vulnerabilities and the whole exercise will be a waste of time and money.
However, organizations also need to understand that they’re never going to have a zero-risk situation. Not all situations are that dramatic, but there is a risk associated with any action. So it’s not a matter of trying to eliminate, rather it’s making sure that your business is positioned in such a manner that the amount of risk is palatable. From there, organizations can optimize their defensive spend based on those sorts of decisions.