Rethinking pen testing

(Image credit: BeeBright / Shutterstock)

We live in a society that’s seemingly teetering on the edge. We’re constantly ‘drilled’ and tested for our preparedness for disaster or crisis – earthquakes, fires, accidents, and more. We may sigh and question the regularity or purpose of these tests, but we know that, should the worst happen, we’ll have a pretty good idea of how to react to ensure our safety. As our world becomes increasingly online and connected, this emergency preparedness takes on a new meaning. With organisations coming under fire from hungry cybercriminals, it’s evident that the internet has opened up a new frontier – of opportunity and of risk. But are we adequately prepared to tackle this online threat head on?

Are you ready?

There are many different ways that an organisation can test its cyber preparedness. While, on a larger scale, models are being created to help assess the public sector’s ability to defend against online threats – the State of California and its ‘Cybersecurity Maturity Metrics’ being the most recent example – individual organisations need to tap into the latest tools, techniques and resources to help identify vulnerabilities and plug any gaps before hackers metaphorically worm their way into networks and systems. One of these techniques is penetration testing, but are organisations actually using this insightful method effectively, or just ticking boxes for the board in a bid to show some awareness of cyber preparedness?

What is pen testing?

By definition, pen testing involves simulating cyber attacks on an organisation’s network of computer systems in order to evaluate how secure those systems are. The aim is to identify any weaknesses or vulnerabilities, and how likely it is for unauthorised parties to gain access to the organisation’s data. Imagine the organisation’s network of computers is a brick wall, and you take a sledgehammer to that wall. Your shoulder might start to ache as you’re swinging the hammer, but you’re ultimately trying to create or uncover weaknesses that prove the wall isn’t structurally sound. If you can make the whole wall fall, then the metaphorical organisation has some serious security issues to resolve. Alternatively, instead of a sledgehammer, you could use a highly focused laser to pierce the wall. Either way, you are evaluating the effectiveness of the wall against various forms of attack.

In a pen test, the assessors are trying to model what real-world attackers do – find vulnerabilities and, under controlled circumstances, exploit them. The ultimate goal is to holistically understand and manage business risk. It’s a reliable and comprehensive way to think outside of the box and take a more creative approach to cybersecurity. But there’s more to it than just simple button pushing.

Under pressure

In a post-GDPR world, organisations are under much more scrutiny to ensure their systems and data are appropriately protected. Failure to do so will result in reputational damage, regulatory oversight, hefty fines and, in some cases, incarceration. Just look at Facebook, which has confessed to losing one million monthly active users since GDPR came into effect in May. As a result of increasing compliance pressure, many organisations are attempting to use what they are calling “pen testing” as a way of superficially demonstrating adherence to new regulation. But many of these organisations aren’t conducting true, in-depth, high business-value penetration tests. Instead, they conduct what I tend to call RCPTs (Really Crappy Pen Tests) that are fundamentally flawed because they’re not designed to do anything more than button pushing – they’re not going to find anything significant or real because they haven’t been designed to do so. It’s a ‘face saving’ exercise and cursory vulnerability scan that gives pen testing a bad name – expensive and ineffective.

Too often, penetration testing is being used as a box-ticking exercise, particularly for credit industries and other heavily regulated sectors. For example, the Payment Card Industry Data Security Standard requires regular pen testing, particularly after system changes. That’s a fine start, but in order for the test to actually have value, it needs to be approached and designed in a different way, rather than hacking for hacking’s sake to get a thumbs up from the ICO.

Testing intelligence

If you’re an organisation solely focused on ticking boxes rather than taking security seriously, then you’ll never be truly secure. Effective pen testing takes real intelligence – a focus on getting to the root causes of insecurity and arming an organisation with the knowledge and tools to prevent and detect attacks, rather than mopping up the fallout of a breach.

In reality, pen testing is just one important tool in an overall arsenal to assess for vulnerabilities and remediate flaws. When done right, pen testing is able to find the subtle weaknesses that may have slipped through the net of other methods. Previous personal examples have been relatively simple things, such as finding open file servers on a company’s network that contained formulas crucial to their business technology and operations. People are inherently fallible, and these types of servers can only be created with a human element. It is that human element that is so important when it comes to pen testing. While many industry professionals have debated the value and role of the human in pen testing, as opposed to automating everything, in my opinion it’s what gives the whole exercise value. A machine can’t keep scratching at a wall trying to find a tiny crack, nor can it think like a criminal would and try completely unorthodox methods to complete a task. So, does ‘proper’ pen testing have value? Of course, and in fact the market has spoken.

In the mid-90s, the pen testing industry was relatively small. By 2021, it is estimated that it will be worth $1.72 billion. Why such growth? As we connect more things to the internet – cars, phones, apps, toothbrushes – we introduce potential risk. If manufacturers want to sell new, connected things to society in a safe and secure way, they need a real pen tester who is going to help identify and mitigate potential chinks in the armour before a product gets into the hands of consumers. The pen testing industry is experiencing rapid growth because nearly everything – new products, services, and businesses – needs to have its security scrutinised by exposing it to a simulated attack.

Be smart

We hack because we learn, and in turn, that hacking and learning improves our security posture. Five years ago, if someone had asked the industry why we pen test, we would have said something along the lines of “because we want to provide business value by finding flaws before the bad guys do, so you can fix them”. Now the reasoning behind pen testing is subtler but more powerful: we pen test so we can better understand the business risk that stems from vulnerabilities, and how to apply limited resources to best address that risk. Pen testers must therefore be seen as business risk partners, not just another tool to test defences and tick a compliance box, which unfortunately they often have become. This older mentality needs to be quashed to ensure the quality, and the very name, of pen testing endures.

Ed Skoudis, Faculty Fellow and Penetration Testing Lead at SANS Institute

Ed Skoudis has taught cyber incident response and advanced penetration testing techniques to more than 12,000 cybersecurity professionals. He is a SANS Institute Faculty Fellow and the lead for the SANS Penetration Testing Curriculum. Ed led the team that built NetWars, the cyber training and skills assessment ranges used by military units and corporations with major assets at risk.